Analysis Overview
SHA256
33e2695da4fe975e3945b6aafc539ef6ad61c4916b30b00bb5454fc4a9286d6c
Threat Level: Known bad
The file 54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (80) files with added filename extension
Renames multiple (57) files with added filename extension
Loads dropped DLL
Executes dropped EXE
Deletes itself
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies registry key
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-18 02:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 02:19
Reported
2024-10-18 02:22
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
109s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (80) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\JgkkYkMI\sGMwogQU.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\JgkkYkMI\sGMwogQU.exe | N/A |
| N/A | N/A | C:\ProgramData\JqIEUsAU\SMYcMAwM.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sGMwogQU.exe = "C:\\Users\\Admin\\JgkkYkMI\\sGMwogQU.exe" | C:\Users\Admin\JgkkYkMI\sGMwogQU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMYcMAwM.exe = "C:\\ProgramData\\JqIEUsAU\\SMYcMAwM.exe" | C:\ProgramData\JqIEUsAU\SMYcMAwM.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sGMwogQU.exe = "C:\\Users\\Admin\\JgkkYkMI\\sGMwogQU.exe" | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMYcMAwM.exe = "C:\\ProgramData\\JqIEUsAU\\SMYcMAwM.exe" | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\JgkkYkMI\sGMwogQU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\JgkkYkMI\sGMwogQU.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\JgkkYkMI\sGMwogQU.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe"
C:\Users\Admin\JgkkYkMI\sGMwogQU.exe
"C:\Users\Admin\JgkkYkMI\sGMwogQU.exe"
C:\ProgramData\JqIEUsAU\SMYcMAwM.exe
"C:\ProgramData\JqIEUsAU\SMYcMAwM.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMMEcsQI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmEUUQQg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKkIkcUY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ousQoMUI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAcwUocI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAkQgwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOckoAkU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwUYAwkI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUEEccIs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hakgMgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKMYUYAE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOIYggAo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkkkwgIo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkMosoIY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSEksEAU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZywgsMMs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zckEMgwI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSoQQswE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgcwgUsI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcYwQMMY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOoIsYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKQUcogc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyoIgIAA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsIEYkgY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEUQQEoU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUwsoMUM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMIwsMgc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGwEskoo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkooUkUs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VissQsQM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwUAAEck.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeAEEMwc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIwEYMUs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCokkQAw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkIUMEks.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmMowEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuAMgkUw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQYAEYgY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMgkAYYg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msUsUAoM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKccMoow.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyYQoAME.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqUQQAwU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMgwMkgY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncYEEcUM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaAIAEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moUQAcoI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuUIooYk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUYwQoMM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIkYsMww.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiQYIgMc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HukYUowY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIgYMMgA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwksEkAY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAgksgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsYgcUIU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYQIQkIU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nccMEwwM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCcQoQkw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsgwYYAg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiEkkQsk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOMcAogQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KukQcUgY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoAwUgEM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqoUgQok.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEgUIYgA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hookQEYo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POEUsEEE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuMAkssc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qykQscEY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWkckooc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jawMowMU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQAMQAEg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bawowgsk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSAEYQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aucAssYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAUMAEMk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGgoEgkE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hikAwEEE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaEcoAgs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMsgkwoA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqccIYog.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCMkIwwg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgMUcoAM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WisUMoYs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgwksgMI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgkIkQYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcQIcgko.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xskswMAY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\decYAoIU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQkAUowg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUAIksMw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIUEsoAU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POUgAAsU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwkEkQkc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoYEooAw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCksAkUg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYMUMYcU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwYEYUsM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGwQAIkk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMsIIYAw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYUsgUYo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyMAosAM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGUEAIEY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\micYIEUU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSsksQMI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsoMQoYk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PigQQIcI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juMIsosg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NikwIAQY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skEgkoUM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqEkAQwY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwUMcgkQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lycwMooA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOMgoMIM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruEIwkUg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUoAwUAE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGgswgoU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQkUgQkA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgsAYcIY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMUsAEoc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuAscEMk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQgkkUYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOQIUgoE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owwgAwEw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkQgYcYY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYsEEUQA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMoQgccs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkkIsAkU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWAwEAAI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.78:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.169.78:80 | google.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/1608-0-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\JgkkYkMI\sGMwogQU.exe
| MD5 | cac52262f54d81c8a949a39e8d6adb49 |
| SHA1 | 72053539a7c16db35470210013b65a83ff04bd1a |
| SHA256 | a8a2c8155974935469b303fcfbfb7186044ce63e1e1b7b3c5b6f30cb8477e798 |
| SHA512 | b034f001ed095b1f23119723c6524afccd32d9f8ae600ef5d94b062ab5ab663ff99af68e50fa187cfd0517fdd0d6a03d2b488b7d955c6a66a72ccf9ebbfbcf77 |
memory/2296-7-0x0000000000400000-0x000000000042E000-memory.dmp
C:\ProgramData\JqIEUsAU\SMYcMAwM.exe
| MD5 | 7af184a9cd18aa67904640c4f9f4aff6 |
| SHA1 | 98091ca35cb359021a17e8aae91e6578241d15a9 |
| SHA256 | 14f7c76fa857b0dd6f943442fb0bf6f8ce4b44ff83fee8b476d99d7b344342ec |
| SHA512 | 232029b50b447abc4aa7d128b4c9aa9debcd2cd15ba465214c203be1dfc7568dcb0747ad406170bf3acdc26c4cd701adb1a0874dd9fc6a5ce78e26f0011e9e0a |
memory/1916-14-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1608-19-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xMMEcsQI.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
| MD5 | ce1e5810d7c9f27a6b139b7bb5772198 |
| SHA1 | ec7dd31f242502ea55223a00c883044cba378ba4 |
| SHA256 | 0ae29a2e9fb4ca75da5145ac86ab6dd9f12767cadb5bc6a9aa4b1036edc128e7 |
| SHA512 | 44975121e40b3fa90d1c32ca56e53e2fcd5c768e64e22cc9f9ac73991b1ca79aa9745136b7dea10bac6c88c946af0155ba2abb91b14eb182dd1e69c2a718a63a |
memory/1912-32-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4584-43-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3620-54-0x0000000000400000-0x0000000000434000-memory.dmp
memory/944-65-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2892-69-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2892-79-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2492-87-0x0000000000400000-0x0000000000434000-memory.dmp
memory/512-91-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2492-102-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2992-111-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1432-115-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2992-127-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1980-138-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4920-149-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4684-162-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2912-173-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2276-184-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4832-195-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2896-208-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5048-219-0x0000000000400000-0x0000000000434000-memory.dmp
memory/668-230-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1064-241-0x0000000000400000-0x0000000000434000-memory.dmp
C:\ProgramData\JqIEUsAU\SMYcMAwM.inf
| MD5 | b5095444daf5a82fd44c75d01971cada |
| SHA1 | 9b2d78b91880d310fc2657c91367605c9bc4d3de |
| SHA256 | 048cf5e3d26d60282130b4b03fb5e96cfc310c91423dee58d77eebef97241d01 |
| SHA512 | 476db5d26d277496a2315b048418a804377d11300512ebaa6c230fb23f4bdedb66bee86f4328ed47a336a24de228682d1b080aa650938c1b19de395f8c5ce92b |
memory/3748-254-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2180-262-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3928-270-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1444-278-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2484-288-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3304-296-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2604-298-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4972-302-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2604-306-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4284-312-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4972-317-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4284-325-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4056-333-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4192-341-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1040-351-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4284-352-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4284-360-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4528-368-0x0000000000400000-0x0000000000434000-memory.dmp
memory/372-376-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4972-386-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4360-387-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4360-395-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4732-396-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4220-401-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4732-405-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4220-415-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1764-423-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1492-431-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4528-432-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4528-442-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4640-443-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4640-451-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4936-459-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4712-469-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3020-470-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3020-478-0x0000000000400000-0x0000000000434000-memory.dmp
memory/772-486-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1068-494-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4592-504-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4832-512-0x0000000000400000-0x0000000000434000-memory.dmp
memory/316-520-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2748-521-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2748-531-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1564-539-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4220-547-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4816-555-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4472-565-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2228-566-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2228-574-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3236-583-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2212-592-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1432-600-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1492-608-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4580-609-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4580-618-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1312-627-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2912-635-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4728-643-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4220-653-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1424-661-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2476-669-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4640-677-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4376-692-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cAkM.exe
| MD5 | 2cd1e5c936973fcc60ce0be85d04f0f9 |
| SHA1 | 1aab760f23d22a498d665880cf00523f509350b0 |
| SHA256 | 405066e3a1766ce93d67fde0ad00c9e11d1a0c0f8dee506a4455f51e5fdfda9d |
| SHA512 | 945f25aed012103527e585c8c72c46f5a75f8ddb30cf57bfd4d29b7f142abdf0815cc128869ee68132749e5cac534b1eb4009e1962689e431d02d00d8c463587 |
memory/4860-710-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ogQW.exe
| MD5 | 5f10c7962b3be3e454672b5cb3ff731f |
| SHA1 | 11719235abd009e291ac94757a4ff297ba8da510 |
| SHA256 | 4a94e9713ffc7ae3638d978d297bc4396ba5cc7d1203bb027b39cbcaff4a2b0d |
| SHA512 | 6f350071559288189111cbfc318711a1bd3766f5376ceb44dd938ebd68b5605d59aef5204a2dbaa65567ab93d1002efc20aeb66f02f7c5b917b050b2fb666edb |
C:\Users\Admin\AppData\Local\Temp\Mkkq.exe
| MD5 | a2e86ea0e868c8f46634d733662b5451 |
| SHA1 | cd76f940bcf9453f954c015c1b6ef60232b0e630 |
| SHA256 | 99915af24ac99f9ad8f59ce9b92ddc94213fa4ed915e3be2bd1b5b3dd1e81477 |
| SHA512 | 915f4cba137b45777cc5c06ae176914a653a633822b608aeab76f6b706ab10d3ed30bcd67c28e3a0e7223e10a44e43ce45033fc266cf562ad4d545825bef59fe |
memory/3488-743-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QMkI.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
memory/2784-749-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oUAQ.exe
| MD5 | 660db204b3dca07c321341fa769e1077 |
| SHA1 | 6e9096854a0eda9082b71e79da517106504f01ed |
| SHA256 | d8d37e11f53e086bd116f4d3512dcd014974799939e4bf8e45882efdcdc306fd |
| SHA512 | ac69a6f09ade180e24ba43bc132dc75dc092f967bca2829cf4b1234cf80df4878c1b9b2886f7de2b1608ca81ef98e1aff54d10539d485030cbd1273469ff2b7d |
C:\Users\Admin\AppData\Local\Temp\kwsA.exe
| MD5 | 9aa5ac5483750cc12aa3333880b069dc |
| SHA1 | 7bb1981b4d82f7682d67da9130223b81365d4e53 |
| SHA256 | aa2d2fd2a732c8f0f5e8944ef1fd52410118666a6fb3729295a65ffce5a87c85 |
| SHA512 | 18f4a051478c83c058767ac973b74a2bc3ddfdc8b6599cb304a9934fab27f6b3505b6e2d710d58cce9db4f41f46b758beb20d0197736922b1fb27cb0e8c830b3 |
C:\Users\Admin\AppData\Local\Temp\Igwk.exe
| MD5 | 44aaaf105158f5121be3a01d7046619d |
| SHA1 | 6e4728adcabc48c0a1fa16379da9337cf6518b54 |
| SHA256 | cdb8a84f77ca519a3ba7528fcf9b9ca4538f7dd4ac59d075b95c5edcfa66d72a |
| SHA512 | 18b1ba9de00cd91b76dc092fcb712185f0ba3d53a2889d70c5139d0612264b5f6216f98f5420d4dcfa62b76f9453e43a38fc81ab6875d705af098f8d0ccae9cc |
memory/3488-797-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UsoE.exe
| MD5 | b18f210615de620d21506da01cd93db7 |
| SHA1 | 22afe42119bc794aa1739a9d27b6738846a891d6 |
| SHA256 | 6f2e6957541df7259228c3b12ac3dfb529c5c824c932f63df56a9009f03ddf1d |
| SHA512 | 7a4b35040b25f4abc8a2569e7be01625a14baa918e07a6791349b2fe569d585b87355f80d36bef160e8342345997635e5265eea2c55c48eab24d62756583134c |
C:\Users\Admin\AppData\Local\Temp\iYEk.exe
| MD5 | bf57d7cda57d85897b39d12e600f9f33 |
| SHA1 | 2c93ce0802383d8d31f3e2cb657ebf34d8fccc65 |
| SHA256 | 67a3a00c3532fb79341e2f015e115bce49061521e6254c42d3bc854144a8449e |
| SHA512 | d6f5fb0ecd14d91bc4e24314acf0d8ed5f69d00d0245fd11737e50138cb12bdc6768464554e1d2f61442fe51d76a18903b2a89ea98718e96a35c25d7ed7db608 |
C:\Users\Admin\AppData\Local\Temp\iAkg.exe
| MD5 | 7434280c95a7efca1aa6a068865c5309 |
| SHA1 | 39d1c323956320b7e912c85c5acb78f662f02915 |
| SHA256 | 9f48fff588fa6c147e1eb23228351a561602a30868c397ce4cb6fae94eae7aa5 |
| SHA512 | a68d8e813a61a582e0b9146509b08d43177ee52aed73b7286082e8f285b31065056786e48ce9c6e3464b568d3b1ceac5aa50454505669ac342ec65f27e812c0d |
C:\Users\Admin\AppData\Local\Temp\oQES.exe
| MD5 | a3d948783ba12401829a1f6d94796090 |
| SHA1 | c6e31ad40b3462c3b6b7c275f58cca90a0f7d550 |
| SHA256 | 96881c6ace8183887a80a132ce25f3af97beaefd701335476e978012fe8bbaee |
| SHA512 | 462a3aed901bf50864c9831bab7293263640d64952c682a13cca688a293824c6427d54db0b1b3f13210b1bd95a79cde6d4a23d47c493751709a5bbef8864cd30 |
memory/1524-863-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4544-864-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qkQY.exe
| MD5 | 40c2a0e69b5f73cbba4c5875e59490f4 |
| SHA1 | 76d8822d8364f9679424f3768b38a30b30379520 |
| SHA256 | 9a677ebf5053c02991716809942f0f68246088710a201061f7101b8ac966d542 |
| SHA512 | 3f53a3651f570d17af4c9b5e3420eeb684f1196b98105bdd3fe90f55b0343fa8942feb0ac543df8a7dcc932b258c7ff40d467733e917e6639d5a22bc06d65f71 |
memory/1524-886-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ckYW.exe
| MD5 | 00149a7dd14e0260115d7619d6bb1216 |
| SHA1 | 79833ba695613e7a796c2f9514974740c0bbe142 |
| SHA256 | 288b0b4b8f1dae808e378281ff670c4158757727c4127ddb6e6dc4b024a1b80b |
| SHA512 | eaa81cb81198c991c09231ff2e020d121a0c90df11ca444e9339050786666e7eedbf333211cf16a25ab983bc51aa3dfbb35311c0eb449681cbcacab8265798ec |
C:\Users\Admin\AppData\Local\Temp\MAMU.exe
| MD5 | 79d7c2c573fdbc34ce1ceada7a31de27 |
| SHA1 | eefde3ddb8a24932b52de3b80f44801cc8bd7640 |
| SHA256 | 9d3f7ae9f1b54b8be9f6e819f3bf743ca418049158dc5fa2a25780db4a584670 |
| SHA512 | 30a8eca6859532e8262c9427381502385f708e94694ddb0f3854874b4c43ee1675ff69069e4a798512117eeb6558bc8bffba08ba07a1e9c1329ade12c7792895 |
C:\Users\Admin\AppData\Local\Temp\EQAs.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
| MD5 | a16b543a161ef3b8eb3f44a602a07dc6 |
| SHA1 | c95a4412a95e60730e6ef80d7d14b340e57c688a |
| SHA256 | e956331d2c3aaebd8e4d9f53c0b6bcda1231764a93845128ba3d82291b260a90 |
| SHA512 | c536f9be501cf493804349c184514f6736a8295c5dd3f5165498305a1e520459bdb13ddb030d9806908f61da2495877923b08dbd6d8bf107439bf496573a39f1 |
C:\Users\Admin\AppData\Local\Temp\YkYk.exe
| MD5 | 793e71d06ab729225180f37d2ee132d9 |
| SHA1 | 39262e2adffd77556b4b648bd2b06508be0f03fa |
| SHA256 | 4ee0ae1975323992022c02ed1bccd70170a0b7c76cf0bb388376c0923bb747fb |
| SHA512 | 12a86b5e41d839a144f4836ab2204182f5b7cfa2fcefc01cb3d7e9e6654890fe08bb3c7a500acc0887f17313720ea172b15c2d05bf7a3dd3717ead63f8682471 |
C:\Users\Admin\AppData\Local\Temp\ogUS.exe
| MD5 | 6a1fd303fa2cf996e138608d12a17e28 |
| SHA1 | b8e9fd353a2fdf7f0837ba2297d6a59d1da1ea7c |
| SHA256 | c37bcd95cda06dfe881e7cb96d091554e635f718c5b3c146ae80d22ba7d8590b |
| SHA512 | 2d7a9b9366dbf95ae9ba7f10e9f12b40657140f7c1b8ca8c6f2f2315d5931d8ffdb6426d0f231a9d6a3c2df1e315536c12890ebfceea81832415d2fd90974a3b |
C:\Users\Admin\AppData\Local\Temp\MQwc.exe
| MD5 | d92f29d473ebc8d4e8eed3b29e4b1fe2 |
| SHA1 | 7acd7b3ea966aedb08ad8843606d2ebfb45995ed |
| SHA256 | 76ec6e4431eba27f29ca432939978df2cb66568b26af5f0239d21803d65960b4 |
| SHA512 | 83b37cc0419c061efed122cc0be9c9925cecdb57fec9b9792e30f845efc5b59f2267379d08d0080d15567e2d999b0882eb51959e3eda46f2826a17034d3c4d54 |
C:\Users\Admin\AppData\Local\Temp\eAoc.exe
| MD5 | c28923929fb4a5c1e2d0ae6b456b9b9d |
| SHA1 | 1745256cb84da8b669d88f8fcbe8a411f8db94cf |
| SHA256 | aac17832d58c35bdfa02918076c8b9a519480f77bb4f123ebc64f310ae0952db |
| SHA512 | 80d6e1609331bc2e877c143c16b85d1174650ac15617145774bc9f86f00e34ed71e27dc214fa3a42c96100798549c0c31fcd33f9b93762213fea0cc07d427158 |
C:\Users\Admin\AppData\Local\Temp\QsQS.exe
| MD5 | 6399af88afd5129af1f15ee6c636d326 |
| SHA1 | 1df0457769ea3dfccf3d86e3cc161d1a1a070032 |
| SHA256 | 1386477e79c1d5724c75d394f2df8807b0379d4bb9dd2f8424b6667fad83e2ed |
| SHA512 | 84160efa8d98ccb52599b340d1ab84faf7ecf7000b995c83f6d3f1154a1c45d57b40d224fb49f025197418476a49632c8177cfedeba1edb1bf42b70a96c7e283 |
C:\Users\Admin\AppData\Local\Temp\oYAS.exe
| MD5 | 7a6537ed8e28114e617f7af16b0012c2 |
| SHA1 | 197c910ab363dd4c15c4bc6cafbd514a84f05fe5 |
| SHA256 | 6289875e8f6d9bd60661d57417a1feee37b71ae8f6c8e8a7899b423a52aa695c |
| SHA512 | 2d7bc0cef9b79b220df3b30398c671cd6ba5f86a256198ef6e78224244d621e09f6ab3b3ab735ef7412b54712ac04c64a87a9e59892d7e7b39b0c2d1ecf3488b |
C:\Users\Admin\AppData\Local\Temp\AUsw.exe
| MD5 | f5d56666b3f52d7e6917e0fa1c4f0b95 |
| SHA1 | f8ff439915f42efe7d92e73b51fbb3ee821dbfa6 |
| SHA256 | c7cf0f8eafa12bee711d4afde8bbd1f49567fa38270b5bdee135b050c2c53815 |
| SHA512 | 385e5e07a7d5523367a5d7dc7b9ec52cc32740dcce70162d9d5398c7dd5bcf0c0aaf178edc8a8d13bd6d4f2317af13e177d242dcc4fd007fc64c50fd58d93a47 |
C:\Users\Admin\AppData\Local\Temp\Qwok.exe
| MD5 | 7ef64f8ffaa52f6ecead558abecfbfa2 |
| SHA1 | 6e3161b5e5605e6cd2a69c4f27340311730a71fa |
| SHA256 | 962658f4a9d76bf82a42cf67592c47c39e270523c82a585fd804a4504de1a9bb |
| SHA512 | 85a6f974e29591b8f54750cda1f9c184eb07469c904df93f967dda85a7c5f75344125044fdf12123ea719666c828e2b425380e96dd8b9b457d614c4a802b5c41 |
C:\Users\Admin\AppData\Local\Temp\WYEW.exe
| MD5 | e8e2840360891231f25ba44072828876 |
| SHA1 | 20c941dfc9ca5a4ea981ab1959a79d5295876d88 |
| SHA256 | 68bbbfaa735e5b8c05036eb415e29e6244f9d6a047f11493178f8e5ff6b342de |
| SHA512 | 6af607bebfe579f5b2dbd1a23ddd9425063182db9a6747a2d8eb5e64d21095c2fd7fb99c58a520b88aadc1a8d63917afd222a04a9983a7f93045c3227973bb90 |
C:\Users\Admin\AppData\Local\Temp\mwAm.exe
| MD5 | 9a9446cebd08f962fa94b0cb5fcee9b8 |
| SHA1 | 505446d1579d610ca93cca0e28a8ffb0b754582d |
| SHA256 | b9881fe3b54275a395e47326b1a04cb57913d0d746d9affcf7342d79dddc8203 |
| SHA512 | cce7289203da0a44104d997d9770f8d359454ed50572c43e23a0ecfc0c05fae203d4b81eb27b61260e2e2cb3cf683496f342c901409caf892efbba11b3dcc0d2 |
C:\Users\Admin\AppData\Local\Temp\YIYQ.exe
| MD5 | d80924718c14f274fb7524c6b4652f82 |
| SHA1 | f26c659c391894056ea067e419bb82f604dfa917 |
| SHA256 | ddfbfb6f8a82601dafe33f05f7fe1ec547f15140b66ee82b7837afff5a84bada |
| SHA512 | e10a9d0258037c089f1ef691594090e3988c348caa305559bbc26c78aeeee2161f59a88e79db05ea8129e16b7e34e1cd6ce9dc49090aff61f78bc7b0d5eb54d0 |
C:\Users\Admin\AppData\Local\Temp\ywcm.exe
| MD5 | 2756f7b38cf4d01187b63a94b4f0db51 |
| SHA1 | 08059c9e21162c666c24c812b5406d030ef72517 |
| SHA256 | 0690ac820cb6246f7bb9c99a4b3575ca6dd8c0aa0f99e6a0ca0474a9ac5f0d45 |
| SHA512 | 7f69d272b16ce90a277490dd7da837b093447e46ed3ad875bb0caaff10458be5e53b306aa258bfee3302a1178167d4f2657cf4f0fc0aa2d8362fdcb7692b3cd2 |
C:\Users\Admin\AppData\Local\Temp\icwU.exe
| MD5 | cfda27f54fbc45392bea65cc4835d820 |
| SHA1 | 6fe614f3d528104e9c299edf8daccf5e2b9644c3 |
| SHA256 | 9589adefd674c59805e1c91516d5e5c771123567b13b357f477b34feded9d2cb |
| SHA512 | e50e9a6d0623e7b1e4eac9e124b8a0fda78b05204c5469602ea463cd183f11aebb74f23be53c2ce2af42e74a7866e64fade61474d75a642c0964f39ad317a01c |
C:\Users\Admin\AppData\Local\Temp\UQYg.exe
| MD5 | 28abe1b9c0a5843a9ff451435b351283 |
| SHA1 | e4143df8202a0738b93b729f97aaa5c6814e14f7 |
| SHA256 | b909d17fb2664a768f76b3aee0364d2a773a174f68efddc87000859f800a3960 |
| SHA512 | 742b4f49674d862b2cc71f863fcc9fb1586247827247559e41b4e833b2b43e01c17c798e6218ff78e96f227308de5d0bafd4ea99fe0f41f156d54ff4e08c3467 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe
| MD5 | 61e6477ffe566b20ec7fc3bbb229887e |
| SHA1 | 980b6aada9654c2436673a1b118379fdccc72f5b |
| SHA256 | 2dd5691d2515397439c7087feb2430e30d62185365a6b829c3bd3c5964c5debc |
| SHA512 | 0f021c841f89728a4d46f8eb8e13a2bf7fee79ac8e1164b1df9584e9faa752bd76bac577b3f3e251e901f48405d1c342ec926ca7c378ef7e9efe26aba854048a |
C:\Users\Admin\AppData\Local\Temp\qwsm.exe
| MD5 | 19756ab64e798f91fce5ea2787988947 |
| SHA1 | 4c4d103c849bcdef47d623c4bfac45e66f8e5aab |
| SHA256 | 293faed57be850b3cd22419b16116e1dc208dd5f80a95e9f4b1dc6779ccb1829 |
| SHA512 | 95158666780418d54c1105f85a04d332cab785d331498b2bc3268d3c444b807f31184808bb76a151e68ae1ff9850a0e18c501d836c489590b7c98ab7a547d341 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe
| MD5 | e1c9f4a8a34962e908b5b5c1e96dac1a |
| SHA1 | 2b2e01178da0fb595b09f456dee9e75bd8d18cdb |
| SHA256 | 70c6983f6d9605c5701e4d8a8808968095b6827dbe1ec56af94f6325eeb7c93a |
| SHA512 | 06a0ee17e35609a0346d800d5088d22375a39089288c5706d87713cf28240681958c0346cd60bbf297e6deb2b510208ab8c03738b2e9a5eb9c349a738239a317 |
C:\Users\Admin\AppData\Local\Temp\sYMC.exe
| MD5 | 30214864dc214b869bf1c99c372ce9d7 |
| SHA1 | 0b86de83257b621dd7632448ae6b090d930bda30 |
| SHA256 | 9793d8e0eb2b9efef23c392603f3573ba3ad9f2ef1cff1cc61a1b2152e91b7d7 |
| SHA512 | a5b291e9ded74cc8648931606a88a0313216715f73f9e5e28d5b3eebfa0e3717f03bd7739875bf8151ada1e71ad034b526aa4f9e23d476f936a5ee494dbfe4b2 |
C:\Users\Admin\AppData\Local\Temp\KkAM.exe
| MD5 | b63b05347010dfb4e71ab2cef137f897 |
| SHA1 | ddd168ea69a776f9739b3da0cae7e71231b5e1a4 |
| SHA256 | 1ecc64ad4a238e1b5bbb1d3417563692bfe8a4a68fe99dbcfae27f734ea21954 |
| SHA512 | d2a12126663371e89f55d4765d42df14bba9ff48de07bd44212a2b9e08c7c46b862e79878eed6ebff8ec7dc195cfe444b666f7a1477955e628a3065d98b98f20 |
C:\Users\Admin\AppData\Local\Temp\GIUE.exe
| MD5 | e934669c3b0ad83c9f45ddb7b5171927 |
| SHA1 | 2bc918ead0790f5e13ac535d739c246709dd73fc |
| SHA256 | 01167ede3622d94b795317af0e07f92e6a4fb072ca26c44c5ddd2018e5e3c01d |
| SHA512 | 7a6279935bb47a25c33485414e4fe09d2777025aaab5519b5c80b848573fe3b31c4c91ab34bf6f326ba7b3e75f302c3fc4493d302e609bd1c8ab88fb4edd08e9 |
C:\Users\Admin\AppData\Local\Temp\wEgq.exe
| MD5 | e5a825d6d5cd17ecec066eb9252aa597 |
| SHA1 | 1e42e8d179da2fa46116c67416b3b7c0ef92c768 |
| SHA256 | f16759e0ae74d0365eed1bc71a1fc61141ba74ec99f13a88787b9ac0f5691e5e |
| SHA512 | 6d0a7a4289df9fd8d199b8bc1e1ac5e21f1877a5b08fa2dd8624695c8b72d70b9e26e7092f8b1af3bba3694e3b58eb993f6cb981d5c0ea54746c59ec626fe40a |
C:\Users\Admin\AppData\Local\Temp\MIwY.exe
| MD5 | 2faf6747c97b75aefeeab722200c237f |
| SHA1 | b38a2cfdb52c560d50a8b4509fb602763bf4ab13 |
| SHA256 | bbc3090ce0e8ffe8d3d155c1e3fd3bd3b2a1fe9fb3221e4f7234427348b53807 |
| SHA512 | 8339f68383da31d82ecb4277dd2464e07a72d1dfa7e65563a8a84585b3029e31d45991c50094a053c0fdcba79db1ca533c164e70d384c363d25b8bc4030c54a2 |
C:\Users\Admin\AppData\Local\Temp\sssI.exe
| MD5 | 5452c21a45fcedfbb2b38a3e70bff5bb |
| SHA1 | eb2e00a2f507ec1cb754cf14005dcc52f0389ee2 |
| SHA256 | 18fcd17c2af0abbf932d2844b01750f93baaa4192a7462433f998d2799033539 |
| SHA512 | fd12c33556f7d509fb8d8d7436faae6e683c8ae23994feecc290e0bd17a7f120557ba5640725091a4d52b991bdad524a396d10567de98357c76e9071c51ae589 |
C:\Users\Admin\AppData\Local\Temp\EoQC.exe
| MD5 | 24713d904c55a59ee0cc17c84d0cd0a2 |
| SHA1 | fcea2bbf13fef72f5441fe54f63f1e2c9814e718 |
| SHA256 | 4086bacccf9ae044312fe0d6b5aab1e4bd6ca88d5d86b3089f879ec74f4cc977 |
| SHA512 | 26d7a53cf39f656db99ed0f24a1dafa9407cea5d63b6b46dd2353b88fd515eb6c809ac0b11232a66fce22d02b4f6075935158be0091a96f4b4cf5ed9d59142ce |
C:\Users\Admin\AppData\Local\Temp\UEQy.exe
| MD5 | 037b3f61ac5baa27c2d226e5ac3d8e61 |
| SHA1 | 061e77fe7540345c6d56a814ebad2d961b270b5f |
| SHA256 | c94844a3ae3e108e1434eb61329dc187986b2696756f78b5f8554f396501abaf |
| SHA512 | da112dbbb1bcc42d8ea0d6f649a43d9edaad08556e6b4d399b8bae8813bd3844ed3991a7da1e501533ad104920298578630b009e19e94070c56df85c6e4606e7 |
C:\Users\Admin\AppData\Local\Temp\OUUO.exe
| MD5 | 95a68cab5f17690b26b066ba073108c2 |
| SHA1 | b451fd7852b4570c124b7ba17b8901b55fa7196e |
| SHA256 | 90b67e80a3ced57f55ce749dbfd47a83c700c0e644529dcdcaa2b7dd19893174 |
| SHA512 | 3052f4d3cda3ea492858cc6673468676523f5c2fda071fb2cecd37f255dc5b5f3040adef1c70368c74ed052ee0428114e30cb01e4e4bee29b02d078dccc3f869 |
C:\Users\Admin\AppData\Local\Temp\IYMs.exe
| MD5 | d1e774bf7cf72b129a6fb18361778e0d |
| SHA1 | acae13fadc2078d9b7535e0c7e64b93364d1e177 |
| SHA256 | 30970eb97cc925a12350763d1b3d5e571b4c765dce9429572acc6f6341f5479a |
| SHA512 | b95aa1465b268c1b2b5fefb23095b45dbea46d26f9763414123ec699878de9bea2b60dbab9924fbd03a4330dc91853e68d945b5b6d1a718ad326cfa2f4c6b08e |
C:\Users\Admin\AppData\Local\Temp\AYsy.exe
| MD5 | 94174f4423faf62f304cef08bd8b18d5 |
| SHA1 | cb74d240fe178de4c1d4b75f2ebc61292cdf62e8 |
| SHA256 | b83d263c534694078d7dc176a7dd3922fe33f1a6ac9b7af32c1957a885b09025 |
| SHA512 | 4f348c8163f8b3027c85480e9e554c4537d413a34be27ad75cfbbefe5d7fe87b91e05c9e38cb8011e801a48c3dbd7b96f263fa73d36c732570589c383a806989 |
C:\Users\Admin\AppData\Local\Temp\GQUq.exe
| MD5 | f32f19ec21b570edc359d650e283bfca |
| SHA1 | 9d5d02dd4112181e29d063e50b78550ed368ae5e |
| SHA256 | 050c0eeb788577680b717544dbbd4d9d44b523d72f44caa46e28616d0c902c6a |
| SHA512 | 57d352abc0261bb45a62402a641a3e8211fcbadb6885f10ed3095a6362c1d1b10d44d71f570b904fccd04755f2b4aeff61d112cd235752494f2edecbce9da38c |
C:\Users\Admin\AppData\Local\Temp\Wsoy.exe
| MD5 | 20dcd3ef05700bea65b354b331e9c80d |
| SHA1 | 4dc0242a4ddd1e9a5cff4c65f070a36c1502762f |
| SHA256 | 4840ed27b75086d677a58b44ab1c6886bb7965c77cbb6f4b48a8a86159bb772d |
| SHA512 | 084713c0ac155dc0a6e0f4832d8dd0eb6aa4a1d4df6904dd1e34e230abc3eed2b2464cc58a6da7da0600c421c63659c35f56a82996bcddc837805dcd3080c0e4 |
C:\Users\Admin\AppData\Local\Temp\yYcG.exe
| MD5 | 1e17eb010b2bae5dfaef91f333958864 |
| SHA1 | d4b27104f4eea9f29d27f93e462b9103fff17e75 |
| SHA256 | 3160cab37fa517315ebe955660fe90069ad5aed26a3e64dfc3544268e010d1a5 |
| SHA512 | 82efe7e578f7d9668925a34c0d645ff9239c71e26b16d8d46918ce2bea716526aa46380e47651271bade874fe47626caecb1235600bb28dad31553340ae30ce6 |
C:\Users\Admin\AppData\Local\Temp\igUi.exe
| MD5 | 0693b6a97ccb73159ac26e682a7e2481 |
| SHA1 | da38692c6058539e0124b20de1c4a9f82e32dbbe |
| SHA256 | 1db838dd241800e7234786534e9c6287fb4baab0eb15069b18bd41a83ecf0e54 |
| SHA512 | 055c31a7a6c2d0abfe31dca16bd58ced39ad4ece9298af5da28dfe7446dc611414a4092b0cacf5ddbdab275c5695336400c2379b2b839007ed3be4b949cb2d5e |
C:\Users\Admin\AppData\Local\Temp\Cckg.exe
| MD5 | e9f7c8bf6712fd31b7465deb9f478540 |
| SHA1 | b51ee16e1308a858195e8a244dccfb7d899c6b80 |
| SHA256 | 199abf52e77c71a99c372eddb23ba2276e8ec88f74c9efdd7a63e71434b28a84 |
| SHA512 | ca8c0d4d555064bb8e35e4b19473bb93e5dd4d8eaafc20fd7acad7015a3f6725125fa5052860510879f2a645c1dfd8120632cf881a3a2bb4b8bb18a89b064218 |
C:\Users\Admin\AppData\Local\Temp\uMAi.exe
| MD5 | 5057dd7ed545c446abca0bd79426609a |
| SHA1 | 816418e7ad6dfa86e20f9a79cf335a95494de017 |
| SHA256 | a9f62d677d557d6b9961f6223cefd93f394c20e1bd9db9be7b23402bfd9a7738 |
| SHA512 | 6f2c045f195ea5b47040c6b09449de329e8bb5647ed09412a889748069dc1858d4e927e1c33fadb4303f14701d752e7dd020eebdf7fbc35fa01fa034eb63d80f |
C:\Users\Admin\AppData\Local\Temp\IQYU.exe
| MD5 | cf5f6ad5f76d268685c6a38c162b90c7 |
| SHA1 | ece911513088d82e638ea7e4f0eb779981fd8734 |
| SHA256 | 1aafdf2871eda4a3f410eb3bc9bbbbc2558e9cb9ac34f719fd1b47482a0c2fa1 |
| SHA512 | 85ae56a6dee2bb6714f4ef63022a05646cdad247b563c065c2ba88d13093d5a46e0522648ea82fb36675bc4aadb13a17738d0b7d604073b26d4e44a553c347cd |
C:\Users\Admin\AppData\Local\Temp\wkwG.exe
| MD5 | 8beb865fe560663fe1942ddcd7efba85 |
| SHA1 | 14a298b714370ddd5997c223b92a934a8a81d08f |
| SHA256 | 6517ca378f6133984c0add65f1a6b9814537cf960340c9de30b050638a698e60 |
| SHA512 | a2029b034cb9aab150a2ed52ca57cc1a0e347cc009b351d10ec34be78005b3d4dbcaa963e15aa86d001310dcf899c579fcd7db411abe6cb19ecc09cdbc97c064 |
C:\Users\Admin\AppData\Local\Temp\MQwo.exe
| MD5 | 8f040dd6c15fd5c228a1effaba58abcb |
| SHA1 | 3e6dbc3b9c30a371f7f9d620f1a9c85ba86b5d99 |
| SHA256 | 28bf3adb64980b24998dfab101241d42eef16caa3ab8977d7990d8e8a0388516 |
| SHA512 | 1490ebb4a38aaa2a86d4760d64ec5adeb9980b211d8bab8ae91ac09dc5d305e51ae7d9c90d0a7f8cf4c026af5ca36a18f48d5c4f705d69cc483f477e35c833af |
C:\Users\Admin\AppData\Local\Temp\UIsW.exe
| MD5 | f28370bd31bff9c15c9e75fe35d2c2f8 |
| SHA1 | dc9526c9cd6d7d3fb0e7f7195ec9669ac17fff4b |
| SHA256 | 75fd4c0247cc3a1e6e4787cf964520fb2c4e6322f3be206982a66651ef1b4c3f |
| SHA512 | 27ccfb989cc7673fad98668349137dc751ba376dcdf790b19e143a3aab1517f783d0664de47b987361a67a7d171502c0accd28542c46e858208e87b9420edeb7 |
C:\Users\Admin\AppData\Local\Temp\EYIy.exe
| MD5 | 60db48d367512a2ab1651fc94c90c77e |
| SHA1 | ec1fad50e2c1cca464afcfe8db22e9bdf7145bdb |
| SHA256 | d9b77f25887d0d37bc821aa417569c44d1628c60d4e5e2c1ac93089b31ec9d29 |
| SHA512 | 46cff969c28cd5fd0dcaab50610ddd58e16c8d3211f75c567d72c94ede42dac0c59a18e750df08ad6a0e38a5ba575dc79a0a65ecdffbb4efe87f9f500c7e95ae |
C:\Users\Admin\AppData\Local\Temp\awMm.exe
| MD5 | 6810cc548b91c4c37a5cf74d79192927 |
| SHA1 | 0bb4e76ea4f464d0f532e093ab4c852f3e66359a |
| SHA256 | f3258dae724d034622377ed6f85a78d94689ee90534157f881308c5bebd8c821 |
| SHA512 | 8c704a621539ad566dd1c0e8f42948afd05b98d1ca8084c8966a2db252e329d37c0811ace2554e64aefd5ec3d71ea6453958929322c6f9bdde74d64fcd49c0dd |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
| MD5 | 9bf478c3d5695d7afd33e994331e6d3a |
| SHA1 | c4d0e562e7be8c0d7eb5b6dbdfc3b5fa1af7b7cb |
| SHA256 | 311d318d02439fb2776ebd6c45d120c93212941565f03af74d0751a4fb4cf11a |
| SHA512 | 8194c893b8702cf1501a327745a8eb21c37e9e4a7a74a6d0bd7357504e920c8071959badb2f1820192918c19ed93fe1a10871102e4751cfdee79c0c019be4de0 |
C:\Users\Admin\AppData\Local\Temp\OUgu.exe
| MD5 | b768a9f73afbf76c99d00d899e3e99ac |
| SHA1 | f3d24652fd717c45fa3a96b6ba95f96b5c9dd7b3 |
| SHA256 | f21907d3fa227ebbf42601ad01f55bcd9f0cbac21507a6f3be7a88fa4ca19c76 |
| SHA512 | 0e6eabfc9f1889190b851ddb4f9c585c70d7ff0a21150c1b726b1c052f9fd5c7b214993a0caf9390f97bbc88d0bba43488c7d43ce1f5b48739de3d440be53062 |
C:\Users\Admin\AppData\Local\Temp\QMAy.exe
| MD5 | d0f66850feee9290135a3393418bf77b |
| SHA1 | 12af6d73e9e8e43b05ccfbeb3652a1f3ae6c2a45 |
| SHA256 | f93faed3908a113d39bbfc2714f48703bbeb051e1dcd516792dc6309d511aa17 |
| SHA512 | 199a26bd908a9ab562457ea94689bd9ef7efa819257dad1851537007e98eacd3abd22755272c2895675db87021929391047c4d06aec9c8647a7b88f3b95849dd |
C:\Users\Admin\AppData\Local\Temp\CQQa.exe
| MD5 | d0f5e59ef962db479da76c143ed0eb43 |
| SHA1 | 11722ce29b4dc75fee4d83ae576adb2d7cac3a4c |
| SHA256 | fc0cb015e2dcdfa76e3af34ba4fc85448c8110b11c7625b5e3de3f4b35241f3a |
| SHA512 | 3fe83753723febbe46ab1c7cdb459844f6e892b570f746a8334983de49a78da10d8831da878ed459daf4a0901156f7719fbb1d83ee4df5884d330704cd9a09f0 |
C:\Users\Admin\AppData\Local\Temp\YIcO.exe
| MD5 | fc4f7cdd4b268973fb85e02a5545254c |
| SHA1 | 56d2822a17af3b17a0f05b6b3850b163586acf1a |
| SHA256 | 1b34b4d1ab720961ca3355f253c852c5bbf33b30f3542ae437563f6803b502b9 |
| SHA512 | c76f1e2c4f8cd95923acad560c9d49ede3f8e2f2a38e6968bacebdbaf4ad84e99d65f012fdf367f5ad2b8a24bbca7e706a138f573329fa64a49a266c57850dfb |
C:\Users\Admin\AppData\Local\Temp\UsUK.exe
| MD5 | 61760be73b9e15eaa468f4f60c1046bd |
| SHA1 | e39e6d9be57edf20bd71fa69b0014271bd80fde2 |
| SHA256 | ab19ddd54d61afe5cd0000527b2c84a24c4c74d6893b7483b6539d0b4a5e6d61 |
| SHA512 | 45e74ffcd7141f0b7546bc23410182037b4fe0a55e411457993c69d5a62feb36df0a7d160b07e20ec6e44fa83ef5fc71f24e8aaf1717dc0afd79a2f3b097a996 |
C:\Users\Admin\AppData\Local\Temp\uMoE.exe
| MD5 | e018600c9fa5d0c84c48e70eb099b632 |
| SHA1 | f204456ed298806d182b1e08ef2a21fb7c9d19b9 |
| SHA256 | 42bca52154f507a5058b1cfa62d9142d7e1bd5d7863d674e685b0894632dad3c |
| SHA512 | 4e3bf0625b39ddc81b81f2de2d98b8ac2b2cba5087b260624fc505bd016e9690c8d4db7c0c284356372ac5700f780242d3313181f6d518251b0efd481f289e5a |
C:\Users\Admin\AppData\Local\Temp\WsYG.exe
| MD5 | 7fba4356a868bc33fb045495b7ec3c5b |
| SHA1 | 0d1753eefd80d1b766495ac483fdfb46a594be42 |
| SHA256 | a5e682a7f063dad3d817b081d3b18fd060454bc7b247a60bb0cc38e2a0250c16 |
| SHA512 | 91aa3669aac1630a8adcbace250ea9ab28ea02dba22c6807d3a32e80b553b38abc582bd0732f9de3f7e4a7a02b18a1e2f4e2e6e85e2bab9c515d8a7467671305 |
C:\Users\Admin\AppData\Local\Temp\mEIs.exe
| MD5 | 15d40c485ead9ad740c7a1098e23b529 |
| SHA1 | 522dc813678690080621afd3d9d4d07973469491 |
| SHA256 | 6faf0afbc910df0667ba264006899598f7d30fbf7edb267bda4e0985a199c6ec |
| SHA512 | 0c89c2a264daf38bc46e7bd946e54f405c90cb7a8f3e18a459a04daecb9af56b10048b3fb7ceccd76ac3ee1f142af1ff2f076026af6a94fcdf44a94f997fe841 |
C:\Users\Admin\AppData\Local\Temp\eIwa.exe
| MD5 | 953d3694cac78f50f0e626db0d8349c5 |
| SHA1 | 40268deeb6a41aed2b3a05189d30d3d76f0ef48d |
| SHA256 | f78617efcccd5e5821826f042229dad5797488f8926bcf34c2f496fa9ad76ab6 |
| SHA512 | 47ea58c72440afb5cf734338e7ca131c016af8cca77eef378d8318bc2987d79634a9abe8d7d3404edbb07b4aaa166ac10ee656f661da70c5d5bdfc9cc8df9634 |
C:\Users\Admin\AppData\Local\Temp\Iwwk.exe
| MD5 | 75a359de233ec798d0a5085516c9a554 |
| SHA1 | af8fbf5a0984acc61add9f391c166b3cf4e3e634 |
| SHA256 | 3aa5b42cc8e3959f73b3fac24d13d6d3e30aaba92b08ff91411b9f5ea8af9927 |
| SHA512 | b85b5dc965a87b89692fa40f4cbc10bc81e99cca21654952c462f1faaa39488ca0ad4529d052201fe57cac7f76f0497c66109953b6a00d733186c64b050cd696 |
C:\Users\Admin\AppData\Local\Temp\EUYE.exe
| MD5 | 3278f60e633bd25e6472764eed12764e |
| SHA1 | 7f1c8a763a3c5b0ac13b882b7c64677514adb159 |
| SHA256 | b1b62ef6e27dcbf7d259e61116805f14af2b1688212f2425331f4f4f68e08227 |
| SHA512 | 56c4b6a150d11d9873d3f573662b15c7b306155a2c001f7f8eb97d5e8cdad02ffb41779c878383a5dc49fc0c532f9631599a5738c39f8721a4f799aeaed365b2 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe
| MD5 | 07f88b8f3111bb9cc2f4cfe934c93712 |
| SHA1 | 86ef6386ff2d670257516368fd4f9ae7a58cf974 |
| SHA256 | 20ec934fb102754df69c2e7346225a83f731f9b85e8b9946c3dd50d506c27c3b |
| SHA512 | abcca4dcf962ca385ee1dc0cbbd6d43bb7d635c187c8c177e042dfeb1eedd623ec16e1be3e802a9f8daafa23588f8e5cc3a521b59af7f05f1f8cfbcb7d01530e |
C:\Users\Admin\AppData\Local\Temp\mIoU.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\QYsQ.exe
| MD5 | b664629b039615b819bcc09b65dbe5a6 |
| SHA1 | 73e3fc39cf8c8d2e90151e5f026f08d2664c4cba |
| SHA256 | 88f450a3e237785a6fc34a9aabb296b20e418e7882af286af0ef8422a61db0fe |
| SHA512 | 765a72ea0867005ba4877e8a5dfcc97b4c3057868a8d9f5073b0148bda3638cfb90c060f0c33c2d9ff3d1a5a4cb8d713745ddd201860f5706744730b4a925f4a |
C:\Users\Admin\AppData\Local\Temp\uEAA.exe
| MD5 | 6347b09e82118be66780783befb9da32 |
| SHA1 | e71a28579a5c3eb7f39a0c99589f143b82cb643d |
| SHA256 | ca25d5c86406666b44b66f80e8e857701133f5f01d65112e8416f335fb61c835 |
| SHA512 | 9e4deaa4750702d6bd7f22fab8aa2e9d106172492683c3efd1f799b10cb4c954016a80c36b3c6632fd9891e6062f868a56ee095b2104ddf51b58d689b6a57d5d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe
| MD5 | 15568984c2f2b638c53abe12d6e54ed3 |
| SHA1 | 79f10af45f2bbd46159e453c75db406d7e35b70c |
| SHA256 | 123cebeaf6c7b5a54207b76afab8994ce65c335efc4e48e5c197234fec34b4c9 |
| SHA512 | e5604b49c5139305bc8ae7950564004f185065b2f30ba1cc1fa8f767fc52e5ac722eac14172cc685c5409b1a8c0a1bc45470324079fb2880252b546d75130a7e |
C:\Users\Admin\AppData\Local\Temp\IoIg.exe
| MD5 | 73e8111ec9f88ffc6d168ee07c86141f |
| SHA1 | b92de1cda5a625290d6b0b027ab4d1591a0552ac |
| SHA256 | 0007dd444a807c0c543c3258516085edf40a45cd7ba239538feff90b666a64ad |
| SHA512 | 0dd93c162f0ca12a341156a33e8f94075ea7d95b8b2edbff375b4e11f9941ab81b389a10926d077a401df2c1281e5dc47fa62980f486cfd4960f4e3045968270 |
C:\Users\Admin\AppData\Local\Temp\usAS.exe
| MD5 | 674acaab45708cd9c09748a32d3349fc |
| SHA1 | 7f142d467bf11b325125ca52c6326723d7cfbc27 |
| SHA256 | 9f14461f767d40b6ef1870ec9ddedbc8e2ac9f55ff2dbc4ec92a350c0562311d |
| SHA512 | abe0e3ffa8848c2c98f7f52e4b851a72a88372aa84528fb19810b4385c140310da700cf934a1ebeadb0273542342b5ec4fb13581d02a0d6d7858838c404f68ab |
C:\Users\Admin\AppData\Local\Temp\gcMA.exe
| MD5 | 8859896dbc09624f5117a305b4b8bed4 |
| SHA1 | 8ee630af2fe4d9e96a076a71d375d40f926c8865 |
| SHA256 | c447bd734cbd8400d1a2fd38e230f1eecfeef1bf25ba612571d0e87bfc469878 |
| SHA512 | ca32e79454d730cf5275ac6c91ff33a19057133247823fe74a6ffa21fe97d0703ab1c83e21fdee17fc2018c54dd9bd87f7d350698f2ff01fd706948e1e332e2f |
C:\Users\Admin\AppData\Local\Temp\IMwm.exe
| MD5 | 24eb5a3c408dab1f2e55952c9d984873 |
| SHA1 | d357a4f67ecffeee7e093bf2ed36d02282a1dd01 |
| SHA256 | 73052f0c865a30ca7f43d11f4a12d8f2ab7065572e72cc1780dd5d6da71121b2 |
| SHA512 | f11fcd93b2bfe8c0421ccbc9e3bfc1c72f24a3da75add81ca68be9f8a54be21ee50e550f30ca6c0e4a15a47e3d6a86ff539191b446b3e025155612272ba38ae8 |
C:\Users\Admin\AppData\Local\Temp\wAAg.exe
| MD5 | eb6ade23034bb626d1ff474d7fe46f1f |
| SHA1 | fd2477b88107edbe1aa5e117139256d45f379664 |
| SHA256 | 3c56357e2e1752941575cd469968371a8f35d86e09a4aa0bbef74c8a92f421ce |
| SHA512 | 2c68212eaa81153c241c1cadb85023f06b21fbd696eff04e49fbcf9c6e77793f5054926c45d51b27f41ffa1d5d26a57da5123550fd02de9f842a2f5f5b90f7b1 |
C:\Users\Admin\AppData\Local\Temp\YwoO.exe
| MD5 | 8861568750e91e2cb90b0cff83b6d16e |
| SHA1 | 8c6dde8a811aea9c681bca37e1a08b2a419a0dba |
| SHA256 | e25ad3aa66dfde487b9d1d615f450b0a5a77499b2f0d4918a0d5fc61c262578e |
| SHA512 | aa2eacb41611affcbc8c2eaba58179f3d5fda757b0a4ce10a3dde3224e4dcbe640705aa7234af7b191b864411d79b484fcaa89dd585f2ace825cb3a6f2cd1cce |
C:\Users\Admin\AppData\Local\Temp\scMY.exe
| MD5 | 0eca9068a4f3bc36f4f3d5489b08f7e5 |
| SHA1 | b9c781068f0db5d0ddf06b2c4c32a0298db04436 |
| SHA256 | bd83568d16ceac3370faf5a8b1e975cc2d8cced936da6d46155fa34ee52fc2af |
| SHA512 | 67ea1b62f514bc1705d180a392f0179f09e8fbf1dd3e3eca8bb842654f57db3e28afbf6265e4aa59403c8ed459cff23a992ad73407862535b21ace95393e641b |
C:\Users\Admin\AppData\Local\Temp\moQm.exe
| MD5 | 7b52aa53f0157913d923c1d1a4353fe9 |
| SHA1 | 7e23a8236df8653ef0772bccbc764c46643bb11f |
| SHA256 | 62760108cab03358f91d0e49305e9bcc3649f063a200906f4ee8000e3bacc5e6 |
| SHA512 | 82e5a5c8539985631893997f7341c77c4a3a46415aa7e5fcd6667906a806fd33c06cccd341854aae043bf97f5356f66218ed5b03105584d19c3b36355d274834 |
C:\Users\Admin\AppData\Local\Temp\ssAm.exe
| MD5 | 7ef60ab81e7d4a1ff8fbf4644f71eea4 |
| SHA1 | c0a376b6430059e5eaa419b8a99aa69f6321b6da |
| SHA256 | dad80b563fb1b6ab947beab6ab421f8471925eaa4ecf9ea5a3bd3d548a0158cf |
| SHA512 | 361d1abea993b2311e29800f0c11b92e61c537f1f318e8ab5e6c8ba1c1f9c158feeb3fcaba4a75ac356c08a69216fd07209bbf115af0d72f80e302641a2d2026 |
C:\Users\Admin\AppData\Local\Temp\mogE.exe
| MD5 | 648fd230259a632f32e45dd936fd1bb7 |
| SHA1 | abfda2444fc67771825802dbcb79ed05bc6215b1 |
| SHA256 | 4eb72465cad67993cab24b3c4650ae540b410486bb8bfb6d0985d9e9311d5f2d |
| SHA512 | 46b95a3f662b1e59d308b630c40c6b864585ac95656ce4aae1d09e2444b32448d7bc3f630e3f29a2f93d1e7eeae2defaa71b993aea11fa0ddf30ec2c2f0571aa |
C:\Users\Admin\AppData\Local\Temp\ckwi.exe
| MD5 | 54fa4a6a0a3ff63f132cd4fa35205ea9 |
| SHA1 | a437ad92690ca249b97089fb5f172a9cdf995b7f |
| SHA256 | 018b8a25c2be89c08145589e25d60baf0725c5ab15f8afa8acbc813982df0f61 |
| SHA512 | ceaebaefc60e5a292b856735a2c8abcc27a122d17548ef56f2b6118d7bed5191e998f9c3c823b76b6f70d5f128cf73e42f763356aafadf97ea5c3a8c33cedf32 |
C:\Users\Admin\AppData\Local\Temp\kEAm.exe
| MD5 | d538bff41ee29f6c1b5fbdf4e4a7011f |
| SHA1 | cfb80b6e923264f7f7cb6dbfb9f22a65bb7588f5 |
| SHA256 | 1a5a84dc5f5b844e36ca1f011ee76ba352faefab47b276d4b86b3ef47628af1a |
| SHA512 | 639d97e661eab01b4e7f919749de1606c74bb4e02d7275bfcdcd62b1a80b1b8ed0be409edc37a76948147e1d80c7e555d9c7952b4ce15e950626a1396b0eb0df |
C:\Users\Admin\AppData\Roaming\UnlockOut.mp3.exe
| MD5 | 9262a6daab8b21e6170f389a869030d4 |
| SHA1 | 9a95ca9ed9ab88a75172738a55e8c197995df7a1 |
| SHA256 | 22c5e07d7dc5417009b938662af575e8e7138f12ff108250a963fdab15e07bbb |
| SHA512 | aba4de168e12ce27dfdb3abfe418cb69fcb7e9f8508ffbd2e161c220ef036e3d97b3d5a32748f9dc97a5bab2e56f1a55616c38391da0d06178c65297e316fae3 |
C:\Users\Admin\AppData\Local\Temp\KAwK.exe
| MD5 | fc07e5f582c012a14c3fd75459402048 |
| SHA1 | 03473392a5ee0cd9b3491bd24f1aa68afe9342b5 |
| SHA256 | 422c0548e236eab297150dce5352aafed605173d2518e9b4c3bdea0d571e9022 |
| SHA512 | f34907a7a090f17a1113c0468db2e4e87b0cc2de180c52f9f25ff7fab8a032d254e66d84e209d05e09a49ac561e7a1d11d7ab6bff83674564c663d2f6b6ed8f3 |
C:\Users\Admin\AppData\Local\Temp\cAge.exe
| MD5 | 49b4681546224071160001df0db494bd |
| SHA1 | 7241e7e11ca72750ba18f00f34fd0d320cd249ab |
| SHA256 | 69df30e3a3d5526fdfecb9fc18213d230be02ec40633dfd8888662ba3db9ec95 |
| SHA512 | 4cfb146d7b84e999a6fa0cbd6133885fb57eba2995ce049f56c87835f77a48b0626a1376961cbf65cbb8646f285f78cf02998c55841fd7b2a564c7f279dd8652 |
C:\Users\Admin\AppData\Local\Temp\osoC.exe
| MD5 | 600328de195a6e2738e6703bc468dc4f |
| SHA1 | 88e4d5e6715d72b018b690dfe8c61a53675e6b99 |
| SHA256 | 97c73a0e5b30c144d2e35792bde2c7099c94ca73cf8f2e9a9de42d1c45bfeadc |
| SHA512 | 548f89e872ed221e61d8920539b7d3e15aafb31239780f136c7c5f2d3fa65a799d016108fd4a7ace4321610a5610646c8bab60c29eb4ac4cdb03e6b6d7b6b340 |
C:\Users\Admin\AppData\Local\Temp\iIsK.ico
| MD5 | d07076334c046eb9c4fdf5ec067b2f99 |
| SHA1 | 5d411403fed6aec47f892c4eaa1bafcde56c4ea9 |
| SHA256 | a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86 |
| SHA512 | 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd |
C:\Users\Admin\AppData\Local\Temp\SUwo.exe
| MD5 | 015b9e87c092bd56957ddcd693cbeeaf |
| SHA1 | 9a71d09fc696eb8924a061bcde22b8a0caaac99b |
| SHA256 | 112c638c176e1ff43a2cc0d72d41beb362f77d2303705f790babb908f2802cd0 |
| SHA512 | fbf48ff0d9636ad495a0b31332a1d9f324292c71f96858441b0eaaeecd4c9e40e4c60304422848189c844bee79a03e677be49df22d26692c69eb374e31e1b119 |
C:\Users\Admin\AppData\Local\Temp\AAMK.exe
| MD5 | bcd807f6a6d55958db71bb6ec9276842 |
| SHA1 | a485ddd25fe353c40520be7f216c7072bffb5bc8 |
| SHA256 | ce1a21548e76ce6e2a3d39797c66fcba8eaf8e0f884eec6a6ca0d3c4de8e17db |
| SHA512 | ff1efd02a68f38c250c2b03a87194da448699dcee8dd361dbad9f41f8f719e2d522f416654fc85ff65dd6845806f9ee484d52b27a66e1fc8f09ae05ae2c16ebd |
C:\Users\Admin\AppData\Local\Temp\kIsQ.exe
| MD5 | 084c9ace0095968c53c08d6385e36f68 |
| SHA1 | 58a0c84058c9e94c719cc41b53c5185ee205328d |
| SHA256 | e32b2dc641c9a73a5d51c8598cdf67c4ee535e16fd8e71aaa635c7026ec21b05 |
| SHA512 | 6f507c25e0679a3125ad98dc12ac48b3d8b29fdd84d016400cab5b4fb247c73e730e4e82a4dcbe5a80e4ae48dc769673418c9ce0e18fb1f817893a9c6013fcf4 |
C:\Users\Admin\AppData\Local\Temp\sAYS.exe
| MD5 | 151b0b390cce65a5fc0b59a524b9eb80 |
| SHA1 | a3cce338864b4920b726e7cbb7fc0bc7cfee96e4 |
| SHA256 | af365fbe280d80c546a8350e9f6030b791ef7095e2063e7a8ca496d522ace354 |
| SHA512 | a1f8a25a8fe210cda72b2870bf24ecf94848654559add7401e919b168d48e6a4c8cea69d23c79127df8d917562fbaa16c466a60ec484a2b948a59b18cd2a9f53 |
C:\Users\Admin\AppData\Local\Temp\KYEk.exe
| MD5 | b035ad68ee03c9ccdd3b521693e2beae |
| SHA1 | 1aeceeb5f6ec1563d5efb4356e651bd33a7906c6 |
| SHA256 | b6aaf776633d12622ff2c6ff7b83e38080b4da0d57188a1519a373be158dbfb8 |
| SHA512 | 8612a5bb26ef69d5f083eaf11c98b82aa6d74cc76c15e4896be20c1bf0224cf55d4cfa954370073f283d7bc8938c394ed0c93d4ca6ef90a90125114a7b277d67 |
C:\Users\Admin\AppData\Local\Temp\MckI.exe
| MD5 | 156ca5745e6a107ef00251a2ccc25bac |
| SHA1 | 760aabfd403c099f03336131bcd8089025c38d57 |
| SHA256 | dbd780fe2d4d2e1a4040492f078f997ddd47bd4c07bdf6205d32e449dc29257a |
| SHA512 | 1e0d2b05e3799c13b467a0742109e314de157564941993076e2c7533b276dab426b5ed8938f52d714c109b3ce0d5b752060c63a398d78d5c04421cd3feca5f34 |
C:\Users\Admin\AppData\Local\Temp\WwYU.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\IEoQ.exe
| MD5 | a3d5bf74424dc3fa2eca67049fbd241d |
| SHA1 | 4069db543093a68532da8f271ff16c4b44c7a9e5 |
| SHA256 | c7d1947a2f2656459fe6cf62c7ddc959c73352ffc6740e6072fae19452ec172d |
| SHA512 | ef9169acd33a0777a6c3b2be009900241775c60a159d41fe0d1f9c4973c113b35ff06997cf348a1b9eee8bceb41d504844afbf801c88bbac4c67099cf4b0b306 |
C:\Users\Admin\AppData\Local\Temp\uQAc.exe
| MD5 | 0847a6025ae21f88e3896de299a39b83 |
| SHA1 | 1eea44c3847d204c42d0f85727dd2aa4df4e2aa0 |
| SHA256 | 378d31c14357ce6b691ec3bbcc245416f9920c3a4344063debeaa91dea26458a |
| SHA512 | 958ea550cece550b0db48a62bfaae3157f076a3786134333b9b9ab60552f0003896ffa5dd7670c0c7a108baf39aafa115e9db88e6408bb9d27c143dcf6cdb606 |
C:\Users\Admin\AppData\Local\Temp\UQcG.exe
| MD5 | 6fa96bb56dac221aa3caa7cfd9c0d027 |
| SHA1 | 163806931bb5dd5dd5c7242e93e57158ee8760e7 |
| SHA256 | 70e9b2295698200c59c5d1e29c1a0fa0d20d2556673a77d3013ab6d6f5c7b57e |
| SHA512 | a49e2bfc2d7265707d5298dd4ac19cf53f5816725655aa1e9875ed9489e9d24002a17babb8ec790807fcaf39b5f39b89429f5a8778c656b02ad1c9301ac426c3 |
C:\Users\Admin\AppData\Local\Temp\kAUQ.exe
| MD5 | 574560a0b70f0635787affcd51858a0e |
| SHA1 | 1ecafe89dc72c2520278d3d19ddd37f77fd64c4a |
| SHA256 | 130e3875c634ee7254d2e95e5bb84bd50d5234922035489f99f92ae26f70f2b5 |
| SHA512 | 83bed2e185eee1b4f664e91472c00b6a302f73a5454cad4921788f943f1bd30efc698f78ad2c1cf3e040dc460a8e26e19e8d615b66a2d8d41284ecaad5552cd7 |
C:\Users\Admin\AppData\Local\Temp\qEcI.exe
| MD5 | 9a69e8a62da8cb66b8f37083519c94f3 |
| SHA1 | f98dc12b963ff187f0a700a9a4a6cba4d1f28ced |
| SHA256 | a642edbbee7d18cfc66a9654d7f3438e67148cafded88f665adfd37aa87ccb4e |
| SHA512 | 4c5c1cb7d12a6615cf7acdbe112595fcf05bcd5911a86a94760cf59499ca6f4178dea65d66f4bb8b38a39bd885a617d623facbe03889b80cd0582637f88da65f |
C:\Users\Admin\AppData\Local\Temp\GIcO.exe
| MD5 | cbe4def3a8c886dd341c2c414ae56bd3 |
| SHA1 | 098486221c5e589741330927d3afdf0d460d905d |
| SHA256 | 1be2238ff6f005966e357e1a6186bd4e1586b84d01c04757c81d5ed8c6c1e712 |
| SHA512 | 21f5c5128e1885d0014c5d3a130db98d44f1246d80e6da2fb63098b97ae6c963576271e3172914157f4a42c2dac54b56c60a99ab3f58e84fc2ae8a73c3658b69 |
C:\Users\Admin\AppData\Local\Temp\ssMw.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
| MD5 | 6400a240d50fcc6adecfd43fb2a13e9c |
| SHA1 | 65d0d4ed73fb7877cdfa84656d40bd6f9d7de020 |
| SHA256 | 0c237562a5b8a08711b417ab2ad56d182560fd771b32bdd4677dbeb5ce69e01d |
| SHA512 | e90a52fe35a5419089f2a162f5f4ff91f92c953ebb35e579a5a50a6057078198c90e8c589da8dfc534f81a6cd1b326ab00053fd5fb94ba34b10e2822726c84cc |
C:\Users\Admin\AppData\Local\Temp\ysIo.exe
| MD5 | d22e054c9220e0fdf88a3e1a98b0319c |
| SHA1 | 89ccecb5fc39da9de8381eaeaacaca5af2576c67 |
| SHA256 | 85cd078fbfb8f69c5b76b698e1816d65dd5497df0948a53f7a37bb905a1a98f5 |
| SHA512 | a8b52c212a7c492ffdcc3976fb264ce3cd56629d564e1d414484e59d9d35372c57265e1b563becbe170525a8ff60c9711fe4bb33da28e466c13735441067dc8a |
C:\Users\Admin\AppData\Local\Temp\SIwi.exe
| MD5 | 46b1ccd9733866f3ab7e900ca6ce3585 |
| SHA1 | 01e47ef9ab8535ec2a7582f3824356a8bb03915d |
| SHA256 | fa74102d471f41a352c863e63d2dd9c05d826e9874c588de59361ae48a608b47 |
| SHA512 | bf697774fb6db7c9f03227d0c840216ff5887c01922779a00b3002bf4405dee4139d126b4f2d740ed830de68dd117b6b8e7bec4e4953648ea6a5fda7f7a707b2 |
C:\Users\Admin\AppData\Local\Temp\aEoi.exe
| MD5 | 5ecc4fd09d2d8a4718436b931cbff232 |
| SHA1 | 6fe8a30799832022fc2e11c6af5c922e7c4b6986 |
| SHA256 | a3a369661bf7d8ce44b8dc1a68ba7e19ac4d8881b8ee8d841f957232113da785 |
| SHA512 | 5929e6f6b6d99a6129b6ed760aa76da12dc4cacc906b1f02f029b81e8075ecc660f7ad761bed4ad5e456c34fb755dcb42d3b04a4f55094afe9d76dcd583266e0 |
C:\Users\Admin\AppData\Local\Temp\Agoc.exe
| MD5 | d2551b254baa37f6807a238fcdf86166 |
| SHA1 | 11160494a3a26d0632da8da126505cd6e12a558f |
| SHA256 | 83995e444ee2dbcf477cc8343f711593ddcb23a9b51af37d9c3eda321b159dc3 |
| SHA512 | c4adc510da009f11e72ca5f7f210c5777b133d29a12474685e2707285da83a91999833497b7b4edebc24c34d698e8a19f16b063a701d67799c51ae2c8e1d066c |
C:\Users\Admin\AppData\Local\Temp\ssAI.exe
| MD5 | 5749b13fdf1e2f8cb4355a68f3fae503 |
| SHA1 | 53b573b6295fd20a073c758b9ba644ffa7c69f4a |
| SHA256 | 4eefb13bebb48293491329ce751df3427a127482d5503e6b68c69bfed0389f1d |
| SHA512 | b8529a2ea165955ed60eb42c5a3264c177e627a3a2d983d0e4c2421d06d0037d8cdc8a40f641fa69b32ee48742ae6d3df54013dc4908f7ff5fed93f83dcbd3ca |
C:\Users\Admin\AppData\Local\Temp\ekIM.exe
| MD5 | 95b4a096ac60816f27302094b6e0558f |
| SHA1 | f17e8f329d4640a4a42f505490942e2c8cebe4a8 |
| SHA256 | 3016ec15a3a5dcff60882636bcbff542df1f5d396b61c6638df1e5b38feafb0b |
| SHA512 | c898ad55a5cfd1e68ba94078cd6d8aef7b925b28f0443c701112ad2cd2251616fbf652eff0bc2a686e73f765d55d7c2250193bf6c4ae933bf1ce88c1d5318070 |
C:\Users\Admin\AppData\Local\Temp\ggkW.exe
| MD5 | f5db13c955da643938c71f04dde987ae |
| SHA1 | ed9ebed2cf6c181cfb7a15c51786cfa22a5f0b5e |
| SHA256 | 9d9d17d9f69cad1a12e99d8b44481acff75779f4a25875305a328832e6ba459f |
| SHA512 | 5f07d5ce6500cd7ceead9380907f79d24acc20e7b834f2aacbf94d29fb62bb0b7bc8a2952613bdcac924a19d60aeec649370a538811714c3f0f2dba9b9de0b03 |
C:\Users\Admin\AppData\Local\Temp\cwwM.exe
| MD5 | 3ad13435a9748d890d968c01ec58f734 |
| SHA1 | 23ec8dd8b1786026c75ebfb73a895138c0d15a2e |
| SHA256 | 705723825b0d2a33ba622beb40dd5ffe972e368a5957d65d781b8e0f2fb88b51 |
| SHA512 | 4b28e2abd4d2363843e6af80a5110a49f63d92ba38745e40f2bd6d98a0e21d5a9dd2f046c7e8d93ccfaf215daee46d35492636fb2df05398964c1dbe9deaba29 |
C:\Users\Admin\AppData\Local\Temp\WEgK.exe
| MD5 | d729f4aab18e356b05fbf1e56da11dc1 |
| SHA1 | 92cd6e8f604b0b97bf62c97ce28f932bc5118c6a |
| SHA256 | 4d05e9c90e25d6f8d01ceeab62ec75db7259ec1f96385ce9c79180d535bb69e4 |
| SHA512 | 66f9cffa143fa64e4b79f36bb4efa7749c7eba663dbe3f593e021cd939d33e57e8defc023ddfe81b8365b668b42fb6076f22ec56199cdece78d7bd1278dacf0f |
C:\Users\Admin\AppData\Local\Temp\AIYw.exe
| MD5 | 579b64d201b6cf0266409cfdd3eadff9 |
| SHA1 | a83fa7cd3af394314ad8a253f867613b0c99fdc9 |
| SHA256 | d4212737b51e4eea9fca95157395b53db16383b54d6c2994c71155b3e7e81bb5 |
| SHA512 | 9ff6a00d7f6b4449c5efb2d2dd130aff11a89aa18a26dea315d9a6d9df11a237a62eb07c3448121b557bcf97e2cf3f4e517b419cec3e85d0bf46a312eb842d29 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 02:19
Reported
2024-10-18 02:22
Platform
win7-20240903-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (57) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\lAwUUQco\SUIEcMEI.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\lAwUUQco\SUIEcMEI.exe | N/A |
| N/A | N/A | C:\ProgramData\XMEQoIQs\PWgkEYYY.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUIEcMEI.exe = "C:\\Users\\Admin\\lAwUUQco\\SUIEcMEI.exe" | C:\Users\Admin\lAwUUQco\SUIEcMEI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PWgkEYYY.exe = "C:\\ProgramData\\XMEQoIQs\\PWgkEYYY.exe" | C:\ProgramData\XMEQoIQs\PWgkEYYY.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUIEcMEI.exe = "C:\\Users\\Admin\\lAwUUQco\\SUIEcMEI.exe" | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PWgkEYYY.exe = "C:\\ProgramData\\XMEQoIQs\\PWgkEYYY.exe" | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\lAwUUQco\SUIEcMEI.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\lAwUUQco\SUIEcMEI.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe"
C:\Users\Admin\lAwUUQco\SUIEcMEI.exe
"C:\Users\Admin\lAwUUQco\SUIEcMEI.exe"
C:\ProgramData\XMEQoIQs\PWgkEYYY.exe
"C:\ProgramData\XMEQoIQs\PWgkEYYY.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUooMEow.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zacEYQgI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\REYgMUcg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yuYskMUM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMQUAwYc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SeooMsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAEwMQIw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\roEksUYM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DyAwEQos.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hUcEYggQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCEYcwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgwQQsks.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eyYAMEwk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CgQAMEcM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKYoEQwI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWssksss.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGwQsgkk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOUUcwkk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQgwEAAs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkQwQEsw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmsQUUUY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YysMQEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKoMsccU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NccQIUEM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BegoQEgg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYAEAEwo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEAoMUUc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogYwkwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUYwUIsI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcEkwsYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qoEEAMMc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMIUoMoI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PMssMwYg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pcsYMQcA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LOMIAccw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ukkQgAgE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qYkgkEYo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGgQIsYc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RagQQEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOgYMkUc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIYIwsUo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMsEQwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aWUcYoIw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GyUIQkgk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eYcAoIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCkksgsU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tucQYIkI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUEEMQcM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGYkosgI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HykkIUgs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qokoYMQs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SWgEIEcM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIoYMwQc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugoAkwMc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oasAoIQY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dqcUYMMo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUogAkoI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmAskEMc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NacIQEsU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\goggwIgc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQYggMUw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UAAQQYwk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIYAMMQk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\picgMoYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZuQYksgg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jswAoEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkUkwkAM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAgAwEsk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWUQgcII.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uyAksAIM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQsAswww.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOgoIIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOIgcUoA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgwAIkMg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCcooQAM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEMIUYUg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWMIgEQA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\esMgEYok.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1677545583-39431059913666410093881852611338265761-120894969-411569329-266175147"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYEsYckM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMMUIMoU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgMwwgEk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcMwkcQA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "539268477-1018821869257060643-11404127609744433689241618824028158-1004534101"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-88117089115169815151838299556-1381649573-331633002165424187518185664-1305195448"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MikIgYUY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YWwEIUcA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCsoAsEc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmMEgcow.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qyAQgcsM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1792361974175058483-12734282281285550021-1366032656798812452397028623-1531478630"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcYcYQgY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1824822644-1264221072-1937761202102076296-1062681616738357270-1013408681-1920732082"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vggEoEMw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "832225201784430045160726534085174910722835822113812898341099453569-240678005"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pMkkcIQs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1578511283-8974153271050758058-16807594101076694888-293902856-1742997889711709500"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bEwQIooY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "740067346-1223159225-583215081-2089225749-385428879198533150216703072032012754233"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\swMsMUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1363305976-1961416353-8889578233492283521063787599-8077212427265138161904313132"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmowEMsg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cyUEEYAc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13337347661161360190132423954-19357387901126836626-1347226913-16822236491683540735"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AwEQUosQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSUYMgAw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-73317171585264244115725512071349169750-155810671-8551283361487424543-1762953389"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HusUYooU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcUkskEc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lQcUkYEc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1549446050-210430595516515589241120070950-821461723-561110775-1595336840-2113388737"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyQEUIQs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUMMskQM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13495347111408746521663281444940224314-2092885581-1862877196-10183351311275505342"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEMMUcMI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-212035634150144182-21079156962020111489-242676542738034006-375455821-1372986685"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIQkgkcI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-756440808-16286085931341655104212154826099594499515587388211794108799-511278136"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEMoEAYg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PckkwIYY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "617843466-680810783-771151796-643265869-434742245136899536-1930443456-425144524"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bygUokEE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-816352316281161273991518004-214035904515701513896165288691899120556-254456204"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyQMwQUw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-420079888-24498995-1701588254-5084712719387965591068456414695972544-1364310630"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2045221637-13313801431007853055-1884118114-547884824-1282968429-2061687931-2068873037"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIUcEsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1265730766753490975-7074607001758415529462308999-13432969477207762571384041529"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-175027348-49062505270617197018942073501297604235-893291399-630502664-2043259178"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "570017070-257665909-979449568-18745566271624638134-1320707589-97932243-1186168273"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6826220361664306252752239879-7250595491163964789-1570161590-780622878-1831727365"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCkwoIcA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1906629779134644081-1753552265328448881866136254-7051618111168101886-1096213392"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13428105231305228798-1876648713-1535716884475894536901221310-1905820599572143978"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYgcQkgo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\saEccwsU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18426947721488739980-5399243962104676353886565589-1403315719-12595626681268590692"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eyAQksII.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMsMMgII.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2064216128-1537369248-241191266228298870-1673765770-2197194183492044-524362155"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aaYcoUMo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1753875528-750784533-1350489974-206575559317360488791480960409-2427782431648803744"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "432256573239380319-19974177971818101579-1866196673-1687527682-1087421121380307636"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rAkoEcEo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgYwooUQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCwYccgM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-342234625-1427199720-1477452573-1326548106902471700-1563876143-1868315279938925650"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIQgUsYg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "343881098-1686351206-446400118-406341454797520996-1020431738-16942737191139551018"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "62205744014573099481832510605-145943106-18502423371915019570-625475019591199538"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgwYIkYY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1306213654-1264947742-1724966634-160299747335831134873171061-321601989360690657"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-220676101934552626-820800511250282130287650203-465119943725561487-1298881798"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7328872481505973734-946565507-1332471841212655440857987909614417341251217181584"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgkAAcMw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "472655266131407337348108523612629621601916535818-15074871381629311985762540321"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2521796692324689111302556081372574404804732230-1837398547-6977200661355238088"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIEIQAQk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "148795876962087168910577953651814478701105299276-121677149721331634582111021672"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccYoQIMw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgUIkgoI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XKkEAIww.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1373829294771071034-404434995348506119-452887287188611810416078146192106930557"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4500041811018875239-964730954204135442-22282843-1292113449-1790282222-1470328602"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "128447734614539025421865806304-7213087751931631921431156024-1645368913-1177032371"
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "192804253313985308411351055598-1809545611038570009-603416753-1547114812-1782406325"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKMwgoQI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.78:80 | google.com | tcp |
| GB | 172.217.169.78:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2268-0-0x0000000000400000-0x0000000000434000-memory.dmp
\Users\Admin\lAwUUQco\SUIEcMEI.exe
| MD5 | 6df84fdab369c1101c4c3e1ad42737a2 |
| SHA1 | 2afd564743a68815c05ecc4a73dd373526998ea2 |
| SHA256 | d07051a0446ae5712bace16596390524fd51fb01db12c22cd98b97d454168230 |
| SHA512 | a0e57ec16f0091fafc21d570bff1109b3ca3738b96c912813fa8e546316a6283effd6e252847c800c8265bf2a8dc5275dd90608547dad98409702abcf05f21ef |
memory/2120-14-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2268-13-0x0000000001C90000-0x0000000001CC1000-memory.dmp
memory/2268-12-0x0000000001C90000-0x0000000001CC1000-memory.dmp
\ProgramData\XMEQoIQs\PWgkEYYY.exe
| MD5 | d0663b98b960f7803c15e600f3707e56 |
| SHA1 | 02303487fe847b6f6b3e32041beac672a8fd94a6 |
| SHA256 | 9ca43eaeab081791f9e39375ae0ee46bc147585939590a7799e9d1311a6baff5 |
| SHA512 | 6c7cf4dae1b4485b92e6a0f310c9e38d3dc7783cb0077164e8537ad41474c497565a017f54edba028276a4de5eef0bae49b3110ca75fa410edf27096e3317a33 |
C:\Users\Admin\AppData\Local\Temp\lugUcYgQ.bat
| MD5 | d2912863b3c619e455c88c0667d5383c |
| SHA1 | 2c21e30809862aab64f29caa71f167215aa2e081 |
| SHA256 | 0e0b21f74d18cc7309fd2a5bd6625517c36ed5e0c03f6eb885d522de24e69d38 |
| SHA512 | d9ab82f89c9bcaabcf2e15974ba53ce63ecc94e870969c72cc0ad74633fe5373d2e8343fba97f5f86633ab9cb38e19d850fc24894c985b963d1531743d91f187 |
memory/2708-31-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2268-30-0x0000000001C90000-0x0000000001CBF000-memory.dmp
memory/2268-40-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2780-42-0x00000000001F0000-0x0000000000224000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DUooMEow.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2628-44-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2780-43-0x00000000001F0000-0x0000000000224000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
| MD5 | ce1e5810d7c9f27a6b139b7bb5772198 |
| SHA1 | ec7dd31f242502ea55223a00c883044cba378ba4 |
| SHA256 | 0ae29a2e9fb4ca75da5145ac86ab6dd9f12767cadb5bc6a9aa4b1036edc128e7 |
| SHA512 | 44975121e40b3fa90d1c32ca56e53e2fcd5c768e64e22cc9f9ac73991b1ca79aa9745136b7dea10bac6c88c946af0155ba2abb91b14eb182dd1e69c2a718a63a |
C:\Users\Admin\AppData\Local\Temp\lIIkEkwk.bat
| MD5 | 10cb755518a891bea8aae398e6ce22e9 |
| SHA1 | ee3e04b9fefabbda0cca8d09503939189dea6f0a |
| SHA256 | 960860e18d21c699070c355030f9b886a50f8bc85606600cd9e11d2d6eb80c28 |
| SHA512 | c6cf302d530cdd070f659a62c2ab3ec1b23118d2bda106c17a2fcf780217c2569e79a11275f8278a4ba422c1ee75b6283436ecbfbf7b93c334e7010c049e3851 |
memory/2628-66-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pCIEMEUU.bat
| MD5 | dc76b145f4b4f43fef7f9ba433e57acf |
| SHA1 | 76857436fcbd9e727b58ec9f0fdc87193e530558 |
| SHA256 | e0b62b7504b4143634cb95b0f36dd928c8a873069e1e12efed68fa91344e58f2 |
| SHA512 | 622193c5eb401ed56c012ce90c391b894e078b756b9e33eadad0036779a6d470ad764b24d7adaf956785ea5fbd060950a858c474ce5e1fd7c70478e50993c4e7 |
memory/536-79-0x0000000000160000-0x0000000000194000-memory.dmp
memory/112-88-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wYUkgsgY.bat
| MD5 | 29f958bbfc139a3f9223d8c8e20f3aac |
| SHA1 | 9efcddc4a846e835bca5bcf449847460aa40038e |
| SHA256 | 746ec78a82ed5367946917dfe4812b65d2970d2c00955cc3d65a271e855ecbf9 |
| SHA512 | ee0787612ad0f789c67c08380ceaa09e1bc0de7efbb77ea23f304362e48f14d878d0fb8412f0259f86693420c47299f092508f4fa9817c7241769b7959c92b01 |
memory/1440-101-0x0000000000270000-0x00000000002A4000-memory.dmp
memory/604-110-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GkYYgsEc.bat
| MD5 | 06f09536e4cb8fc7cb85e0698988d439 |
| SHA1 | 66118a31f6c1ed745b174591f8bd5a570ac828d5 |
| SHA256 | 6ac29c9a6cd5f84272bda207cd5c7836cfae442d3ab185c19c17484518b05905 |
| SHA512 | 9739a7425275d73baaafa0a5b9d1e7ce934dc2ea68e1a2eaa4853c2df3cde52483d39383ac6f2084f5b8d92ca8d63333042a422f77c4f72e1cdf266dc27eec92 |
memory/2064-123-0x0000000000200000-0x0000000000234000-memory.dmp
memory/2132-134-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kwoksAoY.bat
| MD5 | 6410ddcd7caf67318a4d032e1184c2a0 |
| SHA1 | 0057adf03401795a25f88231b6afeccf20421c76 |
| SHA256 | 1f60f69f90127eb474c67f40dbbd9590212351be034fabe16e61236dcd9a861d |
| SHA512 | 805bbf461a10d5f092b7fda27194776c201e93f17c76a676f17417abdd729f10220625e84215d7697f1bebe4cc543ff373982742b308e62e0ad3db0b6e7fdb50 |
memory/2676-148-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2024-147-0x00000000001A0000-0x00000000001D4000-memory.dmp
memory/1672-157-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UcgEcoEE.bat
| MD5 | 33c9b6a787e5d8ade6713e58a34b9e25 |
| SHA1 | 02c212a20db91f41c5fd05ffed54ec7d8ede56b8 |
| SHA256 | 18e4e2bddaf2ca7c2cc190f8d83efe0092b57abbed48d091a01ba76ced2f492a |
| SHA512 | 1dadd6060c4cd07a85ff0c0916c1adc1ea9b4cdd2a3d4c9fcd7d02b7dea4630558d33e96fa2a75ad02bef85bdce9aef1c894b56f5d6d663b48229c02b8deeec7 |
memory/1356-171-0x0000000000160000-0x0000000000194000-memory.dmp
memory/2720-172-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1356-170-0x0000000000160000-0x0000000000194000-memory.dmp
memory/2676-181-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DkwEkAME.bat
| MD5 | afd9cb6d2a9cdd5360cef772cb7e39e5 |
| SHA1 | edccf71de37a24f079e4fa8e14c9dfd22fdc56e7 |
| SHA256 | b14c6ca8a8942bf9f0955f2741be44838edca8ea40629b95473407def85c8d5c |
| SHA512 | 9744bbb7752472f7b74802b1a9bcc2c75dea2c70109aabf74afae4acd402cec05d4ff3552fd63da6a71044f4f2f8a67ba62fcfecc88e343a64fb63c5a131c4a6 |
memory/2272-195-0x0000000000110000-0x0000000000144000-memory.dmp
memory/2272-194-0x0000000000110000-0x0000000000144000-memory.dmp
memory/2720-204-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bsgYAYII.bat
| MD5 | eacbf268bd0879c6cf9155ead713cd95 |
| SHA1 | fb0aa2fd8f4ee640257a36403acfb98febcdfd38 |
| SHA256 | 7c2b4b961e91012bb88db42cb48154a59531f5e35fe806ffc5d269a4f4931f5b |
| SHA512 | 315724c5d1911c976d90c39387092a6c2b8230dc9866c7acb0412442d26798d9d04d51dc629a1c7901438626dbeadcb3c09ba0368de9d0a060e06a39b98dc171 |
memory/2816-217-0x0000000000260000-0x0000000000294000-memory.dmp
memory/676-226-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tWEgAkAA.bat
| MD5 | ab24457bc7537b1e14c4c618dc6e3774 |
| SHA1 | 104edc69e18ecee1f494f26b278dabd9ac91130c |
| SHA256 | f142adbad86b2bb0bbf637d19e92c19a0067da686f5d701fe42f25694aab1017 |
| SHA512 | b1404c95d4621a9bd065695e609dc67d1946ceacf029e7262ed4666b3b38afb9dbc96e27e848c17863be95eec8530f091379dc46411b2b714cf2f76916e4f3ee |
memory/2204-249-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vCsoEYUU.bat
| MD5 | b96475ef81d8109532d1c417cc50ad12 |
| SHA1 | 9362764be6471f717de35c33c5df1b618df38d67 |
| SHA256 | 3832267ee1d572aec36a701f6e5f2f66818a238ff372908bf439689e33bc5b80 |
| SHA512 | 57f597d42aef6fc48d52f22fc1d0f47967dbc7707d4eca0987b7f2bea0494c19fd84c04c844667aa171b7c3cf6c2cb78ce9977c48404cbd3b2036d6a5f2d3f22 |
memory/1952-262-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2212-271-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smAAUkAY.bat
| MD5 | 2b3b70b8babd5a5a973c029d9da95084 |
| SHA1 | 216d43a2b6d6860d604258c4752887a029923e0d |
| SHA256 | 1ee24d465ede6d5f61e65104162dd7c20a5339b51abe06191144feeae9efaa6c |
| SHA512 | 10bf2e76c291bfb0e9d5452e5c1fcd084bb9feffba2ccbd764defedde4f3b1d5d2f6d1736dde63e07a0dba806c31c63d1d96608e859b2e0253bbd9ec64c742ca |
memory/2584-284-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2964-293-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\asQgYUUY.bat
| MD5 | aed6114418105733b797e7f47cb62866 |
| SHA1 | 12178c09aab5c056446f55feb46810358930ce29 |
| SHA256 | 1985c85b7afb20d6d53419a12916b491e70077b8726ef1652d4c342796fd41d5 |
| SHA512 | 64dbd790f8c6697df91ba6296d263d24a04e241166e982ca9b2ee9993897e66d9489aaea968071f01edb36e962e7dac4a92c3590e1dd182d78e6c3e8975eada5 |
memory/2768-316-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cKwcMEoY.bat
| MD5 | beb200f79670fd820336947986ad3af8 |
| SHA1 | 8f6af5b53e7c96e6d50ab7b40e6a6216e5cfe482 |
| SHA256 | 0ae81e7bb7d4f2ae463cb8d3956a7937c833f90e1372f3ee60f64cdf7d0a3225 |
| SHA512 | 30c0708f6542ac0a16100343639e6085c6f3566ca1fc77f0588cc9562ac3d591601d90372ffe94cc65f768fb6c55ccca9fb2e19e07e0ab63b43d4d851dfe7f7f |
memory/2860-329-0x00000000001A0000-0x00000000001D4000-memory.dmp
memory/468-338-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UaUYcAkw.bat
| MD5 | f415e8200481a1f9a952e91891e1d7f8 |
| SHA1 | 2bcef4a9f6084dfcbdb8b6c4298233e959b7cfc1 |
| SHA256 | 5b018408dab8096c898d135effdcca583528e4ce897552cd4c36b91a941df140 |
| SHA512 | cb9dc664e49e7892a22a2645703a804f3cf4c4d66d2159081f0dbf626f10d0e0357c93b2831089669b058005e97e1093c3c5a48d677ed10201f3a5bcb25842b5 |
memory/2416-351-0x0000000000120000-0x0000000000154000-memory.dmp
memory/776-360-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PqsEccMU.bat
| MD5 | b9fc587af9acd9855cf5f9e7919f5dda |
| SHA1 | ec9f1cf6e0884c17b3c17b94ffee7ca8fb651306 |
| SHA256 | c389aedb08786159e7eb0ce8a81cc5a5de061ef231a88c0b35527b9ba410683c |
| SHA512 | 914884bf58f79c4aa9cd63fba752c2deea2bc5fa7370b42d0e6178301bda38799ca722291f6db2935fcf83a5f616a62b66888bef3006c2bb0494bcdb1450aa90 |
memory/2620-373-0x0000000000120000-0x0000000000154000-memory.dmp
memory/1544-382-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vGEIssEg.bat
| MD5 | b05da2830097cfaa92c5b2299e3e00b1 |
| SHA1 | c7207983ffb4062b77e1799d037791a588561a5c |
| SHA256 | b5fa868e4499be4f39b20b6207874a4ecf90afca01a56cf0dd3bbf5f6b9556d5 |
| SHA512 | 75f74f498d12ff61029a9e7469ccc95ff9c76d3e21a48b4af4a27490603eed7f2cf8187215be46c549011127647f68b13ecf1e49706d816ac18958b396dd6529 |
memory/2248-398-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2248-397-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1764-407-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZAwEMIkE.bat
| MD5 | b208f750917f9e2ceb9f340b55c1e33c |
| SHA1 | c64175edb628648c86d17b3368b162a7e11dc6bb |
| SHA256 | f2709aa7da8662bab59d2ffe99186db3986bdef7a84993e4d99f74446dc6d78c |
| SHA512 | 3616de3548cc3ccfc248cec61b1e5cffd8686175cf870a69f6b68b5df4aeb7c04dfff13c57f1dee5c49455c93d362f4dbfae3c88684286ebfa9cc20449bfdadf |
memory/2168-420-0x0000000002260000-0x0000000002294000-memory.dmp
memory/2996-429-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OkwggEMc.bat
| MD5 | 14800b8df9b1aed365e9c2814e034892 |
| SHA1 | 94ef274bc4b930297326426a7cbf3454385f84ba |
| SHA256 | 8258a2199212340810ac4b01fa6ad1f7d39c5b91bf381282c7264591a84665b6 |
| SHA512 | c91a0cbbe691b5211a5a2bf4bf1fa9bd58e8b021959bc7a6de28db5ece1c52f9c2758fb7e9ba246b8c82d35b40be2863b357d3c9dfd08f5fa334090d0a4ea9d6 |
memory/2780-442-0x0000000002290000-0x00000000022C4000-memory.dmp
memory/2524-451-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kQsEYQwg.bat
| MD5 | cfedf7a706c59150fa38c6b0c3fd57b8 |
| SHA1 | e632adf2dc2fff580b4423b538949b84d94f70b3 |
| SHA256 | 3b598807a0b11155cafa04bae8b871add42244e2696ee78224b4d51bee5bd1e5 |
| SHA512 | b862ddfa2a155e9444eab9df2b425601be152fbd34a12f429827c550bb54c99f32e71280e15d82826ce27a2b130fb87c1de3153e069fea26e4e74dbcc6dbcce1 |
memory/624-464-0x0000000000120000-0x0000000000154000-memory.dmp
C:\ProgramData\XMEQoIQs\PWgkEYYY.inf
| MD5 | b5095444daf5a82fd44c75d01971cada |
| SHA1 | 9b2d78b91880d310fc2657c91367605c9bc4d3de |
| SHA256 | 048cf5e3d26d60282130b4b03fb5e96cfc310c91423dee58d77eebef97241d01 |
| SHA512 | 476db5d26d277496a2315b048418a804377d11300512ebaa6c230fb23f4bdedb66bee86f4328ed47a336a24de228682d1b080aa650938c1b19de395f8c5ce92b |
memory/2284-474-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gKQosoIg.bat
| MD5 | 6b1cb6c2a86d99f334115fa3e39cbff7 |
| SHA1 | 75d2e47bc6ec9b8a5cb52728bb08d1903fbbc085 |
| SHA256 | 10bf056da553c0aaef9cf3929a061205e631d8e50a715950cf8e9ed96792bf75 |
| SHA512 | 1fb1accd894e82d81b2901b08fe6d73e98ca2d226aafcd3db838e98c373b2bf3515b256d171188757e000258b264d177eeeff804f0ed55bbae3e684f3471610f |
memory/576-486-0x00000000001D0000-0x0000000000204000-memory.dmp
memory/2072-495-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yEsYAUAY.bat
| MD5 | fc286ec71672c3ca1b1fdbafe6c57fa8 |
| SHA1 | ec1723427f4bd1fbdb4c1638765e970a24316ab1 |
| SHA256 | f3b4e86e268f2f0b13ecc4f746e7e666615f8ee5fedcef77f8843b9638b22939 |
| SHA512 | 71ffbc87c42ae155be3b2adfe4b5eb0a16ee72d555d3b1cd53465f759ffcc2822cdd827a2b1e05e324c257747191c99fe10029db1fd566440e7cdf094b182cbc |
memory/2472-505-0x00000000002A0000-0x00000000002D4000-memory.dmp
memory/1300-514-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XuAMIYUA.bat
| MD5 | df5cdc2455d27eb3838342ba4d63bbc7 |
| SHA1 | 9b31a090ab62dfebe902759b953eb3c1b36508aa |
| SHA256 | 2af090121f14d562c6344ca230ba772db64fe8e5dde418192af6d0b35001df63 |
| SHA512 | 8ba737bc88159a19704dabe0e3615d71be15b3874ad264e06650948d46c5df0b83d20ed6e2c4da94bfc640a886f895200e9525b1a7ff6b9f5ace621c47854f6d |
memory/2744-524-0x0000000002240000-0x0000000002274000-memory.dmp
memory/2916-533-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DoUwkAcw.bat
| MD5 | c87bc08b176bccedc6146fb699c91680 |
| SHA1 | f389c1a9224727246cab350b632eadeacc5b1d75 |
| SHA256 | b144858793ebaf611f5504f62cc1353622bfe6f30d7f726b7148ae168bfb8084 |
| SHA512 | 5e72d14c7d9c4555eef4dd7061f74200f46538d97628f956913453dae0a89452abeb8a10f395969238c38cd37634a7d4fa786b7894963aaab5c59058aa46f37e |
memory/2360-543-0x00000000001E0000-0x0000000000214000-memory.dmp
memory/1012-552-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NMcooUoE.bat
| MD5 | 67a6a4b382a4790a07455b2db78c0730 |
| SHA1 | 708dd783105be498e6f87637273b8fb193cbe679 |
| SHA256 | 054b6343b032133db1980bb5ff5f89dcd4f7e8ac201121687fda5732b5cd76d0 |
| SHA512 | 1db2b262c715339cf4522741e4fd0bf6227fb10feaefad89480e0f9d5f989bf1eeb3a569deda29918e1ef3d5d438b3913ef5cfdd06acb70afc23d77e27c84013 |
memory/1416-564-0x00000000002B0000-0x00000000002E4000-memory.dmp
memory/2764-573-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PYUAYUMI.bat
| MD5 | 3dc47a33da92785256a39459252bbb32 |
| SHA1 | 54f7168e2f1abbf3f3cdbe686a6034af2c56d502 |
| SHA256 | a250c8cabd3a4a81c8c26e9f7fe8d599aa8a3cb2bde0b7849fb73c83875ae08a |
| SHA512 | 486fe5dae9b28f3cadc319cddee59918bba7c65c1841a7f8614013ec982ae5e3f82862db897789d43bf6a85f3148f9ec74dd6d932bc374aae7ad4bd9ad52753f |
memory/2120-583-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2076-585-0x0000000000260000-0x0000000000294000-memory.dmp
memory/2708-584-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1748-594-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1772-604-0x0000000000400000-0x0000000000434000-memory.dmp
memory/784-605-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\euUEIAYM.bat
| MD5 | b4c28170acdf3ba81a09e26eeaeb6770 |
| SHA1 | 9489a05cb89dd0dff35bfb76a622031293b6c1d5 |
| SHA256 | f371e0afc51ee112fcfe8662aa765509afac4106360bcb82dba24c3feb926325 |
| SHA512 | 7b2139d1b43432ef2a0a09224829c7857fadc3bd42dcf99dcbead31c81a4495eb018a935f0d9ff2309b7fb9bc6e0fdeda66821b58f82e667bd49b65c1003f162 |
memory/1256-614-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ciwYwgcQ.bat
| MD5 | 43fa03046a9cf8a7eecb716aff7c89a4 |
| SHA1 | 0709e8213768fcba5237860bcb86a5a072295c08 |
| SHA256 | e01b7436f66ed467731d8dff1b1837ab13f0dcbc0a6831e717703adb1b4bebac |
| SHA512 | 4022d2b71b6ec7760d375f8f87134c7887c69958b785ee2e2ea0b80e0d859dcc5a77a94c4c1c7a70a186dc74043a18ee36cf1dc3f8ffb6ba8bd9b854acaae684 |
memory/1692-624-0x0000000000180000-0x00000000001B4000-memory.dmp
memory/784-633-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CIkAUscc.bat
| MD5 | c44d0fa580cde4719590c5891dc800fe |
| SHA1 | 91f8b3bed2fc44ba7f52c5a5212aeecb794cf1c5 |
| SHA256 | 7830f2d306f0e85e1ca662674815723383cec81051ce176b81a23d0a792c5863 |
| SHA512 | 8d2060b3d1e8e02d15e736c6395158ead977957db78d867f995ade2273e4de16512a68987e3427d715715b1a80e248b2fda243cadd809c64b78d434e0cb83c16 |
memory/2428-645-0x0000000000110000-0x0000000000144000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mwwA.exe
| MD5 | 6edb7be53b5f0907a3489f5b120ebc7c |
| SHA1 | a2569fc7240540da4f6ce0f72fbc9a78d251bc81 |
| SHA256 | 59c4621e256e991d4b95ca1e1c16a1834b1431fd673b835ba91009818d406aa5 |
| SHA512 | d262a3fbb9bad4c8debfc1e88ca7a8310f4227b8ac2244f070a43b6ea1bd604ea1c0b5e8dc7ea3c26208afd25a759bd8d395c1bfba3787f70490266310078c8e |
memory/2752-655-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wuAAMsAY.bat
| MD5 | 708ca067249d8071841bb2c8c930292b |
| SHA1 | ff2fd8f656d99807fb52c6a274b5550239be245d |
| SHA256 | b6afc6bbbaf5daa22cf0b7f0b3670a6b3e8f0a3c4f1b44def9b0cf939083fb94 |
| SHA512 | e092917a1114b139ececd61fa8c3593dba56cdca6cabb30e1e6d28577fa0ddc2454642f8c6c7bc09d5520c63eea9924d00c28ca24ca32bb4c49c51c59a3e36c4 |
memory/1632-679-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3028-678-0x0000000000130000-0x0000000000164000-memory.dmp
memory/2576-688-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ugcMgwYU.bat
| MD5 | 8828c79b360ada6638e9109d2a527032 |
| SHA1 | c876def1c105ff2969bf2a790373eb7c5750f93c |
| SHA256 | 814228baa31690b5a6be51460834368ff8963e7e2a64430a3e4e747d01007ce7 |
| SHA512 | 5ed022c0466e483af403a54a949e56328be08b981ab2fca2155ff11fe235944829706366fcc9a517446d2d22dfb92b2215265ffbfa6b50e66f99bfa681b88892 |
memory/1632-706-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3016-707-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xwYwgYMQ.bat
| MD5 | a3b42e9994f41fd353846d667029aafa |
| SHA1 | 53d7ea7131e05ec2540274577b9da912545f7019 |
| SHA256 | 5fd65c4c36a0fb5e9fb1ee514434bf384df37d2aacb1c082e5b76237d05ba7ad |
| SHA512 | 00afe46b25c6db763ca6197056eed33f68cb8f0a7472891888be5fb9e8ab0a8054ad2e8868f1e8a29a8c583572a022b4ca8e8b564bd39c1d0044138ac1703219 |
memory/3016-726-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2044-722-0x0000000000170000-0x00000000001A4000-memory.dmp
memory/976-727-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\joQYUEwc.bat
| MD5 | bbebbf2a48806165a463a70a34222317 |
| SHA1 | aaeb20bb8045cc42f6294761fd482aea04fc437b |
| SHA256 | 658030eb78c700e797e1880c4658f7ab195de1601b603016234795733b8aa6bd |
| SHA512 | 263030a463f475bb84bd596c1ecf907a336320d6303d78001cc9ebfbe1c640b7d1fbdc8f41afb97cabc3464723968bd708e20b3f8081c9cb27535f3a0d95e3b1 |
memory/1000-739-0x0000000000120000-0x0000000000154000-memory.dmp
memory/976-748-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DeEEUIUA.bat
| MD5 | 4e10b35f0330c4b7c6ebd16c66a83e29 |
| SHA1 | 9a83bdcf6aef3b442ff2ad2d2d912986b29ce4b8 |
| SHA256 | a3f4756b345f8564f2afe1a28558ca22fce205188a21a5a55f01f4ab2660c188 |
| SHA512 | a03e00549323824ea1bc601858c59cff095a5c88b2fd048a53f5f7bf202f75652245e7d9d42eefd3f7bbf51221b5610f4af57e30153590065cae6863da092a35 |
memory/2940-766-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JAgIcUcQ.bat
| MD5 | 08148a9ff2bfb7d6ca4ffb30da8ccb79 |
| SHA1 | a67dfe3a08dc658a9f9ee2e6b79c634a86eb0c28 |
| SHA256 | 74adfde7d8f51d46e0ea8a4fe866f903d2c82634120e1567f5f672df47ff6bca |
| SHA512 | 09bad481507a6a16bbc20cc4f90095dccb79bd0bd1fed9bddeba0cc2a36ea24950034c091c23bf1526c71f5bd02b5bca62be71fcac70d2efb495af6346dfeacf |
memory/484-776-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2976-785-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aKcIIUoM.bat
| MD5 | 772165b987d34f731b9aa50f4bf98748 |
| SHA1 | ae3fec0aa7e18533e50df9daf6dde9364895846c |
| SHA256 | 01fbfa6c2f6f675214c2ecc1d8e295e62e153cc0a7c27641511f52bab2e639ae |
| SHA512 | 3744bfcf83e20ff087ca98eb4b3d7ed7cef423925cf22d5ee4a45115dfc37165749b60ddbda07c51ce6a5366bb81b0879a7bcbbb3717ca4c8139766cc1f7c25c |
memory/2672-803-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SawYQgYo.bat
| MD5 | 1499c8e466cb7d53cd2dd56eff120270 |
| SHA1 | 50be85e123ac1aa447a30408058d32cf7110c2fc |
| SHA256 | 161ec752554afed2cbf616445ce9139e598de231ddef7dff7a0c53f3375e0c0c |
| SHA512 | 518f880175109f0cae038a46091669e56e6d6a50a7fd596d0fd89e5c9306a6daf1a226f47437dacc4f9aa57cc039b6938e4ac4d42231184f3fcf56d118013c41 |
memory/2208-815-0x0000000002230000-0x0000000002264000-memory.dmp
memory/2092-824-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GgMoQYUs.bat
| MD5 | 6d566d6525c127d98641afcec9128dc3 |
| SHA1 | c765c718af9b3c9e025d778f0991deddcfcd31b0 |
| SHA256 | 86c0c0d0e51198856b14e2e15626ae83f2bcd031570789b45e81facd14ff7e6d |
| SHA512 | 33d012db6d2521b70846017ba732b93103a6affb3840c9204fb8ed37723b61fe3858f87cf359991a6f6bb0eb3deec4c7cf87616294348ea8e031addbd5e4d797 |
memory/1900-834-0x0000000000210000-0x0000000000244000-memory.dmp
memory/2224-843-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tQgcEUws.bat
| MD5 | 6d2ffa5cc6891c3f5e063c5c3872d910 |
| SHA1 | 91500e0429b5044ceef3d6caad0ab139aa92dd18 |
| SHA256 | 3a6b337c29c832076e7d0352febe99d6a0d774aac65f79654d8dc64db1fb095b |
| SHA512 | 8583e8bb26d8b9e8221edaf68103df19ca5ff86362657ec69fc12732289c99380aae2991ff69f24032a7da239b6296521ce9a17bf5dd8c3486129bd4f2296a41 |
memory/1968-861-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HksUkAww.bat
| MD5 | 518d0e0d69ee839dd333d1bc435c60a3 |
| SHA1 | e6ee7d1a8fced7307d3bd6d268387cb8df46a0b2 |
| SHA256 | 0f5806f989f4e89220c1873445c777329793d3e04faf7cc6321d447745c332b6 |
| SHA512 | 7e4b520ef149310c7618b9de9c444dac9c146fd93e9f3ce1f65de731972e47afab1a9f6e357262f44cf5b2575a0ef2f131f07bf80a7766f44bac3a012227b80a |
memory/1000-871-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2404-880-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NWcsMMwo.bat
| MD5 | 7d4e222c6359dfe920810418d19bf69a |
| SHA1 | 01b94bcb9efbb3a28e332ed3fbbc2a2274b14888 |
| SHA256 | 75bbeb1d688b8bde8b43ba15dc62aac172bc493fdbdf59c6d8d856a8f798010d |
| SHA512 | 20dae22320542057f4677a753c7485894d85377f3be34797876517acf9ea54e5c99fdda2b4146cc6b9c73a7d306154a27fe6eb1f73d59b1af22963af70b4442b |
memory/3068-892-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2616-901-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TqUwkYMA.bat
| MD5 | 57018e4fe99a536ae94a797a4ce47f38 |
| SHA1 | 62624cf7d81107a807119f8e9a938feecb22d07c |
| SHA256 | c8cf2e4a50adbc15ee0e8da9a4bcbdb2954c7a14cfbe86333db9256b1684711f |
| SHA512 | f85c660c6de6a3415286a5f9e99a134fbb0340dcc6d85a25c5c71219952cabed76f562d6f6ab547bf2b5dd526a5e52df977188d22c01072f468f771d4401d459 |
memory/2956-912-0x0000000000120000-0x0000000000154000-memory.dmp
memory/2956-911-0x0000000000120000-0x0000000000154000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PSogIIgA.bat
| MD5 | 730d41af2b70c7dde167d3251a6cc79c |
| SHA1 | f95f1bc8cd3758b97af7c4273d05bc964e54e01c |
| SHA256 | 3157684abb1b0212f819e4e2c2d8838d408808de7ff1dd5510edf1d14181ad8d |
| SHA512 | cb8285af2c6de2453155d8715d85d758c2076aa68ab52adbff46b8891fecd84540cb75b43706aebff75cc8ed2bb13edae4cf8fa89127936adfae52b97d41d3eb |
C:\Users\Admin\AppData\Local\Temp\MGgIssAA.bat
| MD5 | 178d96e98eb80a5926c9ebe7818d7dce |
| SHA1 | 90ed2211c462d549b4c39da863fd4fe8f3a7472f |
| SHA256 | 70fc87e4e3ab26fe4c5cc5f15a09ba3b38b585ec6445feb5bf7542f4f15af928 |
| SHA512 | 16c738a1574ce59997797cf61c7b209b1bf0d9b048bb498f815d2413366a3e225e6ffd71d1c61a701c64fb46bf44b5810bda7ac6581bcf3e50440c1b5929b756 |
C:\Users\Admin\AppData\Local\Temp\CcsYEMQU.bat
| MD5 | d83a15fff09cc769c0b26d34723e6cf7 |
| SHA1 | dfbad9103250100873bc50a28ddba813eed686b9 |
| SHA256 | 98d720262463ae229165957cd141fcfcab685091d4c44eefb66e9c76041c0527 |
| SHA512 | d2f5c1dbe4840946d90a264c16d0c2846a0cfa8fb803a9466820f4e6bc6173cbe9c0a8c705e89ce4779ed3baf25d7e91041353c1df799b55e6c30871a5258784 |
C:\Users\Admin\AppData\Local\Temp\skcAwIUE.bat
| MD5 | f9c820be6e1c79ac97ac9b399795829d |
| SHA1 | 7c9a6e19d2f62aa8a2175a3409fd33f3bbee9378 |
| SHA256 | e34df3319f9cd6dcfa2b09e4fe63347f58bda9f1b5519d974bc22daea67aa0d7 |
| SHA512 | 95234746fc0fe84e9a21bc2880c33ddda3bca97b52fad521f12bdaa66f8657e9d41e3d774f684f21435cde28356f134be1b7654cf03e28d8827af6bfe40f62df |
C:\Users\Admin\AppData\Local\Temp\ikAksUUI.bat
| MD5 | 71bdb1b9d5f8664d660c76a894e50606 |
| SHA1 | 04df07693e5aeb9a0ad6f07935eae26893daba71 |
| SHA256 | 3c9b3787874ab6773e8e2b3b85b688799a571c114f7080871a9c4c7ba129fde9 |
| SHA512 | 731ea83ac335f2f8665a4f4917ea1c0fe62d194e198f42f2addc67c0899ec0769cfb609dd841f9c2bdd795dacd2035f11aef247eeb03923bd140429c35dccaaf |
C:\Users\Admin\AppData\Local\Temp\fuEMsIkA.bat
| MD5 | d70d1bdfe30a4cf07e121f4b43525ade |
| SHA1 | db5039d5e3020953ca3c91a2640a0917a3df20c3 |
| SHA256 | b3f3d5431edc887be77512dded580a919efe324b462f6a50d16d5b5b56001469 |
| SHA512 | 1c1de5d5ead11ca59d2cb387252142c04665f323bc14069c3235938b8787d231a4893e154fe13a7e2b3cd8818cf0cd8794c4f79a32d888459e9a97b9a0716699 |
C:\Users\Admin\AppData\Local\Temp\TcwwIAoQ.bat
| MD5 | e4677e8004afdea61141fb29cd0bb069 |
| SHA1 | 62b32f6ef3975418f79631ccede1efb21322865a |
| SHA256 | 468cc6f64e8ee52c88e166cb97b9c75d1f7a2293561db161274f7758760e215b |
| SHA512 | 3e13a55fd8f557ded7ba5bec076dac7ca64c6eccfa4b382970614c4ebc721de3ec319ae3609a98a00501d966b336073e11c8904bb6c262e23bad4f4c21a4a568 |
C:\Users\Admin\AppData\Local\Temp\IoAS.exe
| MD5 | 0b042a08ae793f32e34f6290b5d0caa0 |
| SHA1 | 2874b9a0a6746fc47f9a99bbf69f8ae1f28a45a4 |
| SHA256 | 8dbabd93b7b4820b2ef90ada561a54c5abee6db2d3be29ae22ea71e8260b6d85 |
| SHA512 | 328350b38d5308257fe32fb3ea520e49701dc2e8c376133d3b4cb35ce2682018f87a9919f5d5827dff0e4a102925e00c133bb37153cc872857d517ff7e82799d |
C:\Users\Admin\AppData\Local\Temp\OIUm.exe
| MD5 | ad93d0360ef5bf3254b723d3818551af |
| SHA1 | cf2dea1bbd67658dd54976f2aa337bf2a76fe5bb |
| SHA256 | f194a7285af33ecdb71e03bdf2b701086aa1004783fc9652995d70c62188bc2b |
| SHA512 | 138f20cecad8a847d7bbf4398288721cc2cd11e1a662015a57a098b288b6d0d4639c32c05aa27a0d857ef3216995dae480c2ea5d16abca2a9906153b98149fe8 |
C:\Users\Admin\AppData\Local\Temp\mEQc.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\sIoS.exe
| MD5 | ddc7b5051e04fa8965989cc200e97508 |
| SHA1 | db9165e276033bf28d772bc618a1fe3c22c594cf |
| SHA256 | dd09eb8fe872fc1f28cc83f4ba398135fc37747f152a5adc4c40fc26f2c0897c |
| SHA512 | 13930843aedf307224012ad3b4755104eee040b26a15090a60fa07fcab9bdaaa74d2be502d7d9a2f44c810fafb8e2246826a86d550fd3e575df6ebef57fc6b98 |
C:\Users\Admin\AppData\Local\Temp\lIQoUIoA.bat
| MD5 | bf76b8a2c9e55af3c886b7123acca6ae |
| SHA1 | b6902fffb442639baf4f270499b6a6bbfe0583e9 |
| SHA256 | 93137a7634224a1d92fb0c0c2c08ffd165497a8b7fea3158bb8eda0d84024349 |
| SHA512 | 093590b626a328ba675a5d83b34e0766c36c0677b9a6dd5b93abae7c36c58cfd74ded50abbe12de9362afc8d4f8cc63424b8f0a9e88c2a7ecfd7c6e6e4ff34f8 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | a57959ab9e8f7e8fca06eefd8e96a606 |
| SHA1 | f8fe5187a528f975d8644d6f4103aef9d895dccb |
| SHA256 | 73672ba5ff4274876325a87affcc1c7b6a8541351b2bb8a5aaf1e9a6e87420b6 |
| SHA512 | 078b4b977bc60cbf7215e76d9c60241fd0a3b5d4455cf7036362157cd0c2b1e16b1edd9e1ec0e8b6786e61ae204dfb68a8ec06d3b34de1c9ddebe6b01e0eea5d |
C:\Users\Admin\AppData\Local\Temp\EMUa.exe
| MD5 | adf413ee1a77dafc89efe26c2c382b2a |
| SHA1 | 6996a685a96177b63789d9ff59e7efa6908b8ec9 |
| SHA256 | e705c3ff897a989972376dce1bcf3bcc9a1596330e52e27af7f36d3778c49bde |
| SHA512 | df9a3dea7f65313da7f9abb4cff291cd4910d68e913ab4a82e0469b44097e5442eebf48e43c14c5e92a301d9cb2b2a1dc9add14d4eba4f61552ccfc50adca922 |
C:\Users\Admin\AppData\Local\Temp\KAYa.exe
| MD5 | 6a799666aa7b78caf12168b684b0f6c1 |
| SHA1 | cb93806b1f78102103dbe064ed3d4f0ad235ee78 |
| SHA256 | 64a90fef57a99a571eba8a08928a307e35ff6f214bcf42dc52b9727134303c96 |
| SHA512 | b9bb2ba23060b56eca0a083a2f7d1b54b4285764a0c2247781a7cc4e60880d979f15d1f202b614ea4d3928786fd2c1d84f24b7640abe77e9610b13980d575ccc |
C:\Users\Admin\AppData\Local\Temp\ccci.exe
| MD5 | 219bfd6178e7a62616554f120eb10eb3 |
| SHA1 | a2d9c6224b2ce04deca80fa0d836df8c5ae91ed4 |
| SHA256 | bab6e84e46e58ba59d0814549dd8eb79936079a8abeadcd428d380ae4b956da3 |
| SHA512 | c94803c7e4ad43f3318778d609222747cb8fe1081f239d9570607b50e17fdf13db6497f56d95da73f115437b2293a4a2466e960982c6f60086df57bc9dd0bc3d |
C:\Users\Admin\AppData\Local\Temp\uAww.exe
| MD5 | 9394c1035b2331210ec4f939b8e6ea0c |
| SHA1 | addc9a90a373993caad8eb6d959886d7379e1b82 |
| SHA256 | 16cd608d845272655f4fd74b92a0e6e105b8ef8f714634063cef1999bd6f9d9f |
| SHA512 | 3a0be95dc3734421f73f2c938d5dd29ca46be2b2aa120929f5f4cf833af215c69f999eddb1868919755851388fbf3f630090167c81024464d0c47bca0ebd00ab |
C:\Users\Admin\AppData\Local\Temp\cwQG.exe
| MD5 | 8206ccffe2eee34212aa7c5828ba3cab |
| SHA1 | 5d7b81c30e13cde50ecbb5b8a7d32a4b1c08f271 |
| SHA256 | 0333229cce065eaa9544bd8aa9e5055a370ce66d28c02d6811e62a27ef4841e1 |
| SHA512 | 195fd0ae6c2944cc767fddd61d4cf5833919b3599fd400bd683ab73f2104bd9cb58037df189dd82d674b0f3ba019bc606a879261646866235c8fa36fa13e8d1b |
C:\Users\Admin\AppData\Local\Temp\bEYokowg.bat
| MD5 | 08fb2671ebef5468c76a385d68753dcc |
| SHA1 | 201175fd6b08b3e1b41415f5203ad6654bdcbb9c |
| SHA256 | e8d9ab7e39034a211c881b91e50cfab8807116b5e9c769505da1e2c66fc427c3 |
| SHA512 | caf431af0644be91b6fceda48ff2372e0e2b1b21d03cf8d1b0773ab2928b044bf27a254944e53af8bcd1b32ac278ef41a18d477b5c440943fadd74ff6ed470c7 |
C:\Users\Admin\AppData\Local\Temp\iYcC.exe
| MD5 | 90f97cf62493a9b49427fe0a1eb7a62c |
| SHA1 | b106dba41a12fd1f07eaf04f0271ede863cf44b7 |
| SHA256 | ace23736e7ab0e26b2b665dce68e95ce7a3da74eaf7e83f7b99f2f9b6c22600e |
| SHA512 | c4dac8c4fec4c9573a7e9186dbef0975304ce4db0f90b1b93efea6d972fb9e0ab01fc1efb62eb4b20bf017bf02ca7a1dda5264cd7f17798cfa883ef13e2ca26a |
C:\Users\Admin\AppData\Local\Temp\aEku.exe
| MD5 | 140245045406e0c99da06a84db0ad2a1 |
| SHA1 | 6de1b1e4ab2399063e47a5c0ce80468c0f4b3aa9 |
| SHA256 | 10891b02be4dd3b53b28eabcd96f0968d4a03ca3634798bfa7c033d8695117cb |
| SHA512 | b0866057681808ad1b3ba231ca95245d7c311c9d174fab07a38e53f26022f33c771f1be6fa0bb7b7f27c5c3ade7af369edb0c72112a2e52b3066009cecbab56e |
C:\Users\Admin\AppData\Local\Temp\cQss.exe
| MD5 | 78d7e982b2ea04bab0c112f54c1e4db3 |
| SHA1 | 90879af43488d14fbdb26fe95da041ecae3ad342 |
| SHA256 | d21bbb92bab3e36122f495fa16dc78fbd18728e6a1b38bdc6a9627707357999b |
| SHA512 | 215953680dd26cec2da32ee7ac7e211d5dee23b6839144136b2f1516addbdfa977d0b17d4018ac0b8454c875e7d9d9755e7a60164dd3be7c34f6574cf8312ad5 |
C:\Users\Admin\AppData\Local\Temp\iMgQ.exe
| MD5 | aab6b4104e332d15e5a9ac3226af6815 |
| SHA1 | dfc555d5374ab6025e46c3a00f8f9120bce914d3 |
| SHA256 | bd867c772de676a2efa443593ac16d168c09000013f472d51af2199e887ac36f |
| SHA512 | a466bdfbf946ae20021d83841d9e01e494a5920c40267b608bd2a21efc7b135d006f1fecd98779e40d209ded23e5298551eeead75be7f697ab3d1e583f2fe116 |
C:\Users\Admin\AppData\Local\Temp\AoIa.exe
| MD5 | d1e7cbdc3c07adb2b561f56cb7f1878c |
| SHA1 | f39bc83eb2a0833de53d49b3b14e5cf6c854a79f |
| SHA256 | e3e879d5bc67182c6785d3592c4241821954785ed381d072a53b41fcf67e31f7 |
| SHA512 | 1315fa6d1ac57b289a250c9b63587f0a3c76e0183b1a228300e647ab909a687849c5be549145604d75fac3443e48315c259bbd338e7e787faf665f958b51198b |
C:\Users\Admin\AppData\Local\Temp\iAgc.exe
| MD5 | 79a8ff620c1dc15bb1d1123cdcb9b133 |
| SHA1 | 9e29b7786551063481fdff03419c40b314411007 |
| SHA256 | ee810ed5a6d0746c400ec32d9f6bbcbb0634d6925082ad9f9026c0a0509cad2e |
| SHA512 | 20b63be637a8e3c5b24f1063db6b81cb734f35ec34bb04219fd4e009eb2bce5c5ce9323ee6d3c5ee5c287c0e1a80cf333a1497e080bbd3821647f9391494f24f |
C:\Users\Admin\AppData\Local\Temp\qQYEsMMQ.bat
| MD5 | 59ea281fbf9201b1983cfd344d83cc8d |
| SHA1 | 5b2a81fa7e829ce74625fb239f079ebb1a989d09 |
| SHA256 | a606552ba9785f9672fdfa1797564937d5996603ed3070b327270da9031ddcef |
| SHA512 | 944baffb784ef941df2317ae1e1188da7e6fe9c72902ecf722227af3a621c3ce145b18fdbd7a77b1e089db5e7d3a380ae6cd9c6547d380f2b068c959c9476e9b |
C:\Users\Admin\AppData\Local\Temp\QAgi.exe
| MD5 | cc32a5778c16acae0e331cf0d3313b62 |
| SHA1 | 7a9ffd9685047a7adbed11b303e1e0b38eb59954 |
| SHA256 | e8bc0a53ffb7a93a070442ce0b0f74ea1470847664562aaffd845e171d451794 |
| SHA512 | ad03f937ab77f4d09334b017d940acb15d003860639792eb7a0c19804e71c7ea44e889ba4f35f7134ae5430a0b025fbf6af6ebf95329b21525d0d676618e1661 |
C:\Users\Admin\AppData\Local\Temp\mIYc.exe
| MD5 | 6277bb2092958efe3f29c097e574f8f6 |
| SHA1 | 850cc67a555086f6b489bf74a11b534fb64d5f1a |
| SHA256 | 676c2dea6b9e852ec4201e565f6a8e539997a330cc5fbd7f68d446b48ce9db9b |
| SHA512 | 40a7f80a654a976c89c6517c2b0370b41f80a469be5dd472765d3786162ac35a726d790a93dddaa8cd4c4e811bdbfa3834bfaa76f736160f5aed4baa4b57d02d |
C:\Users\Admin\AppData\Local\Temp\usMe.exe
| MD5 | dfcc3de9e1de0c487905398f384958c3 |
| SHA1 | a95a48c06f274c06c5bb312961abe571a03b9bd7 |
| SHA256 | c4ff8e7577e5553f8c4deeeacd4ed1dd1535ecb5c67f8fe5fba9321d35a907e7 |
| SHA512 | 4866dfc651a1353b2cdfe07af3fbf9b9abc1dd06b638a973f5379e2422466a8df7667b813208d12ad2d83c64d66a3441b59790598c68a2de3af0fd62d86879a9 |
C:\Users\Admin\AppData\Local\Temp\qQcc.exe
| MD5 | 89952b0b2bd679952325c0327ca4d060 |
| SHA1 | 348d5e0e8a2c021445468a7f0ac0dd19af951f9f |
| SHA256 | bcbace1700013a11df77039aaaa1e865fe4d68d9eed4a086867d914122a7480e |
| SHA512 | d6acffaf7f11a947f09ff9293501e188b7c9d15e265a9109839d001fe1ab05e87695c65ef4ecf26b1c5e12d2faa6ba1935e0e293231334085f7de5b8f72428bf |
C:\Users\Admin\AppData\Local\Temp\WIwK.exe
| MD5 | 184942ffa3b7d00f5adca5eca4f4cce4 |
| SHA1 | a921de8e5245a5e59eb331416050af76f0081aaf |
| SHA256 | d844bdb014f91558ac6670fac0d6c8b703b7c12d7f55e0cf137019288370245e |
| SHA512 | 31b7952452824f81b8aa78063b78e70eef73732677f6e0300271a9e1b2cb626314e48f6f5c1a4270c16b661d0c9d1b2d26c9ba415ef9f449831880a59dc9bd0e |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe
| MD5 | 4f9849cefbb190feba4b5e7b6f19fcca |
| SHA1 | 86b67238ffc44d1184d8326cf724cc4ddb6a3aa9 |
| SHA256 | c3679769e3ec8dac1059e583961b19c8d1a2b5f0edb84a80fc3e2b310c468473 |
| SHA512 | 49be490595bf0f89c0b6a81d6a39c2f4e17a6cef63c67643c77eb6d2f7fef91600b7f935f37c67b36ca4d6d5584530365c8a9ca1ec83e5331ae5ee2a5924f0cc |
C:\Users\Admin\AppData\Local\Temp\mQwwQUUA.bat
| MD5 | c751e56f75204d124e86630ae46e977d |
| SHA1 | c916b6f413d6840f78021560d7b8e45458782be7 |
| SHA256 | e4c35a510386a90563715716c9f47f49e32e2c443fa9a8ab26415526f0202525 |
| SHA512 | 2dd18c87b5ffc87f5aec19c776ab71b47f86021819f49dc70e63ff588a68825a9dc4d2ffa9aa422e34af3032d2bce7a04907805a2a7d5070cd2b53f5a30f1d25 |
C:\Users\Admin\AppData\Local\Temp\yUIQ.exe
| MD5 | 202c04cd6f5d18541025e3fe98896d9e |
| SHA1 | a9c2049d4387e4a955b8c0ea6d53c98c83bf9a57 |
| SHA256 | f3c55726779adbe2b9d695bc53d22a3130e243b8ff68c2adcbe60d98f99d7ede |
| SHA512 | b578d1bef081a53309eb45ce594637d86a631e5168ded95900995529744b917950de9376cdd6466c4cfe97f73e70c0f1c2beea8f4fb7f96bd1f003e2713fbdcd |
C:\Users\Admin\AppData\Local\Temp\oAYK.exe
| MD5 | cbd2c3cc67c105870ee5fb927312b403 |
| SHA1 | 30bf268a083e4342e5914dc1bca0c56f0d71c935 |
| SHA256 | 2f83fa97232aac2640dff8f3517069219f02809f857b00cfd135d07421162ec0 |
| SHA512 | 75f51b1e208b21d6c0f437780346d87c746dc76b62855b4ff5980298a1224c088069acd456405cd07903256beec1f1607b528f94d99094651fd6d03656b00958 |
C:\Users\Admin\AppData\Local\Temp\IEMK.exe
| MD5 | 4e95693ea48882fc5e60efc5a5af5623 |
| SHA1 | c3620f41ec20eb96078fff85684d484fc1b408c6 |
| SHA256 | 5fa40e83e73768ee50264b05c016ebb4a0259513ddbd187f0ac478557154df62 |
| SHA512 | 5b6b5ee14a72b835192b3711ab234f9c87db5d2467847a4ca4a96f93d9d24219ee650c8a4010a4f45e4b3ad565961eae1a9b1d516fb2ce730e9dc9af0887e6d1 |
C:\Users\Admin\AppData\Local\Temp\iUQU.exe
| MD5 | 62e9cd89ec2ad43f9e053993a6723aaa |
| SHA1 | b213bf690dfa187fb4e84c5071ea26ff54dae0c2 |
| SHA256 | a1215ad26950ea9c9f4af7996df27039c792b1e7bc200bbcf8522e5d947d5554 |
| SHA512 | a2077c57d2ed96087d40205fe2e13d6d42431e09df9f9d429d88359b39ba3d7d5d4f78c2dc392aca61db29699b035bdfecee29bdf23b2cd9403519668fff3ea7 |
C:\Users\Admin\AppData\Local\Temp\OcsQ.exe
| MD5 | ecf08022afc78a3b8911e19aaef640f0 |
| SHA1 | 015383667684a4e48090e0d5d162a5bf9f31b284 |
| SHA256 | 5403f88851c78a8618f043d248a6f846179484783c0e40d50d0bffff17eac459 |
| SHA512 | 9a002ac87c972e60f505c0760c62e1afad8d0dc414c40be63261c70f6519da2e38d232127491bda0c0f7391fb4903cbab3bf15d9e99de25eb95bd4f0a9d82659 |
C:\Users\Admin\AppData\Local\Temp\aSIYkUgk.bat
| MD5 | 1127cb832d3ee169258cf5ff6e348270 |
| SHA1 | 576edf6f41aa89e4356ebf64a112a11822b32c25 |
| SHA256 | d28e7ee744c9d6f1e0aa538a0f644b44eb029f7155fddc936f84faf69027b088 |
| SHA512 | dfeebfefd64b75af643c1af0e109bf2ffc369e3f8b6f3583c399b9bf658d6127c96861daf3ef287b3704700051d5d7e433a89857b62585953420db0a33247492 |
C:\Users\Admin\AppData\Local\Temp\YAcs.exe
| MD5 | 3c47197beda901cfdf15612da6eb98c6 |
| SHA1 | eae12e5d48d076e363596637dae8d0482285098e |
| SHA256 | f7b3d50186df9df2da23f9e297f89eadd9b5ae7e1a880e5ef1c6addf4f7ed233 |
| SHA512 | 5eb994e93f741a791f6caa305f3582551b3dc4b49a8a864f122cf2f72e6e987da23b754bc6321fb9334be076f8256e1913e3d6d4734f325995d4f4eb5a771dc0 |
C:\Users\Admin\AppData\Local\Temp\Ykgm.exe
| MD5 | 7e68b5783edcf652a35080813cbbd487 |
| SHA1 | 4cd2c542e7719429651d7906752b78b875041788 |
| SHA256 | 2e00bd8d48b3ac678d105a0b4ef4b14ceff2d3a575b14117646c7f2960b0f6b3 |
| SHA512 | c403f1cac6ce998919a60e8a85f0ff5eb2ca6abd5636ab9a90a90e16ca60f24d1bbd77812bc2a4c5c75d587f09f04b39227a154c990c3d7ec12e2203a7227469 |
C:\Users\Admin\AppData\Local\Temp\AYEs.exe
| MD5 | 589fe3d4df3a110a0d74916673696e2a |
| SHA1 | 06b79b952eb59cdff255f2e3d3c3604850837400 |
| SHA256 | d07f44b8dee93a1f96d0a5d0dfefaf4bafeb51e5e05225ee18955b4ba5a41e32 |
| SHA512 | 35725b25222c4e31f4e4a11f396b33911d9a31b0000202843d288d044df7179783665c1e31576b85770bd3036e4488365a9176f70357198e1cddba992b6d133b |
C:\Users\Admin\AppData\Local\Temp\YYkO.exe
| MD5 | 11a899ba6a400a3079a2001e82e148e8 |
| SHA1 | 0ddb6754bbac0c6668365795c188073697d6c9a6 |
| SHA256 | a2dd1a751eb1cb419dcdc808635b049e4e491035118d1f3c5346e135b0a04de8 |
| SHA512 | 62bdfb25b41b7176384bd0d9bea03561fad7df8c64ff5c87c34f5f36bbe9ab7fc3179f0e238ad40399558f3eb98996e57e10998798cdad5c45ae44feda21336c |
C:\Users\Admin\AppData\Local\Temp\eOgIQAAA.bat
| MD5 | dd3f03cc6b392a11d6c5e2971fd6e29f |
| SHA1 | 172b707f2d9d43d6ed5140da1a1513b37452d2fa |
| SHA256 | 1493f4b57e4db0deb9a4b685f9207c381f98257474c4de249dead8703eb3ef5b |
| SHA512 | 5cebd2d51d9d195860d25348669b9ef2d8a26784333e78710a34ff1f0574216cf4534389a42605547a0a5aba16778f3559377d8329776052ac52972158aea39b |
C:\Users\Admin\AppData\Local\Temp\ssUY.exe
| MD5 | 6860b2c4804da0ede76578f2528e9844 |
| SHA1 | 4d4101fb5f84c64858ba4ed84b491defaa0be56b |
| SHA256 | f4a0080e5b2cab196139cbfbab1d9521aa2980c1da0ad5c366fd0aed41a97126 |
| SHA512 | cff49b2dcb8e5e3eac8c6f6fb1f18a463d3f40d32b4d8d1cfad0acc182e340541f88e4ee79998efe83536bdc0ba11dfbbb23176ea4681cf516d486ee7abf6261 |
C:\Users\Admin\AppData\Local\Temp\oUAg.exe
| MD5 | 6cafb8be31384534ebaa33b56d3bfa2d |
| SHA1 | ee0cb45753ee39ffd8f44a9b75abb01d6a5076d5 |
| SHA256 | e69f5ae8b7498e152f4ae579ca768f7bff7ee330409d4afe68e7efa5da8671b1 |
| SHA512 | 3c6d3a1777a40b5adb87f439f5fccdcd8dfce7c4d6fef6ce72a66f7fc678921eb15d33b74e5e8e7eeeef6fc59e8696c24cee678b7f33659bdd3bd05963b89d11 |
C:\Users\Admin\AppData\Local\Temp\Uggy.exe
| MD5 | 71f42d074697f8cf6128d72e5b51afd6 |
| SHA1 | 65da1451bafac053643c2e931a2be07eecf955f1 |
| SHA256 | a2215a45cae3a0f2a3a3da3d4962db2d4ae237cd5a279c1588d7c07bb009d15a |
| SHA512 | c35c18b38fca319477b204d8a59eedf6fa73f4f24fc9a16d3775ef51414801813bbdf3d1b3a2375d9bd1417ade8bf88c4779cf97f53d3c5edfbabdee7b703a5f |
C:\Users\Admin\AppData\Local\Temp\QkUE.exe
| MD5 | 216699ffc71751c4a0a7136dff41dc8f |
| SHA1 | f95a1c7a6bcbd4c3b663adb0c19fd00d3d4c16c7 |
| SHA256 | 5d92c2dfa9a75f39489ae434fcfd974875997423a4b3e0aedd4a3a8f24627d2f |
| SHA512 | ab056b54375d28e76b7bea4ddfb9973df46dce5fb34692652e1f2f466df9821f9a2ee21055471d2b6be470c6ecc9bdd86a6e785aa348ff4de7e1c674973017a5 |
C:\Users\Admin\AppData\Local\Temp\sMkYsEwI.bat
| MD5 | 31380a733e91f2d1595d82e3f81319de |
| SHA1 | 624d73298e1bbcde5ea6495607260f4f8acdcc2a |
| SHA256 | 91b06641078909d2aa2817e4fcf5922da7d4c8a62bccc702c2c88bcac47a84ef |
| SHA512 | 75e302e217681da0a223fcda476bac4765a647554997a02f5ca82d80c6e3f419454d62efd3e08fe9ed5882fb2f705dc633a07fe8d9525b1e98504e1a6ea9d9a9 |
C:\Users\Admin\AppData\Local\Temp\MkgK.exe
| MD5 | d36a876c5c25f8cabe219d3be8f91dc7 |
| SHA1 | 6bace03ba7e1dc5f6114d8ad6c2ec27620819aa1 |
| SHA256 | 1982fb2f041811573959a2b587142b8e315d71d3a3a1ecb30b460e69fc06e905 |
| SHA512 | e890450b4d6bca8bea91a7ad25dc5ab76f290ea926aef81552fafa1483167cd03c4d1325bd7b4e773c7136827d6496470cb4723d0887cd577527bb973bbcda02 |
C:\Users\Admin\AppData\Local\Temp\UAUq.exe
| MD5 | a3a7519f563970610e57878f4ab2daf9 |
| SHA1 | f3f98c9416ff0dd9788ee04a46b8b6fdbc56b751 |
| SHA256 | 17146dd8680b26d0f900a0e510a25989e4f4880f4c842494dcb0b368b7f18b46 |
| SHA512 | 947a0db10e3bbcdb1385cb71ad2c6a4befc224624c2b2a256b7e338fe0d7f0f2b38570d14c845506ae5cf785212f82d5ce082bbdb48246a4925f01025ee58a29 |
C:\Users\Admin\AppData\Local\Temp\EssG.exe
| MD5 | de71a5f4a0b8f879bc0e087fdcfe16d2 |
| SHA1 | 8733203f5c6253136cb19a65b158be867b8bb604 |
| SHA256 | 47443e2aeff96570c4e5c9e35c14573992e7f87c85150d99e44cf1cbd6861939 |
| SHA512 | c5c1bc583dffe521bfc496295e1533599f2cfcad6462e92650180aab01789c4969f457125cbe34d96171aaf220ee77e65f2cdf5c4f6d15edf3bc7bdc18dabef8 |
C:\Users\Admin\AppData\Local\Temp\WEsy.exe
| MD5 | ccd24195dad97d4a31b52812b335e016 |
| SHA1 | 59e124650b3110b8f33edaa7f5a1d127ebe126ac |
| SHA256 | f5f8251910dfc379d771fb7355d254a45f97487e046611d587a11169240eff22 |
| SHA512 | 7cb76c0f5afd81ce5fdbb7b04ba492939e12340080ecd45accb397e4b548153f5fc1196426e2bd2ba09f0508f909ced539f904a5b3acd6ad48e01de92e0796eb |
C:\Users\Admin\AppData\Local\Temp\CUYe.exe
| MD5 | 3a8d51260674071ab8901ddf61e06b82 |
| SHA1 | a6ce087d65571af81a79fb43be6e10d635c7328f |
| SHA256 | 9c3a980763c39f43d6587178da6d91ee4c1323b0eb507f01eba64d5032726572 |
| SHA512 | 645f6a109b52bb7e52a3c4927304da6277b9fa0604ad2c7cf3d3e2b5d4139f8de8dd7917435545bbb01c606af93b8f96382a95bd5faa7884128515b03bcd2e98 |
C:\Users\Admin\AppData\Local\Temp\TcsEoYow.bat
| MD5 | 00575bb523fb5220240faa979e03334a |
| SHA1 | 47f6abc1994eb0d799ad79f15def8eae4eb87513 |
| SHA256 | 9d6916a3041dbd6e58a1ebd2d111c2838359b8132e3a8fe105de903d99663afe |
| SHA512 | 00504b9c78c5a6d6bc5992a4afebb339858c111c9042eb192a9bddccb6d3542c81c85739135d2a87ebef8b92604140b57fa3ebb8d06e2a5a0ea48cbebbb73e5d |
C:\Users\Admin\AppData\Local\Temp\eIMU.exe
| MD5 | f3c2facc754f12fc8e5144da028665ec |
| SHA1 | 025032c6c9c2876fe989bb731e17ce29e10e7d40 |
| SHA256 | 85e4be7b33dcae467518c050deb2fb451190956fc6e93313c9b25efaec68d7dd |
| SHA512 | 012b095e0216e54da7e8f94ee740866db28e74a4ff2fc413e052f40102218c37e3ac9b52d0025f833183e8cf43165ee05ab03e6981b1ae6bb60e7f4504aa3464 |
C:\Users\Admin\AppData\Local\Temp\mIMA.exe
| MD5 | f847948c3f78c0ac49025c2aaaf3f469 |
| SHA1 | 1d3ea15dd561b77d6e995a5fd4732ade4dacb1d0 |
| SHA256 | dabc7cc494b5aea3c58c54922df71cb872e98bef070ce6fbae9ca9f88a626839 |
| SHA512 | 8cbe7ba0aec00aed5ebf83ee6a4cda55bbfcab6bb040e4a91eec316cc337a49d8c99e4a15bfa63cfe91880811612ffb6b457d2cfc48c5e6ba46cfbd00a0a0f00 |
C:\Users\Admin\AppData\Local\Temp\IUoW.exe
| MD5 | b81a2d93966c2d29e23f3a4b89a07d94 |
| SHA1 | 71f0849cdb99d1da9d8c2c474b760ff552ce2684 |
| SHA256 | 5039d8ccecd97723a160a618e52e8f602f95461c2b50d4f8ff016dd7ba7379fb |
| SHA512 | 16ba10511fc9634d256fb7208139dfbe920c45bd4fa7409810cc746d1df4148f34f020f4924c90117eaa17c9f0e944721a9abbb14e38c7ea94415ff451fa5f6d |
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
| MD5 | 588aa539657d9d07d20d5be893071162 |
| SHA1 | 4a5b15bf48fbb55be08af99791243b9fb92e92e1 |
| SHA256 | 272d3817f9605ba84783c482d962e58c7abe3435153f711ccfd6627d390be2c5 |
| SHA512 | 9ec2f08de6a51cf42005fda6c9e86995507d2070f5353131b152f274e1b57ff63ca093f965b03c45a65e88a07b28d5bbd57f6fd88396258d77a75368369134c7 |
C:\Users\Admin\AppData\Local\Temp\KoUI.exe
| MD5 | 823b12d3677d3f5906b3dc7904ea1625 |
| SHA1 | 6a741d46882ba234a0c107994902d686289badf4 |
| SHA256 | f0fcaba503ce53687a51175e9e9f253589bb5d2bef96bde365a6895c85d4558e |
| SHA512 | c75cb7bd30c9ed40715b41817be7e6e28610b3bb450434bbf3ae90fd94c95d7d3891bb6273c73c143713c5933683571422e357922a825017059a6eb091c62e3b |
C:\Users\Admin\AppData\Local\Temp\EkYq.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\kYIk.exe
| MD5 | 30bf64391ded4242111b42a2322ced04 |
| SHA1 | 6030fdcb6451e5774abd1085a3866cd330e903a2 |
| SHA256 | 6e227503bbeafa639dc1592e1ca23094882035a30b01cd95f2bd53e81d49771d |
| SHA512 | 032f56cb073972b24c770e6745f07ae13b40f30d428da00cf51f6ceca5c34d9a32048cbd21da0e60d6e5a3e4883ac7f44be34cff7f56fe16109d69cf3f35fc1c |
C:\Users\Admin\AppData\Local\Temp\lEgYQQkI.bat
| MD5 | 34a0908f8333c40220b413eb2271a2a6 |
| SHA1 | f2136ba8f2b05581a9fe99aaecb3c991b08c3959 |
| SHA256 | b3f8386ae41e4e3bf4572ce6ad612673b4dd738e4e8054368e2ee53fdefa7543 |
| SHA512 | 8bbe48aaf39adc17cf80095ff7c3ece60293d0fae21d711181da12138e0af79cd863ee5cdd275d2fc863c393ed9379e88bd3a0b26169855210c2b29039f56463 |
C:\Users\Admin\AppData\Local\Temp\sUEa.exe
| MD5 | a1d294d60cbf7a2c505e48c51a68fc03 |
| SHA1 | 6ac59e5efdb326a5b116c5422b3e90a415c17a19 |
| SHA256 | 30fbff0d2db196b4979742386006753e5fd07f1ed7b3694875b6f1ab7628a0e2 |
| SHA512 | b2e66d54fbf190715f50178d43c191aa6aa138006b4a5e2c55a5f946381556dbf7fd38d8da2596c7cbd26bb3778ef8854a415739035c85f53a3e339fc530f82e |
C:\Users\Admin\AppData\Local\Temp\GckW.exe
| MD5 | b2a5d9593484a5a2da0224bef339cd36 |
| SHA1 | 0870cf947b5788d05022aeea868c831dcffe62f5 |
| SHA256 | c40985acc7b99c125f7722ca6d9da631778d63d686c91bd8495c727b129ef015 |
| SHA512 | 30de502ba445053bee2c10a2b50be3fbbb7e823b8453809e7c71e63e6c9b838dcdca0940dcf30ac4ec22cc503665f7be94224bbc2cad4bd234bfca7245c689c6 |
C:\Users\Admin\AppData\Local\Temp\qEwe.exe
| MD5 | b8f67c5b02ec760a679cd97e6733fc3d |
| SHA1 | a93b4abb45696403b894e7b39759ad0feda29ab7 |
| SHA256 | 1b6ccd6a7d1f3a2a39825c6b3a4c94041e57f03fcb18108ecb0f0a865b64c49d |
| SHA512 | 1e4e5f26cf21762ea21fe2d2d08d52a6fb3ab6cfe79ec826210cb33b7320b0c2c153b4fa01f5bc4f8e0d6ed88a82c44c42a1a05d8f925a614ae8aa2342a61f52 |
C:\Users\Admin\AppData\Local\Temp\RGUcwIws.bat
| MD5 | bb44ba591ea2d03d9ceb65cd15eeebc2 |
| SHA1 | 57bce201826152add88b05f7002259b980c8f589 |
| SHA256 | a7443dd2ed39bd0330a6952dbd0d77d0d82721cf10085182f1126bd73fe34b6e |
| SHA512 | 29076354dd5119929bcdf02d2550744c772709233e339a8a18d293c28e452b1bd1a3f89194645d5dca9b10b87f00f170181b1608a6cc33dbb5573f38854b5806 |
C:\Users\Admin\AppData\Local\Temp\kigYkcMQ.bat
| MD5 | 49dbe6703242dcdbd685ecfaa77a21b0 |
| SHA1 | a40f382e0dcc8f7039f079c683850f3050650826 |
| SHA256 | c94cd0b82d527cc59d825548f6209968e52150dfb4c7a494125d367f715e17e4 |
| SHA512 | b99effe9d51ab5e45f9d5a6e0c3f3130cfcacdc25ad56f6ff56900efda2bac52ffd8f6ec538aa21b513ee46dc4224549785a0a7c13b625db6293c0602ee2a494 |
C:\Users\Admin\AppData\Local\Temp\yusYIgcE.bat
| MD5 | 9a59a97f756cd82f0e937320de068873 |
| SHA1 | 8675eb5952d0f96c3dde95c77501abd405899846 |
| SHA256 | 252df2cd26cf92a7aae3965cec5b246f64023377524b393f810c0bec94e973de |
| SHA512 | 13a780b36e9220c5fec738e53e98a12669d615aa29a77026435629bf211bba771678872d167466b7a5f412e34f25cbc9b1c2f3aeb727c9438b1a69bf522fd98c |
C:\Users\Admin\AppData\Local\Temp\kqwwMQwE.bat
| MD5 | 482924e0245c42657d64374f9f315504 |
| SHA1 | b0105357e81dd6e3f993655146d26528c44924ca |
| SHA256 | f0ae4133dc22bbfd4142ba9f426a8570c186ca4c47d9cd859891d8adf40216e5 |
| SHA512 | 903c3283f72956f5f28ce1fb81d2799aafd48d4d21d08044f3a6dc1f17a36c7b069dc3b0ba1f28d531f6d2b64a6d66b31db303ae01b4193897d6f682fe326b44 |
C:\Users\Admin\AppData\Local\Temp\wysIkEIk.bat
| MD5 | ed60671642fb9e0aa3406cd05273813d |
| SHA1 | 2020f7474767ebe378b8fae3b1da5a7afa97133e |
| SHA256 | bfad4d15202283f236e9b4fcda02e7f20c0c65f75be3e5d12f78527b63533a84 |
| SHA512 | bb6dba695a30bae274b59eed3cccdc5138183f685fb78a7b5a52adff2080689070409acda8bdb02fe742d3bd5269a6d6f8d1947b0f563389e25c4135b5ee2367 |
C:\Users\Admin\AppData\Local\Temp\fUkgQQUo.bat
| MD5 | 022862539cf2f9accbeec00d8963108e |
| SHA1 | e1b1731d3a470898c3f2429617bc0f3bb266938f |
| SHA256 | 4f895156c6ccf1fe6aebad61de03e6b835be3e458e2d267d670c9f6fd00077eb |
| SHA512 | 86c64f7a76a45f457e155b75148311dbb630b3467bcb4230e267f18d340a2650e89e24b0ccaff48cadce31e3641d57836f9ae7f3252ca3ab0c59b6f3e1927ea5 |
C:\Users\Admin\AppData\Local\Temp\JKQMosAk.bat
| MD5 | feb5129b8bac2843c77a47ee0922d6ae |
| SHA1 | 775420b91129844c2f65da7e26726293083d4eb8 |
| SHA256 | b401ff3160df6b9879cbe8f5c97e18f904026c96d2b56f5ab7d31960bf827b7c |
| SHA512 | 569f59dbba24325dfc3a26d8a144d894dacb9e0dbcd5c91f63ed15565a632fabb590be985c2ed4b8277095a3d0defe937670575616281f3e81f832356a06c5e6 |
C:\Users\Admin\AppData\Local\Temp\taMgoMgc.bat
| MD5 | aade23e12a54adfdf168c4a655dace87 |
| SHA1 | e67319c8581d264bc14072f1de007eba7b65c257 |
| SHA256 | 4531565c4b7bd638c7c802cc3eae1be413a4cca11990aa6687184eaa62084f8b |
| SHA512 | 90c0fb60e41e31399282b64e60733ada76d25460cee0d8c7475899d5b407b5ea15428d16b9736fb2d9c63bace824f8f26ed757b5702c09c0159226d6429d4fb1 |
C:\Users\Admin\AppData\Local\Temp\DmYAwQMQ.bat
| MD5 | 8a8fc0764c44cea0eaec4ed964a17a75 |
| SHA1 | 6cbfb479b261d55387a36485bac5f51688e71d3d |
| SHA256 | 487021ad64f9636ce00d78b14b54489d8715437ebbcb8c3fd5d7614eeaf1b2e4 |
| SHA512 | 249effe00bd2a410facfea8dcf46dc46da85521a98a17de90f223af08b9469296a744b816e1e137fc966681faabc504a57eb043ae274e3ea9870749efc2818a3 |
C:\Users\Admin\AppData\Local\Temp\gqcEYwYM.bat
| MD5 | 8414d2aba1fe758736b6d638ee37005d |
| SHA1 | 0ffaeb88ed42432cca8f1affde39158cfe093416 |
| SHA256 | fa270415eaccf667a4d51e1998c649c7a5f3c28ff89e27093feac65834881751 |
| SHA512 | 7b0605e2abfe29ba546cfb59ae657278b5a6576716c736c901d0b27aacd3a59df7a8c0dc5a599aa55c8f914af85715f8e622af7f810d3cc68a1f6a14f345d8d4 |
C:\Users\Admin\AppData\Local\Temp\msgskkYo.bat
| MD5 | 952bdb3b21aa0086b7008a62509ecf72 |
| SHA1 | b3d150e2b3737b46aeefc59614a7459075ef9be2 |
| SHA256 | 8dc321b9135ee4fbee83a304b911e871f83e7ae84d344bae6f464804f77b2f86 |
| SHA512 | e016f51a53c8582c43c3fc432f0dce55685b83989ab490fe23037f976fb7b6fc9d976b0b105ed6c1db6398eaa42abffcb4b97e1dcfc86620ea121d6ec850ee88 |
C:\Users\Admin\AppData\Local\Temp\iAsc.exe
| MD5 | ed93d25c7f3ccab78b1d44f666e1b5e9 |
| SHA1 | ca7edf04daa53edec2df5d64e3602479b560e172 |
| SHA256 | b620330d2093a9ffd610d88482e36e4db48d39e7e969def27fc162a3916d4eae |
| SHA512 | faf43a588332ae455f5abcd817f9f9b07b445e1de58ff4d0299e81fbe82cf28ef8e6bcddaacb7636c042d74ba8ad6c55010aabd4add47f2e1b47b252bece8604 |
C:\Users\Admin\AppData\Local\Temp\MMMg.exe
| MD5 | 369bbd1e59da61482ee08c09cad052be |
| SHA1 | 90b5e58ebeb0699fb03492d1d2585bcfaa08a82b |
| SHA256 | 02208c52a9fe36693bb2977f891782f38c0f7ac5257f1e79ef527a12e1069067 |
| SHA512 | a4a62af475537868681edea0319367e0708fe4b0c0372d7630904ea90eb29d65eaee13b0d9d194c7d764d1258292c12a7442665889ad9f88d3fb162ffd4c194c |
C:\Users\Admin\AppData\Local\Temp\uAsw.exe
| MD5 | c4900f7e9a3fce1feebafe04e0831202 |
| SHA1 | 78047be060acca1377f540b0ee6ba26715dfaa7a |
| SHA256 | b027f5a6ed785763639183681417cc7388d850c466482f7323bb7674529390e6 |
| SHA512 | dc3d18d45b31b121eeb471c15ac3cdd350b10572980e87776a9a4f02998ff4327c903019670153fd8677e8926803da291579640685d3709b5f0643f3cafbc821 |
C:\Users\Admin\AppData\Local\Temp\Wwou.exe
| MD5 | 6e4ce9bc65958824df9bbd622692fb5e |
| SHA1 | 3455160945de4380fcb7b93b20abb8c19edbd3d9 |
| SHA256 | 77885a016616a699400600d6b102123e7c979d7b09136e3f80ab70a71a105c0a |
| SHA512 | a088fe555eb2785f1f383e1c9d9fd9e1d9f22b00f0052a5b1d3ce248a43b143aabb5458f4385e32ae85ba116014818af230fabaf768dfd74832b45dc7f2dffb3 |
C:\Users\Admin\AppData\Local\Temp\SwkAQEsI.bat
| MD5 | ddd9022300e741b971dcc69ba2ec0a02 |
| SHA1 | 4942ea9e6f985b593837a7844ff12454843f6957 |
| SHA256 | 4e31112659639fef123c009cef7c0ca3cdc14e589f08753795638a9092a1b4b0 |
| SHA512 | 3a2ec977ad5502942a2cd8f9fc612fedc854bb49c08f190fc13221a05cd3151b3735db4b599608111b8144ed5223861b83525776c1e1add100f3ea0a489cc0a8 |
C:\Users\Admin\AppData\Local\Temp\Swcs.exe
| MD5 | d9d3b9b3972cf65e90dfaf5ada58e031 |
| SHA1 | 77a86733352f0cee35bc5b11ee1a5812a63ecdb8 |
| SHA256 | 8e3e95c0f72616fb1c184d9d876c530fa38e5fd6607a4f37ca9bb979c011ce8e |
| SHA512 | 78f54b8b5a655bfa8b917a64ca562e571f6baddfe32e1daa730e1c3b36f86e6a96beaebca8845c50e4b6d596861e3b3b52b66f4b229dfde4ac2263dfd63e6058 |
C:\Users\Admin\AppData\Local\Temp\MAIs.exe
| MD5 | 289450a62f8576b3175721c7bb79eef3 |
| SHA1 | 427448ae568f150f256c87dbe5b8844d33c1a18b |
| SHA256 | cb0ebf69cb782e1107b8297fc9eec8c0a43f6942802e18c843e1eece26fc6a4b |
| SHA512 | 4144fc1900bdc79cb260ea0e13e5eb0fa81acdd9d476ce684309a049aa5211c71bd5fd2e6495424cf0738115c12e4b64ffa1c147d32d1487a3417e8a635ef2a5 |
C:\Users\Admin\AppData\Local\Temp\mUAY.exe
| MD5 | 3aa378aa9cae1e317a91bf0921f48be7 |
| SHA1 | 8007efccbfcddc0e50353db4f5cdfca0bdaedf55 |
| SHA256 | b5dd5e8872fd835063eef0b30e994c9b02e4a11f8affa47c4860b940c23dce04 |
| SHA512 | ff7d9c60b32a46ebd0fd9c2bac7fad7d2ae9c53a7dd1f045992b021d063696f81da46316d9796348396e3693e121021fe1b1e6919ae988999fc19dcd8b2fa581 |
C:\Users\Admin\AppData\Local\Temp\aYUE.exe
| MD5 | 364db0e044e9a6dd461022ebf6892383 |
| SHA1 | 562978e9dab3a3cc997f3381dde30a619628491f |
| SHA256 | a6c25511ccb1527e56b31fbf27fde3b1542d6db7b88879cdce8cf3a626bec37a |
| SHA512 | f60b6f5bd91059a0d94e2e1829fde6f37ecd9de36c10317748de7927fa2859ce92c117d64aeca40cb037e353b917ee3a0b1e4a9eedfc0b167cdd620278285a47 |
C:\Users\Admin\AppData\Local\Temp\gkYw.exe
| MD5 | 105da8210b500f3df3792da7ead440aa |
| SHA1 | c91bf8ed9863abe357c31c5ff9185612f49b4405 |
| SHA256 | 8888d120e837f07bb345250c449f738595eb40beb0550c0447c9b5de7a7dfe71 |
| SHA512 | fd74c515f1aae3d5cd4a1fc5e321277d02979d3662026caf51acdd8c494a584345c6631302b46a7f800f2283eb5fd09385bc808d741911e82ab1bd77c19ea8cb |
C:\Users\Admin\AppData\Local\Temp\kocS.exe
| MD5 | fde9707ec9799682568bb89f8f41234d |
| SHA1 | bdb0f4e186ce089b0322c5a601799a305352c6e8 |
| SHA256 | 6cd5801b2c3f1f5b9a7c057ccd11db7fd08a90f506dfbe56efaedcd029027a6d |
| SHA512 | 6e60425d92f8a250b1fa60522f31c3b070a20b13e43211065bfb1736f277c303102cf382eccfd3646ca4ba4f2d9fff95a564485c0473c24df675534aa7c3dd1e |
C:\Users\Admin\AppData\Local\Temp\mYky.exe
| MD5 | 6bcfed8aff1a3fd07f0e89c35fbb8d18 |
| SHA1 | d93b2fbfcd36eeb37db4f0abd772d308f9662e9a |
| SHA256 | abc828fcaef40a31e40aa707596f94dc85fef6301e90eda4c622f6b61b82f252 |
| SHA512 | 38e80cf7dd0b00f8853e6125a73fc6d77fe9de0f2ccd910dce7ce363284076a8235128929cf645e5099242bd5ff6292caac5b14f695db0d244522d238553db5f |
C:\Users\Admin\AppData\Local\Temp\KEYw.exe
| MD5 | d9c40be5a2948bfc1b8036aebdd342a6 |
| SHA1 | 920977c566ae825df226910ec3faaf63d3502429 |
| SHA256 | c51e442c97eded0662167682295634b20eb1f45858d4848b15d96e583626ef0f |
| SHA512 | dee74fdf27b15a65f846bcc42072f1d71e415792fcd6e5a529d8686b534bd031630a7cb38ee312f12af3a435e41a5e55dbf6fc7f32273575b17ef6cf05624ea4 |
C:\Users\Admin\AppData\Local\Temp\yMYm.exe
| MD5 | c20673c9e61b20d17a3abefc9c7a9a2e |
| SHA1 | 70e6315a78fe24202b1191b6b8b1993fa01fa125 |
| SHA256 | b4c6f442fa15848423999a7c787d551c1ed81dc5cdb3c6c889a3a7b6c40d2246 |
| SHA512 | 205c38e8ead8273ecb41e5cdde1de9f4bd9b78b150d3fde11a6bcaeeea386bfc9acea3c0ab19e292ff0b31e84b1762ef674097dd3a8579bfe57508ae22211cfd |
C:\Users\Admin\AppData\Local\Temp\AycowEYk.bat
| MD5 | 48216b6bafdd21c7212408a6280c6972 |
| SHA1 | 4b61feaf9033b6b0127de9d83a2f9b48b70ffb93 |
| SHA256 | 282d95851453075e6bf7650aaefb720ceca96aee6ecfc4d3ef899889976dbe86 |
| SHA512 | 9491adf79cc97a86c9ad084c4059e0d9d5d2b9c921f9a59e1fcc8920f91caa11cd8969fef14d9f420d4a028797595739005dc33e4b8d03a7d9f5265e9eb19526 |
C:\Users\Admin\AppData\Local\Temp\usQi.exe
| MD5 | b07c29f538b9dd7e3872152349cda8ee |
| SHA1 | a52e414e7320293a946e419f0a799dc050be6d8c |
| SHA256 | 045e2035b45b2cf30732a9724882b19a60f8946820dbde729e7fd0eb9f8817c8 |
| SHA512 | 70c9474774d7a3db826a37ab890d20d2d97f79ca52a83510df1d51bab3d094a5c1614d0bebe73016210c8cd294d3c118bb68f17bf9ac82a1c8f5a8ca2a29ed6e |
C:\Users\Admin\AppData\Local\Temp\MUUM.exe
| MD5 | 7aa61cbc47e1dfd964fe9fc5d572901a |
| SHA1 | 4871e0748763e81eb81f1b9e978eeb422ad4fb9d |
| SHA256 | 97ed8572a091f10062fc70605dcf246439eb73aa5e79de94fe81207a944094b2 |
| SHA512 | 13688cff99dad0511eadd7c8dc11fd4f5239a3787970a731682410b60a9b536f1a6b98f150af4525e45009ee72bed70fe7f7a0a3ee900776f230595d94655fee |
C:\Users\Admin\AppData\Local\Temp\FMQwUsAs.bat
| MD5 | cff24c2fec69afdad915e76513016a05 |
| SHA1 | fc011fa7fb217db48af72669e0fe0f93ef6c26d0 |
| SHA256 | cf73e1943045fab77212ca437e3b47061dc5587f82ea04ac169bd68a5a74ca08 |
| SHA512 | 4d41bc0145db8e42572b110673a8b4aecff25fe82664cfe3f23cbf7e056d4705c912683f5737c13d204ec8be509d2d5d647f16656d442328fbfed7c6c7b35dce |
C:\Users\Admin\AppData\Local\Temp\goAk.exe
| MD5 | 7ff8cde4315680af213651adcffc24de |
| SHA1 | f3ecb655bf137b0846a51af6ab7d9ca29f4e8b16 |
| SHA256 | a40748ad6d2c6e842bc1b344de031cba8f19d4dbd80cfb3c9facd66adb038923 |
| SHA512 | ffc90573017c34e4f414bed69bf535f007ffbe52e1dd7cf3817d925ca6e75debf1ff6596155cb7ffebfe5045ccedc4709c1f799536f9b085ec0546fc72cbe747 |
C:\Users\Admin\AppData\Local\Temp\YwIA.exe
| MD5 | ed911272efa35ce3cff39452ff47dfea |
| SHA1 | 4b71793c004ec02dab5a46226da6edd5bbd7240e |
| SHA256 | fd724928be8dae1561437779e4d624c958b256efafcebcaad82c5255a98270ac |
| SHA512 | cd774863c6c2c6094925bd197d93c8d8642d442913493ef53ce41297db993e59332ded7c5c3a0b05b679f06fe3d5456e632e353e948157be8ff1358a40a3ca69 |
C:\Users\Admin\AppData\Local\Temp\uYkE.exe
| MD5 | 18d6b75cc82a5613e4a66649e77a773e |
| SHA1 | 7cc70c571073ae0d7415590c21ce9c582c0c5844 |
| SHA256 | 15c360e61582cadfb46c928408bfa4d97f9e040b92141f5f25e87887c723dc0a |
| SHA512 | 50b6f277c4543316247ec244282c88618dd632cd00ed6d5f2e99b2c35c27e4c5116258fe5a144302360173ca9c5f655c165670da7729160bd9806241fbf635ad |
C:\Users\Admin\AppData\Local\Temp\YcAc.exe
| MD5 | 7c6cf8679e4cd2f1e150d615dd502822 |
| SHA1 | 29ad5b18793a4132bd3d9b9c434dbe559a9881ba |
| SHA256 | 02df91a250dad89cc202037a75f7e6d8d15975792587d91625f68b7ef5d23401 |
| SHA512 | cce8e30e21e13d62b18cfd96d813246aec548ef5b3876898f6a2a9d1a9d5213bab1c40003651fb5166abe4aae53cf0c6ab52ce22707fd5186fbdf21f3032756b |
C:\Users\Admin\AppData\Local\Temp\qYgc.exe
| MD5 | 9175417bf8da830abcc6a1812a2ea49a |
| SHA1 | df334f4f7e79d0a3f4bdf81ce8f76775ce09016d |
| SHA256 | 78df00541c364fac08932e60aad293abfb8520cd0d2672e7f412be132cb56de0 |
| SHA512 | 6df61902fa59c0ee4ce5764bb651615261b7d79e6d363062c01c20ff94ad271c8171d28c43a7d59cb9c2f04285eb7f0e8ebb3f2585dbcfdd04b9ff059758df92 |
C:\Users\Admin\AppData\Local\Temp\ZWgMAwEM.bat
| MD5 | 65deb928648bd2987f2831c7b56ac888 |
| SHA1 | 945b9c467b4899a01b35560aceebd9efff7a56b9 |
| SHA256 | 1ec9318f18f48efbd9ab1761b8a4fbb7bd9fd71868e511815364e537a09d51a2 |
| SHA512 | 652ef25aeda79dec43313326cf9468e1763a1b382bc48cee19eb623535fda52834340118482ba174178f5cbbc38e7dc67d0bfae5b301ef404b8d8e6c6faa0d84 |
C:\Users\Admin\AppData\Local\Temp\KYwQ.exe
| MD5 | 779a86269ff9f9779ed47be1de43593c |
| SHA1 | ccfb9161be71ecbbf126fb0211c22b048ecdc8fb |
| SHA256 | e6e6e031e4ebc9e4b8ee73ab8b9fb3887002ce3a43f60819affb2237d347c87f |
| SHA512 | bb0ce89035980fd37883d730379ae5a6addeb385038a1bd8ac21e70446a230b0d484507e52f00b7bb1d24d4c1fba6c94fd6b4a4bf4b3a1aeed237569b45eaed2 |
C:\Users\Admin\AppData\Local\Temp\KQAE.exe
| MD5 | aa98e665121243e6ee6390247a51a5b6 |
| SHA1 | 24bbf0ba6ba11dac21da1f494d4fa29be7f34bcb |
| SHA256 | 91e8589fa2ae9d6070bcaea5cdb25b36f02cfc2dff43c6e347c5f0bebfcd8842 |
| SHA512 | 0807d44ebc130389eb5d91a422b69cc5ba817d4287cea7ef5c31aeff81fd9e652212efbf81457c84580660b1a7e3a60e4d3378ed4805da025521797463b4325a |
C:\Users\Admin\AppData\Local\Temp\yMUI.exe
| MD5 | 754abedfe2ac2e226f4760dfd43dc6a9 |
| SHA1 | 57ad0f1f5776c5a1c96ab583fa985f4a4be7524a |
| SHA256 | b1ff94a52cc6ba862a7e3dd063a70f5545d547a7e11295f54cd510d4c3908914 |
| SHA512 | bf7511034cdb3181baea4b8df9d24251beaaa7e35c5f916c76f5fe4e79f0be83cadacb05728f9b4aa1ea81ca068c6c8705aff9fb91e480e614a9b6a35b508937 |
C:\Users\Admin\AppData\Local\Temp\QwMS.exe
| MD5 | 2fff6acc322ff23128fc6212a55446e9 |
| SHA1 | 0592ab5ded3aa519606dbba9dafaf5d86bcc1395 |
| SHA256 | c9ca629eab676122fb7287f5e14f53599d059ee1109f57afbf8a67ebaa8d3b19 |
| SHA512 | 65e5dbcf5d46a0d8d2e2540b96b4b9cdc0dbdd9c2c8461f2158ab9a6be683be017b6b389df32d8b447475f67c912b0380d5bb4762f4d8d04ddb8d5eca394fb4e |
C:\Users\Admin\AppData\Local\Temp\OQAy.exe
| MD5 | 5f0b894c792fe10c0cef033c7cbd4f97 |
| SHA1 | 008d2706eb10679570498bb626c419df82fe44e1 |
| SHA256 | d829b7706652c38c4ed1e5a408e45e5302bc909777b6f100560a3a16eed6e8d1 |
| SHA512 | 7cf3ee9342c480d827cb1ee098c3d7c7cd5fa531a89a943f878540929b13eea254fd2358a681f3e80a1c1efab5cf0a4f41596f3cb4adb2a0b784890bbb101683 |
C:\Users\Admin\AppData\Local\Temp\hqcUsEQU.bat
| MD5 | 9ac8d848d6a440781ecd8c371ed885f5 |
| SHA1 | 511d18e04b6882aa2b4170545af568adc63658b5 |
| SHA256 | 5ec2d3c207f83937789ec9d50a19f4bf09f803e388cb93cf6ed951814c32d5f7 |
| SHA512 | ebedff8b41a4ecc92af4b8ce7544d2e55b6adc388f58c482a65ed144d633df180bfaf1d1d0ae19bc71b84f91d331d7044d2e2fd455c9b49211aa23d3c85cfbb2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe
| MD5 | faceb7f26dd1652bca9e39c88b702f1d |
| SHA1 | a6222c62e654e0ffc8cb666fd8ddfaf666d49e33 |
| SHA256 | 375094ede4a7d9597f2382893d4f2f4b329c252ee2840ce5e36ed4e469030c2b |
| SHA512 | 57e19476661994ccdb78860aec43a628c1ec7a3570c0134e9ec5ef0a05eb3556acc766914599370514b0aef9d1937f243a3330032211c7c9933c14b75911e3aa |
C:\Users\Admin\AppData\Local\Temp\wAsa.exe
| MD5 | 32e7f040f98e6b1300db8b275ea71e4f |
| SHA1 | a1c0c370368657d4fba171b97363ac9033a95259 |
| SHA256 | af510b9da99b9a61a40a878fd9929ccdc506e22fff5a409c3a9cb66b8231b2b0 |
| SHA512 | a32ef8746469350ff5f5540645c7acb21c51dbb284d003a9e79110d9ce1bf958b3e08d8d7a09b069ccde956c78154efd8d5d2bf53863558aab30b42fdb4708db |
C:\Users\Admin\AppData\Local\Temp\MEcsoUEk.bat
| MD5 | 4d0d254faadf21586b34dde6414d89c3 |
| SHA1 | 965fbb7208fd4f19b40ac9b518cd8aaaf3df642c |
| SHA256 | c43db941b0f7c41931e2044fb93616b7b51281deb0cabc98a6fe6e19fc6f66df |
| SHA512 | 610cb465164dd59861f7232fdc42a7f2f3cb22650592966c4d33f62a86b02b9c8aca745b21452e1ba77304df70a8c864ab4683858bcba7aa47aa8f5e15571d2e |
C:\Users\Admin\AppData\Local\Temp\AYQi.exe
| MD5 | 1ee93d2f4ecb2ce6e4bc996dd32a8cac |
| SHA1 | ffd998d1e6add3c00e5633e84c10c83e23249e0a |
| SHA256 | f4e1d4d82c15166d2c20dda81e76db382bb999a869827b082321aae5e8dd9983 |
| SHA512 | b589bdb6d86853e2e4d540c1aaae15a3a505781e825d70e157ccb935893ae8c06f2b7163a267a8499e5cf565c84bafaed1d414560d779f7bca4c377d71366c01 |
C:\Users\Admin\AppData\Local\Temp\QAAMkcEE.bat
| MD5 | f0475aff7c427c54bd3976ecc61e24bc |
| SHA1 | 62eeb86e19e8c048c01ec02c6a328c46792c4262 |
| SHA256 | 977b168e223d403a560e817afc0c92520145b293cdb29946c88e6145df395eb4 |
| SHA512 | 21ed1b4c54e4fbb0f72c5dc4e76234b849f04b9858fcc580082a4bc8824e2ba903abd1020727e2a3ffa95800e648d3617ce0543552ebec1aeb97bd5c8e4eec4a |
C:\Users\Admin\AppData\Local\Temp\CYAW.exe
| MD5 | 751efd040e3527b803be6d11de57c217 |
| SHA1 | a9d0935e22cb1aab088a1a6a93f5ac1e17c3d3ec |
| SHA256 | 9080d8feb1e32c964b7a165dd22cce2e6275f45b751a3abe39fd379c2c8956ab |
| SHA512 | 60a1322745d13a677f34db3b8156d60582e6d66356566c1d3e4d8be9a5227ee9331f1ac9bff068b4251d4880faa37a4d8748f9ade87315a74e9d0da1510e9062 |
C:\Users\Admin\AppData\Local\Temp\gkQQ.exe
| MD5 | 2bd7e78f97763f2a2fe1ade1b23ef8bd |
| SHA1 | d04e8b8a6c7a69c892f84d7853728b48c68665ca |
| SHA256 | e06bc9d6628a5b88f804dcd4ac79aa37b4abfc202c7b7dd20a250dda9ab38c88 |
| SHA512 | 876db18457b54f9d40dbe73ae3cfc418d94752b91369c489e880f49d267b35679de35b11b96ac039a65d3faeb174fd1f1c3aa6c74034f5a0bf863e7ef5c5272f |
C:\Users\Admin\AppData\Local\Temp\CYMW.exe
| MD5 | e1792ba8e5bf18c9748dd6217a390d60 |
| SHA1 | e8cd64408d3a28786049edaeba3188f711f392b0 |
| SHA256 | 1a451a3bdc0018008443cc1b8d1a3f211a0173edb494f21d3a5e101ea08bf9e9 |
| SHA512 | fd4f55c5104e485dbe3f62984f54f251adb29bf71a0920f56db2c57f83d4d74a214629d8a864d5087b37dcd4ca8d152cf0e67b1c64c86c5b960a9247e7b7a8f8 |
C:\Users\Admin\AppData\Local\Temp\eIoU.exe
| MD5 | 8d247d2d356d4ca475f382f0f73e910f |
| SHA1 | 7b8fb4190a88c770648afcbff041dd3856224287 |
| SHA256 | 7f19adce96c59a829f8eb6af853fcb7316009440d5a824621aa123d464a8029b |
| SHA512 | 6e3acd22efe56563207776b6a87fe95449cdb42aa9544f1e812e42278f2481de91b8615c9dfb2dba51e098333805d56354c3263a4ce3e9c5beaceff966c57f54 |
C:\Users\Admin\AppData\Local\Temp\uAso.exe
| MD5 | b262a00c9456f217252721a0d8488180 |
| SHA1 | ce8e5ec3307f5f323030042c00d0a8f4dc0d0472 |
| SHA256 | 4dc3f05ac637c4e66604b955ca6d277ef53e69ed96f8302d5dd5c100190c3dbd |
| SHA512 | 39363fb6529c73931b21a4e18735189154407050604882e964774f9a2d5d5bcc861780c47f378290f66d2c4711896841d07c4b53243f06c8ff4de03a3ff27444 |
C:\Users\Admin\AppData\Local\Temp\YywAksYE.bat
| MD5 | f719dbb4537fb83a6e9702a853a31379 |
| SHA1 | 6919341e9f3b6fc4d64eed9ff9ca37bf5128eea9 |
| SHA256 | 4d121049a7f88ea67506529d41bcb42ccaebd7e75e2b78e0d634a441831e6718 |
| SHA512 | 1e4724911368d79b44491cd673bb0b4b8b6c8ab042555e06c09b26cc58e0e8bdaa5752e8ba4453aabc22ff07b2c21ec896771c863fac618260c89f0c0e2a26a8 |
C:\Users\Admin\AppData\Local\Temp\OEQg.exe
| MD5 | 2c5a0ba98057923026db94361b87b2f2 |
| SHA1 | f7628e99521cf12f4bae19a078619aa03649f6b9 |
| SHA256 | 40627fad2475192be4d120178cc3120499b6f69c5a73cfbbdfb187da5fe7aa66 |
| SHA512 | 71ffe6254032cc13291bdab7a270065bcfa3d0f2eef436748f1a5e7b2582c2dfec152171790c833a1ee7277a1328326615619f596446d4fc3db3ce7e9c8bb499 |
C:\Users\Admin\AppData\Local\Temp\EQAA.exe
| MD5 | 91c40802f53300071d1d3a76c6e77e37 |
| SHA1 | 730119343585235826408a39468280ffe19d5f08 |
| SHA256 | 3bdf6d938a1642e04df331eff7df51494be91a0d300ef2ed4183b4e021a14c4d |
| SHA512 | 29861fe93ca6aaed6f45fef08b648e285bd3985ecc9a2e61c49f18ad3f331e04da05623694c5f14138a109af122e39c7393529e33552bbad3e9bdcdab84fb62a |
C:\Users\Admin\AppData\Local\Temp\kscw.exe
| MD5 | 7ae8cf460d1e6847e774c3349916c45f |
| SHA1 | 9c966f05165438e2a29e5e40ff60cfcde4fd8f80 |
| SHA256 | 093c262042918ad228db00f61a6f2fdd59a6ef2e4ee414794b2ac7c065339f09 |
| SHA512 | f222807107a5dc64f5d8f563093b813101bfa91cd9f54475e78c735cc6c10d0b17732bee3b10724314baddf21694e1c391da02d854083f2bd3a7a96f404cd294 |
C:\Users\Admin\AppData\Local\Temp\MsEe.ico
| MD5 | 97ff638c39767356fc81ae9ba75057e8 |
| SHA1 | 92e201c9a4dc807643402f646cbb7e4433b7d713 |
| SHA256 | 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093 |
| SHA512 | 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46 |
C:\Users\Admin\AppData\Local\Temp\aIYggQoE.bat
| MD5 | faf3574e9bf7254889228765cca2d90d |
| SHA1 | 833ee708053c6c84cf008eb089eb604c2c2a6236 |
| SHA256 | 16c77cf1c28af7a402dd1a0e767d571834ac42ad3d4c8ee57c1a7bffab0d43e9 |
| SHA512 | 18cc2183275d7db6cde77835c60648ef2d6d178f67189c8fd546533510f18221bf912fb7f7ae299697854366c2af5886a46be816d963503c2c7e4bd9cf1d2260 |
C:\Users\Admin\AppData\Local\Temp\QkAi.exe
| MD5 | 98dc4b0bd656a3e93078e222ddbc9a32 |
| SHA1 | 1413d43e41fad0f50d707313d9d3cf8a4e500948 |
| SHA256 | d6c025b85af07163037ba19fc5a018af7ba509dab0835aaed34fd04d8d1c0e20 |
| SHA512 | a2cb631e78e0ee2c0fe0d00b0c0e3096d05666e75689b33c5476a0b53e446655a6b420c866f54f4b8b15c696c79897cdd64e4325fc8483b23d632cc53340bdb3 |
C:\Users\Admin\AppData\Local\Temp\YMEQ.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\AYYM.exe
| MD5 | 4c25175b85502bc0e55e6d672110aac1 |
| SHA1 | 0673e986a9bf38827afae5d1e86f4d2b20420ef0 |
| SHA256 | 0e31d1011a70ad36d44846a6b4cabff68b0d35dd5cb24f2eb2887fbb618631e4 |
| SHA512 | 1ec9fa6bc8617725930ada7e5b2a0ffb2ab5dff720d43a1dd7ec5b968ae5bf35186434202dfab07012795fe50c374152d34a6b41aa497e518dd9f9d869dca140 |
C:\Users\Admin\AppData\Local\Temp\owIw.exe
| MD5 | f17f9c77888e56ad45a7b8a4f4e77dad |
| SHA1 | 2bbe128853a825c8e8520c718736d6c312ade29b |
| SHA256 | 6ec0d1c8ad2d3832567177dbd3f0d9d29b4b8686c94f5606bcdf43efe7eb5510 |
| SHA512 | 76916671df834915eb406939b0ce601cbb0e87f8eca2d0a8a3fb75490a0f813ec7f1696988e0aeef59a4eedca575d367056e4fbf58afb6fa309af7110bb8c72e |
C:\Users\Admin\AppData\Local\Temp\aooI.exe
| MD5 | 3115fc3239325a8bc51dd1a33b2e0afd |
| SHA1 | a5ed69f2a388705c3c1869703f4f207c9ba4f372 |
| SHA256 | 67ceabf8fc64c7bbb978b702c0dcfe359a17c8453b48b8c63a7c5c388fa28fda |
| SHA512 | 5bb7e3ca5490c14830fcbb0ed30c9bc83d35b04466b6b54e6446697d586ea11dd4848176095ddd72d5cdc547d6868ce77694d9947cb68f0be38795d554b44111 |
C:\Users\Admin\AppData\Local\Temp\QQYg.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\qEcK.exe
| MD5 | 127ed47732dbe630d51ad26b5ff63b71 |
| SHA1 | d75679604c5cf8f223a6ab83aa4f03fd51b708c3 |
| SHA256 | 17ab7e4375f133261272fcd8def6b2fe31bc1df28b4db4f38a10609f685857e6 |
| SHA512 | 48a38d574376046e513962f8fe7c1acf439f6c10004ceae9b273c7f3823cdd11350d80db397e6d444c63e006bd2cd9c75cae6e53822e67e577133958872f1e58 |
C:\Users\Admin\AppData\Local\Temp\rmkwEkEc.bat
| MD5 | 3ce037b4737c4ac73bdeb2c33aefc97c |
| SHA1 | 11b4447080878767378099a0f79c323a38ae9a69 |
| SHA256 | 6d063cb77565fc6e7b3ea0fa3cdafaddbc783e2ae7dfa65165b965671b531be8 |
| SHA512 | 3d7cd983497ef74163e5737853f0aa4b69f4a56a94d6bc7ef59d5d636e5edb989817ca1f433b90cc3bc43699fc8777a379c10ffef532975e10dc0eaf1b3add79 |
C:\Users\Admin\AppData\Local\Temp\yQUM.exe
| MD5 | 38239f62b661d8eab6fa45e8ddd24256 |
| SHA1 | 1457d09b9511101f1be84777588e57e2a1571529 |
| SHA256 | 7923c25685301a1da5fbb105f801b5d62690e521feab4127d2e3712cfe50b3b6 |
| SHA512 | 233a264bf5411b8b6408e47b0c9e760e9b7ed867a1765d0b5984195e8498e4da554f33b6b98e77b2c4ce110a142ed50910d466f1ae4939c5e06e26406a2e16aa |
C:\Users\Admin\AppData\Local\Temp\Mooi.exe
| MD5 | 37f5ab03de9bd55a49e155bebb9191b5 |
| SHA1 | 792e553a9bbc060c50330b7348974ca2a211a894 |
| SHA256 | 4021512018bc0b9e6e0fc5c2d4e4741e9570d00768e1eb442b7f684ae5801e87 |
| SHA512 | 2e130242c3a48706a814861a488f6d2391eeb2291683d3241e493b03d7b774be3311155bb28745198f4a9d284a7ca11a2bde2d3d0bfb940f8344a39f8042b27b |
C:\Users\Admin\AppData\Local\Temp\EUYY.exe
| MD5 | 7649c3528836617f1eb3e380e0b208a0 |
| SHA1 | 78f8e7357b5f88709a0ee4fbf0b2b208a41124d5 |
| SHA256 | a3f81c7cbbc4e2e1364ea212f4c4b86c1fa8c4fd7b6b2f0a51479dae08d2d0e7 |
| SHA512 | 939a45d85e70ef1068d76650874470e19c9c8fcd4e08f02a031d495352a338404dc313baf849c8c7fb1fefde9f9b4b88ab2038ea597cb2813948cf1941be63c3 |
C:\Users\Admin\AppData\Local\Temp\ywEA.exe
| MD5 | 1185e0004ca95c93a1d612d02863214e |
| SHA1 | 5b3bb5b59842816ecc61f1068a4f42c44ab22868 |
| SHA256 | 53c02cd008b3ba5f3ee87c23477f6d800b1904ef5e61b594948dc02ce0db98c0 |
| SHA512 | da833d08b0589fc0c82d3ffe5f040aad35b84617d15ba4db4f1eed7d36afc5a4a8e2f2a1612460893b6a7244fcb0ab6406153c3fdafd7931aa402c046e0a7a93 |
C:\Users\Admin\AppData\Local\Temp\aoQW.exe
| MD5 | eaf6aab472d7e122977aab46400019b2 |
| SHA1 | 6a6961acfe993020bb84f6ce373a31873779a3d5 |
| SHA256 | b333b2218ea965c747c921c42abefb7a6e5020e7bf2eaf72b338204f9367c1f9 |
| SHA512 | 1eabfd5ceaf59ae46e1a05d2b5ec9ce0ee79f4f7621814fd70ab7e1676e7d942374f87933ebaf709f5483a78a66dc70e596410b58e6262f386ff5f1508f94a12 |
C:\Users\Admin\AppData\Local\Temp\ZWsgsEkc.bat
| MD5 | 9993fa0f9a23806db21ce09619f0cc70 |
| SHA1 | a34e52573a26f9311b7d5b3cbd99cb779679c717 |
| SHA256 | d4a60018a03011f201aa6e3ffea317e3f71b450432730a3ff4e57ae4ef31f2a4 |
| SHA512 | 522feeb379c5b894d5fad20153df5e124130ed93b9af55783f4a3913362fb40c50a5afd067a1bb48f924dde77ccb5fc222f2ef0197ca61489133571fce0ba550 |
C:\Users\Admin\AppData\Local\Temp\ugEG.exe
| MD5 | 411983e98e3234ef90027add0b602e92 |
| SHA1 | 77612729e1aae2356e27ea4cf18633d3b6205e69 |
| SHA256 | 4fd966e01a2784d2b4cbb483fe9221f73248327bcdc295fd046296bf847382a7 |
| SHA512 | 842f77311433593b4f972f47d06d489a1b61ee963f493be06a8905eaa79e1f6f3f416093ff76538006d961d29924b18025fc3b2167bbc137a7c88b094b529343 |
C:\Users\Admin\AppData\Local\Temp\EIoI.exe
| MD5 | 70709d0f17d458c48e22eee34a57e796 |
| SHA1 | c91f9f5e21957db803efd827edf3cbda7edad2aa |
| SHA256 | 81511b0c7ab9368301b25bd81b2146f54a23eb3d4a137a89016b0a8df2ca2a24 |
| SHA512 | c35c30a1f0062757fbc1320c49391076e82f947b17a56153024132c8898e9d6e5a5bd3e8b12af18f3790c3d19e411d1549153b38abfe11afd14cf096d2903c77 |
C:\Users\Admin\AppData\Local\Temp\MckG.exe
| MD5 | 663d44ac5a9ef721dc02d4ccb000a750 |
| SHA1 | 52158be2185acdda039bd59d4ea22a522f9102d1 |
| SHA256 | ac0f5d6d066f9bb281681a07d4d69a25d9175b252aa9d90803d1adb42f06772a |
| SHA512 | bce32981bcdd1a1535f8996bb68950beac7a00a38e280edbfcf9326ef926aad6fc8ecf3fc7e8ca583f2899655db64db82f5b1ea3cb2bfae063d41245b9d1f6ac |
C:\Users\Admin\AppData\Local\Temp\zOkgUUcg.bat
| MD5 | 1095c68b0f45d79f8ebd78183f596473 |
| SHA1 | 32deaa9e4a1ef415340f76de1d932a497713807d |
| SHA256 | 87c2e006d028a04e0e50db768de11ca5a66b7875c92581b7b6862c2f8fdaf779 |
| SHA512 | 61a24bed533e2e1da77bac3b3fbedc868bb27c20dcc1f1ae254e9b89fb3bc04ba72a13c9a329fbcc6e4073019e40e9152f18e1c832e4a9d8fa2abc18eb211ace |
C:\Users\Admin\AppData\Local\Temp\Uogy.exe
| MD5 | ed147c1527aec754d297a0e801b8bfa7 |
| SHA1 | 6ff5ee423855008c62e0806066417a85a01eb8c3 |
| SHA256 | 0286b55a884b46935c1c475671463d22526d233c673a4b4b6f2e96e7da99fabe |
| SHA512 | 868a41d28d644829f827cfa47e1856194ac8d74f4d10405c67b53e78500014ae1d29647e067ac61fb036e3504443f6b7c281129d22e68d33637b915233f835c9 |
C:\Users\Admin\AppData\Local\Temp\oMYc.exe
| MD5 | e8062c2ebd8a56c709de4c3d3bcd9580 |
| SHA1 | 05ac1c23c814403259ec27de85ff6c89059a8790 |
| SHA256 | bfc3aa2b72de9a59fc50a278b8a7f0142e3169d855356fbc5a0cacb26acdcb1f |
| SHA512 | 2e749fe4e2751408856ae3567ba74b2163d65d11447c3da6cae117af604fef8601bddb95c202b38e4ff16240b9b7e274836e40ce58656bde9e2367131097797a |
C:\Users\Admin\AppData\Local\Temp\wsse.exe
| MD5 | 11508d1166b2468f7caa18ff4e007054 |
| SHA1 | c05a714a32ca0041aa030c6352a51254c18bea4f |
| SHA256 | e346022674072d6d8860142a7bb19894dcfbef1c12ac59ab115dab9bc2bcdd44 |
| SHA512 | 6a92edcfa0908fb8322f18f179539014c3e663e8654736e3977a0ba4faab7b11d565b1f0bf7f29855c84fc8e96627d4550751d4aaeeef4405990bb84784cf211 |
C:\Users\Admin\AppData\Local\Temp\kkkU.exe
| MD5 | fea8e7f1f46adce9f2fb4511e53669cd |
| SHA1 | 56a6ec15be22341af66fb7a3cb8c8c6e904a3e10 |
| SHA256 | 165e30dfdc200bb6bf975fd264f32fa73f2c50e8a68d2883ab80f0ec0092456d |
| SHA512 | 36d5f35705b6e702e8aa67d93251028d00c9dfa44147327d1db3ec237adecf994d0c77d7f7c353d37734b5dc8bb4c83e95e2d77afa9441149af8d7aa90330d39 |
C:\Users\Admin\AppData\Local\Temp\NGccoQIU.bat
| MD5 | 1acba6cd3ea146f507bec7792098685f |
| SHA1 | 26d00ee7c4f6d554a85fa1f6678f2d7c4de242de |
| SHA256 | a346a696ed3d1cd4acd82f07568768d793e9f452d434d67bce449fbb46fe8962 |
| SHA512 | 6c60c13a03c33103a8c835bb4d9cfb70cbac29e92f9d4a6a64792617ac8c782d7a68f86255cda1a37df4f6d243e67fbd76d9ec7fc62e8895f37e7dff17d003d6 |
C:\Users\Admin\AppData\Local\Temp\mgwk.exe
| MD5 | 83037c0dfb2d4a4c1a019a432e40aa78 |
| SHA1 | a938b87be014f81c823cb60af1c179b76bdf4533 |
| SHA256 | d9ad7db80e195e0c7e566eb422145eb013f4710cea6ba7a15cd4677a1bcf79b8 |
| SHA512 | 620932385ffc30f818a563e1a1b292e6beae80aff953fe57ff3181e31de4e0d5dffbd2e36aa1cd35d256f3b6714d87b6b5def16b8375d584fc1dfbbd04efb877 |
C:\Users\Admin\AppData\Local\Temp\gIIW.exe
| MD5 | f2769907930b56e2f0c8a99a19a1c5d8 |
| SHA1 | f681294a5b3e2dac6f3a290ca3d7ee51f763094c |
| SHA256 | 5c5af3d6712e18faf279363dcf039fe8486a16d46ac1c3651c9fca026024b3aa |
| SHA512 | dbfaa4dfffe092301a684882f2c09fc7b038a99293ae5cfcf451fdb2951b1cdbd4a6e603038c2905cda11f192e38288ccfd8a22b2873b1cddfb733c0ead020e3 |
C:\Users\Admin\AppData\Local\Temp\SwIA.exe
| MD5 | e13bd9f14a41ba8896e2068a0c5b1fbe |
| SHA1 | abca7e04b7fe6dfc402cae4cc70b72426d990a29 |
| SHA256 | 65c35947dc05a9b7c6f4423eefc181a50873c606ac2ad8cb77fca45d08ca445e |
| SHA512 | c549a3d87d8cec205a9b063f891bfc8936ff9be8c7d61402eaa6d7b3bd294d92164abfe731a826c3807eb421f60ff2a23158e8d8f902f1e3ea3f3cebf9429ff6 |
C:\Users\Admin\AppData\Local\Temp\oisEgMQA.bat
| MD5 | 88bcae69ae5602998f6338a6dd7f70dd |
| SHA1 | cc16ee7b2b732bdec1ad8b437a334714a8498750 |
| SHA256 | 12c1827a9f4035ed63956c8287a7737de3573c02e7e36795772812faf684d889 |
| SHA512 | 831e0c796462d976d9838711743c0820b072fc6897e64b833105474fa16dafd85ffbd0332864e29813613651dc69d097e2e339e090a471afc436a7b50e4e8de4 |
C:\Users\Admin\AppData\Local\Temp\UUIG.exe
| MD5 | 0d13758a2b7978410633dd0512c00528 |
| SHA1 | 9fcb461f8d1f22f25698239d7bae43910a4ac37b |
| SHA256 | 600eeba19036c784d9d4efb5128c78313a0c77543b62105d3d61c0cb131cc2a3 |
| SHA512 | 8ae65392d4923cd064149982c1ab9923371c93b22231574aefe52a649997e6e9150f1538c75fb0e768feb624a8fa244343fca5f916fd4fc503b8addc05d81f36 |
C:\Users\Admin\AppData\Local\Temp\qwIY.exe
| MD5 | 54dbdf7615158232f121696f076efdc7 |
| SHA1 | 8685e051f798189b9f2ab3f7168e8c1403a3e921 |
| SHA256 | 434f6d0ee15ce8f60749e723ee5d862b42aa98306f4155da508d706f3909fee0 |
| SHA512 | d2ffcfc0a97f71d6181d43fa528a6b57ac82bcee948f7d2ff21ffdba2c785a6a14372d058a6c526410850d96a2d9ca9bbf407e5f1bc0766621157d4602c9a9f5 |
C:\Users\Admin\AppData\Local\Temp\ecIcEIkI.bat
| MD5 | 31cbcaa4495519eabbaacf51466d630b |
| SHA1 | 4872ae5e245104b14d31b63d4c1abbee7d908a2f |
| SHA256 | e942321d20d08347df8b1f39f4058739c2a2e08f91f1e4be6a52f64746dbc273 |
| SHA512 | 7a45d412a596edfdd84474d80b53ff1524b803afb1ce3a3b2bfbecdc8fb18618b096df241ef4ba28376122ac8aab76b62873a019f3823c9fe93320b621ace3c4 |
C:\Users\Admin\AppData\Local\Temp\wwMs.exe
| MD5 | 44837594762c4839178f55da15697ece |
| SHA1 | 4ef1df6c92eaec6ee85d82a9a6c87da597813804 |
| SHA256 | f4114d8fa0fddcc4bbe12a8752d9da546a23afdb9172ed83d6fc139824902d7b |
| SHA512 | a9470dbc826dc30296a30c338638c85aa18be6c550c105b5f777f85329985ff29027001b863140ef474bc84250b148241b963e3b71761ac672cd58e2b3d40d24 |
C:\Users\Admin\AppData\Local\Temp\WIwS.exe
| MD5 | a70b7d6c525124a572fc8047bfeb7775 |
| SHA1 | 2a8e16725f29574b4da97bdae114b8983672f3b2 |
| SHA256 | 5ea0dd3bb22459df3d6a8396b22bc3665ca1f24c59edcf6cc4a6431c0d7bf889 |
| SHA512 | 7c1bb91d9174de77d4b9a1a7f92855924d86173942b11f053f6dce144299175c4edc82996ace9452cbd23e5cd76683087d5ec80233d60ce6c751dc710f39ee7b |
C:\Users\Admin\AppData\Local\Temp\uSkAYkwE.bat
| MD5 | 0930af1f282c42d310e0c4556672338b |
| SHA1 | f7653d4c54637777706c2693e5941b82daf3f4d0 |
| SHA256 | 7a6c4723999816643994755cf96ee976a7be8c3ea8571e0de0ae9315a704346c |
| SHA512 | 64f1dd8cf128907391494095bc2d4d37a41d50bfde4d16b3d20f846b2aaa8b9c574c3b03bc26f0443d36f018d8d37eabeb3e07522ff7437340ced4d0546884b7 |
C:\Users\Admin\AppData\Local\Temp\ywIK.exe
| MD5 | fd82a94f882f10297bff42c575cf4a36 |
| SHA1 | d099da2819661e7438fd29501c635bec2ec2727d |
| SHA256 | da0eddfdf7716cb91833907e042563705d3f66ea15858a445b38f81c209e21ff |
| SHA512 | dc55c3838803fc2dee33a5f3c44c33aba7c043c83bea6a9e84c71f9146d77908ccc2431fb69a4a7e631958daaf50abd6b93f73c8c28e6f9e7f2f030fdc79abfb |
C:\Users\Admin\AppData\Local\Temp\mwgq.exe
| MD5 | b3c420b8215f1e59dfbfc7735567a018 |
| SHA1 | 4a6beefdd37c8defa36285b1f720387a35948edb |
| SHA256 | 0f0f753041dca5ca8ba84c352ff93f5e62528ea06ddb8bfd121fbdfce390632b |
| SHA512 | 4adefcd04d12e369939ae1ac34058c8b7effa4ad09e2fb32139dc61b1eabad45d81d200c35f63db33280a132c52613a1670e98666cc5f16f557707badb2eac2f |
C:\Users\Admin\AppData\Local\Temp\Yowc.exe
| MD5 | b793639993bb13ffed13c3903f94f283 |
| SHA1 | 8018ee12ecd6e665e2c6cdcbb8968d8bb360277e |
| SHA256 | 15c43a875f9d57a0a4f521081cef64723a2f7b2a86e104f53a8bd6dc3a6f133c |
| SHA512 | d011f45b15159dc6e8f9cb681edffe011f65b7454c3cdbccb69fcfaab6e700806ca87f35dfa31c23fa9a2a252a973d6acff822dd49bbe62fad53a12c65b2ebe1 |
C:\Users\Admin\AppData\Local\Temp\IsYAsUoQ.bat
| MD5 | 4697d68968247850d56e83c651979d62 |
| SHA1 | 060cd8b370247b2a7b78611674f5b42b77b2b390 |
| SHA256 | faf455cb6adb28521fb66f6e53addb570babbebe051d8f6f7f7d3d90ee5433b8 |
| SHA512 | 0c065aa975886ddcbec09f57f463bc6c7aca677b8dba1a092afea146fd553e2017af8bd6e4e873d0023581c6c3dec76b346efe2118a871ee08dd8cb7214c7cee |
C:\Users\Admin\AppData\Local\Temp\IgsW.exe
| MD5 | 487901eb1bd09df98a038fea6f7581e7 |
| SHA1 | f32c12beb3f29355ab7eb3f4c7d27f150fc8c103 |
| SHA256 | 3e2b52afaf4957af39a1b56a417d3feccd8ac7add739cc5215fc917366d8f4fd |
| SHA512 | 41caa154e64a499fb29760eb18586cd3557ab310fa0ab5ae18019a565ae4fedc399d829f669f6291799df7e6c88d613edde47c96737f36242d5be780b2836e02 |
C:\Users\Admin\AppData\Local\Temp\Acww.exe
| MD5 | 608f929c3de0cb706241742493ad4c29 |
| SHA1 | b00396e4491aec17036f6a2b346d4c77a7946dcb |
| SHA256 | ccbb4ab4ac4fa1484dbfc91fbe0993e70f40e191a228b7f30a7be8b622670d66 |
| SHA512 | 872af429349b9eb8947d49c406ae249459edb0671e6deea92687772b6c1ef13b5df2415342e89c0904070a47aae9362f99b25ea9ca971edd34076371f93ecde5 |
C:\Users\Admin\AppData\Local\Temp\KQMA.exe
| MD5 | a435dc5f405f7893bfd7e7f35a135fc4 |
| SHA1 | 901ea5c796c8033ebb11e4b34408f9bf6b0f338b |
| SHA256 | 27f3cfbfb2221d8aa93b54630b79d9bcf8148710ec3bb4093a13f1a7f2776c01 |
| SHA512 | 9c06558bce76d23a129ee8b0a54f1fac9eb1ce7542a0d83babbc5afa77052c5d9a13116cc080ce3949c09f3ef710daea21501dd7da999a91f2ab0765e371abe1 |
C:\Users\Admin\AppData\Local\Temp\WwIMMIQU.bat
| MD5 | 22756a8dc94320006b09ab2513936279 |
| SHA1 | 4d021c7ab67742762c036bbc6d4f5b508087fddb |
| SHA256 | 4d03ececbc8d39a9d3d0c058add4fcb7a32fe9c767296d2ccb423a4ca895bf2c |
| SHA512 | 832f1e358d44158b616a125b1eb447308f2468743b277f6bf3aac1201eabe623b7151d6d5fc074b8f0cc6ac8060e952e42ff06df9d387a28f105014a97e0bcbe |
C:\Users\Admin\AppData\Local\Temp\mMYo.exe
| MD5 | b3ef0edb823c3449c503055fe735bde2 |
| SHA1 | be8f3b1598311f19794a7ddad5fc6b957239e713 |
| SHA256 | 12389f6b00de411fce5092ed97769f7f59d78639070757b1e2a4e1dede1de39a |
| SHA512 | 725fef11023fa71ddde39798d060c1345354023c820c3e60d64b0d1f6e209642d23b44a24022ef02231daac2caf2b604e1d0ea78a3f5ef640b54801700bff893 |
C:\Users\Admin\AppData\Local\Temp\gkYI.exe
| MD5 | 9e8a1826332d6b0f6dc97884b3ec23ca |
| SHA1 | f6ebe704f38063eada58f1592e2ea385cac897f0 |
| SHA256 | 1e2256bacd024045e182e7e73cd9f6403b45ab1d0d14bd74ac512f4670836145 |
| SHA512 | 01d2e684b1b72faf0a3885c95eb89e8046673ad02edc38ca5ce4e9a45617692346dc4fa2d46020f1b333f4df2ea53f8f6c471d28ee9b8885ee7bae286e6c343c |
C:\Users\Admin\AppData\Local\Temp\IGgEUooY.bat
| MD5 | f8d8f1d91e50e4d25d233d6289339128 |
| SHA1 | 8e692c9905820eecafa722f621d336d22514dba7 |
| SHA256 | 4d29cea32684eeb0d00f95424a152ed8f363449c2827b790911ce602fab3eee2 |
| SHA512 | d4cee281ae175cbcca698de833290c6019d493270ee30ca83b7b84ca4832302e043c8698d099d94b49551f7f6177888afc2a5740938478343d175bc9a886db62 |
C:\Users\Admin\AppData\Local\Temp\Uoou.exe
| MD5 | 6d031eef754b9d7138bf2b711b5db059 |
| SHA1 | 3dad139b25862eaf405e8a04b78c46a1c1dd85fc |
| SHA256 | d9daa3ea00711d1768557152b91a654c803748bf1701e7e2118e3671340b03b6 |
| SHA512 | 525ad7ff7e874c0763312a8f05fb0500b3a41e79d8f1b546a48c9e2fb2cbacd779564b033bd3da9c01f38877748121835f8c10b21422a994f67ea8f3674eeb24 |
C:\Users\Admin\AppData\Local\Temp\KEsq.exe
| MD5 | 93449b84ad03af7d2d2bf00e22bf9db5 |
| SHA1 | 03b28f4cfaf745ac40492c31c4a77cee893b4e87 |
| SHA256 | 3fcd0d58295124dde877b80f6413ee3551df96477e9c4aad83b6b75816bff8b0 |
| SHA512 | a18c28e6b0433e7b2e8806d79d07457160a4a7d77d8de3d567a872405b3b867f991d5081c4295c7270752d718c46489b4b9c3752ed11e40ec680758f234ebabd |
C:\Users\Admin\AppData\Local\Temp\mYUu.exe
| MD5 | 91ed0f4af5f7924569c4f5c7f51f3ada |
| SHA1 | 74b4453df9331205870042411c93e612b7f87dca |
| SHA256 | 4bd0d6c6d837cc34235db059c440011b02c3922822146cad248c397588936fd2 |
| SHA512 | 481b8974f8621e77e36380171eceac273e8c19bd18b6c6e0917932ca1d03fd4666cb8817f2b60004aa4887af51e23463f78d988d20775ff683a5e3bf75c7e24a |
C:\Users\Admin\AppData\Local\Temp\WgQs.exe
| MD5 | a8dae6bfc5890149ad2eca517a065088 |
| SHA1 | f252d28e95da54b774893943b3420cc5697884ef |
| SHA256 | 57361bdd042ae12a69671e814c9c496c6b0c2c7220c2127842f646dcaea09a9a |
| SHA512 | ef9287f24bf068e717bc816000501595d3665fefc64819d6d601bcc568571543442a281884993aae7a683ce6bc3dacdbfd96ac28050ccdc8b6d257540b607bdd |
C:\Users\Admin\AppData\Local\Temp\gYsE.exe
| MD5 | 4bb1385a9c39f521c1d4f597393270b6 |
| SHA1 | c7c2716512819f76d06b72364203bd3fd5476781 |
| SHA256 | 18d2b2f601c8d62638f542f63da470c6ee4f15d9c62fc78a50f1711510da6fb1 |
| SHA512 | 6820f3203e549f78d69a5619c4935ebb570df81f4d71f2ee5bee0f25f58b4cc665b7ba52610e9db304f148a65fc58dfc8dd3951d533bfa70189de5a365bead3f |
C:\Users\Admin\AppData\Local\Temp\zIcEsAUQ.bat
| MD5 | d44c7a64c760648cbbea6601b36d73e2 |
| SHA1 | 16d1e2809849806ba1fa6a8502a0abc7dd5257e1 |
| SHA256 | 79f0edfc5d37a3b82bdb99ced53bfa7ce5d39d0845cf8eecf235bfefb8c23987 |
| SHA512 | b1edbe3c2667bfba689882168112a3086b150c6c307b9425807b9fe22e3f799e1f304793dff7f6f8da39f0ef4ff78f9d7a9a3bbc9b1c9edcd4baa6f7d645fd07 |
C:\Users\Admin\AppData\Local\Temp\iIIU.exe
| MD5 | 10da93ccf57ec9b8c2fef264c26290cf |
| SHA1 | 95ec69b3c4090cf5fc8b0f69dd6e6ebd864efc5e |
| SHA256 | 9fdf31b87d1d3880b13e3a642f5bd9864e1513df5556fa2fd8940cfc53754e9a |
| SHA512 | 996383ed112f9b370f484037024690644ed7595a3df4d5f488de8eecb6f452363d082f271b9860dbe6688029aefeb565796c1ee65fc830bf4f007ceb6437718f |
C:\Users\Admin\AppData\Local\Temp\cUQy.exe
| MD5 | 56e7c0ca9ca47f7bedff49ce1ccc0bc9 |
| SHA1 | 37f99a344e35e22838901eb3e15afa784d1e91ad |
| SHA256 | 361a27e7db6c5d48f669079d98b96fc9e7a5cf8c2e16482b467a4b95994e6132 |
| SHA512 | c1efc733969bf9aba8bc6fb371be41d5965b3418f92d57694f758bb21a7b7ad4115c3648cd78a10be2e67bcfa9f69789c82ea36848d4aa377b9483d8e331ded2 |
C:\Users\Admin\AppData\Local\Temp\CYUK.exe
| MD5 | 5c18fb29041bdd3219c395f6b51b600c |
| SHA1 | b04279bf819fb09d25fba12211e8699c59f664fc |
| SHA256 | b4e3870200479c12da930fb94247b74095a34f6d1e745a803099077e8f68f2e0 |
| SHA512 | 079cd6a0057eb59d8390c073c8f6948f962b8efd78dd9aa8a9ef01a3d143313e19251dee1f520a5a02a1b1b765aed9614a7cc054426f96b9dd55040fb552105b |
C:\Users\Admin\AppData\Local\Temp\bUYAkwEI.bat
| MD5 | d804196ff70ed91a55c3df7661ca4cec |
| SHA1 | 3d8fce49a05a5af87b42de51a613c6f1625b8007 |
| SHA256 | e83a8b53551938010a828b1fc68d290816e0a9fd83c442b2c94b46cd6cfdb45c |
| SHA512 | e86dcb62db61f49590707263dc31253643d3cc2e5d86e2dd2b8cde847527384182b7030b229defa43b9c18bbe94f04ebc8573db708dfa9ca52d2b8caea898f2f |
C:\Users\Admin\AppData\Local\Temp\SUgQ.exe
| MD5 | 87fc1fc5feba5a79053bdfcc05429a78 |
| SHA1 | 30e02b0945fdd1557bdd7ad5b3103b286b44693f |
| SHA256 | a3933c655a29d91310fc65f1a445b7be23ca0fb1551532b6a6482bcddb3d8248 |
| SHA512 | 2b797657168010af9f2401fcd4d1a3c5d48deea63c721b610929bd8447115333ac02921754c03324ff955ae2feb2df7d7fbbcb13f4a4d4d491714d844964b7c8 |
C:\Users\Admin\AppData\Local\Temp\iIYM.exe
| MD5 | 288918d967f678b30dcf15cdde6c5f11 |
| SHA1 | 1d47985a52094dd60b30e27a8bb385b7436bf1d3 |
| SHA256 | 2d80e485fc013a2bb69c627ba376b787078e4405e6be32db1938e74e451daae9 |
| SHA512 | 589cb0f641841b17dcb500780c1fdcd53b3b7681c708bc225a861771cc7b83dea1729b68ed39004b657598643743762be54f8c646e40fd89ff65f93dee7c058e |
C:\Users\Admin\AppData\Local\Temp\GMYi.exe
| MD5 | 9c967fa8a239e6340258de034ab4b054 |
| SHA1 | 9a0521291e43fbf4f10c79640c192d7c1b1482ee |
| SHA256 | 19a9137532be4a32c057d9b8ee4d64cc11eadff04f06e9490b3405db767e7308 |
| SHA512 | 49b2c6fb11e32c9c8d410d3da64674234146d09c081fe955bd47ebab9d96fee09557cf9cebf6b1585981ac7b19df9ed09bae59118c6b099bcfee3bfdf2bf0502 |
C:\Users\Admin\AppData\Local\Temp\QMcM.exe
| MD5 | 2f40325c1dac64bc4c4617760de9dc26 |
| SHA1 | dfb6712e6e299c509cc1ada57e59932d7154d582 |
| SHA256 | dfcb2296161bda9d7b6d380e9d47145061af18ce39f9402b1b337d2b9816d85c |
| SHA512 | 86658c90457b11484b92376b83cd5317195b589c32d3922e2b35062e7d39ff9d37975853c7ab6bfce874c5a56eadcbc3616af7a952198bcf666b98aec3d6a7c2 |
C:\Users\Admin\AppData\Local\Temp\IoAm.exe
| MD5 | e49a623e785be52594d414e1dc557846 |
| SHA1 | a2e366306931e93c445677cce70ab34e4d6597be |
| SHA256 | c6468e018fe4b7d386575532fe9d244d05f650ed3e65b0fa04159eecf4d11881 |
| SHA512 | 21922c96f881775b37e3b159559d0504cf7e2326613bf0b2029cf0b347689c611fd6c35dedfae54854d6d00f8f198baf6c04390a3557736eb1ded38f96f56039 |
C:\Users\Admin\AppData\Local\Temp\VsMwEcwg.bat
| MD5 | 29cb788102dc534b2a7e15e02b718290 |
| SHA1 | ca88a59fc2d47fae85370b4515e54b9fd53b1022 |
| SHA256 | 2bdbcf77f07ec9a3d47f61d1218d99455b9c361c1d402017ce4b8f4b64bdc837 |
| SHA512 | 0e77dbde69985aa02d0f851ad5aff0cb93910070a9fac13ac23e3af17cfca60936ae1c2d68e739a82f64870bf96932703273a2b5261aadd8263b3e7df20ae571 |
C:\Users\Admin\AppData\Local\Temp\uMgi.exe
| MD5 | 54ab1fd4e6837e4b78f5e9a3d171d510 |
| SHA1 | 1f503598043ca4f3de206bb02422bed638994604 |
| SHA256 | 68bd04f0d8a586fff1f61c27e9a7cd2982029e9e9279f3817f0edb9f69eb5cce |
| SHA512 | 0372f94bba902b1d8363a0a429ceab5810e6c2d525a6a3e837bfe625053acc85d93110adc56d1dfa281d89d6b50e0343927efe367edb29b80953687cf8e8a201 |
C:\Users\Admin\AppData\Local\Temp\iUoS.exe
| MD5 | a17f0dda272e6c7829652bef53983187 |
| SHA1 | c13ab36d1e8034014336974eaa520ffd50eb0f30 |
| SHA256 | 460f4ae29b054e6ef2bbb9bd673484b9dcfbcd77194adbe36dfc417ea3acf17d |
| SHA512 | 856bcac75c762f620995b66672010cd59169d5e8d777c517942e19ae213aeebcbdd779880fa2f30288d0a4495861f6bef941b771748f1920178e6beea9a6e5cc |
C:\Users\Admin\AppData\Local\Temp\wwEg.exe
| MD5 | e48eb655a605ccfa58127e010c7734f1 |
| SHA1 | cb91e202c8e3aaefb76129001611f6b5e16c9294 |
| SHA256 | 641a17c7c0f1e1b325d7285a51eb2524d53af6afd223f952100979a516abdd29 |
| SHA512 | ca1f19923dd0ddff1d9fca6811e25b236adbc8304e56aada01bbeaf9b1c2588add559b005af870071035788d0e5ea032ac2e410cc70a385f736ee2ba19647d76 |
C:\Users\Admin\AppData\Local\Temp\HyAosIwc.bat
| MD5 | aa2fce6cab3a6a5afcf6a71862a4bd41 |
| SHA1 | ef911be51492638cd7eb5eb56d9e514bcf0185a6 |
| SHA256 | 03e07fea68dba2124fde540342f4db99ec46b7dca122d4d8422bb4b6b3b4db39 |
| SHA512 | 203fe82d90d5b6dffd35478749563f9736c715616b23739abcd8a32e8baf4c1f70816f06fedd4982d4c0d91cf662a8bd11d2fe920e568d76c71c6693671a3847 |
C:\Users\Admin\AppData\Local\Temp\MkQYIMsM.bat
| MD5 | 1204629e2a4c719264bb4d3a1a13b73c |
| SHA1 | bea49f1f08cc7fd4fcea3d4664c180375633bdf0 |
| SHA256 | 279b9440a6785271becb56add08a85acebe19438dced26a2b3faad12c32de6e5 |
| SHA512 | 1c547209c3879f58cf095031c6a1f84b5ce557a354ec0e5790f1444138329552b5c9625ed85b3d6ff5b0d81d440cc729d0ab6bcfcb0916420bc2b0ebecad30d4 |
C:\Users\Admin\AppData\Local\Temp\KQEwksgg.bat
| MD5 | fb3c4b9bad29cf2cc52699b87e9a2cc1 |
| SHA1 | 10c8ca5152ebc51aeac8f2d95d9bdda762e8d57f |
| SHA256 | 520cab138f9d20b3e5afcaf481c49c04820a139977e7b0d2bda03ed7b9823755 |
| SHA512 | 0d1daebb56fc75be3b25d37fa674df393dc002d807d8136af73d9cc0af27978b5924ff0bc8583fea9bd65474b3c5c49728314b9897f72a564bedfafb8dbb8f6e |
C:\Users\Admin\AppData\Local\Temp\eQIk.exe
| MD5 | 1aabc7a85777e7d4d228f9464c15acde |
| SHA1 | be1e331d6b591e7b90c57d5dc204ecca7638ead8 |
| SHA256 | cba6d3414f3b90905cfb4bdc29e79f718cd41c0fecba2a53bb0611e9f22ae92d |
| SHA512 | 6de7dd035882244f3f5458f19a8e1f23c70eb8de926e84663f8a71a84f9086bba38ee5967f3b29a77e54bcc42c0e5f11e91a2d615ade0782e1007e7de8bd5c4d |
C:\Users\Admin\AppData\Local\Temp\SQsC.exe
| MD5 | 647cea9fcbed0bdb37f9d356b3c3455c |
| SHA1 | 115ae07cf63ec092ebcb8bc1092f43a3c48feeb3 |
| SHA256 | e473c05860d00b3ed8cc68e848209b52502419b2cbfd8ff3cc13549724a149ac |
| SHA512 | 9124c92c0050a53edd534356c568dd3cebb91c03541b5d87ae0b36784e8af362ceac20112c4d2183332d6d2c5ae131f63cfcf541e8c7e41baaff502ac4b233cb |
C:\Users\Admin\AppData\Local\Temp\cWIgkoQc.bat
| MD5 | 6075611b8644771df60e3782118c0b11 |
| SHA1 | ff45df3bbfe03c1b48bf7c23d68e22611e56bf1c |
| SHA256 | 864d01469441af2a2ca51ca06a1c9f489e4d1f446d67d47631898526ca2fbaa3 |
| SHA512 | c3816ecd6dcc5e89944dce8ca5f5275fa0d948538ee8f796921c76cecfe4e36f34ef376bec9a44d8b609678034cf676a048256d389c6237a2768daf3f42a8466 |
C:\Users\Admin\AppData\Local\Temp\GgkE.exe
| MD5 | 78a2fe0d5ba0706ab133b971ed98c935 |
| SHA1 | a7a0ac9d2b5a056739667c02cd3923af68dfd9cd |
| SHA256 | e7af23d585631ed80bb9343719571ce2d4af27002ea217bca9f1cb54dec52f10 |
| SHA512 | 82ad256998c755a229d66fb3834688d55aa6b1c86bf3d0cf0b648dc535f5167f6b9fe774abbdac0d7ab71fb6b5882c49f16892051d611c0aafdf0d288165bec8 |
C:\Users\Admin\AppData\Local\Temp\gQEq.exe
| MD5 | 090273a465361481bad56b922890d44b |
| SHA1 | 99af2d712fef7af5d73cb13011e7ba4b190fcb41 |
| SHA256 | 292ff2b6167ed59587d74af4473d67bac6c297fd311464cc2adab00ac342ef78 |
| SHA512 | 4974552e166e7411d6576c3269c44ace067b4d4d68887622eafcf57a628a1a00d3c21681e15a100208be5d5fca74a19848f2f6dd6b5439028c5a3b0da6574506 |
C:\Users\Admin\AppData\Local\Temp\SQoC.exe
| MD5 | d309f885ffaffa98c3c434e30b060adb |
| SHA1 | d5c45d53e3b0d550b10a679425cbfa99158e9907 |
| SHA256 | 4a6df37eb921f70baedc66015c57bd1885a5a6fe0c9d1f99c8e1200ccf8450c3 |
| SHA512 | db751f078272423f6b3bb15560da600094554f3a6d7a28eebd3b28e31216b33f1142ac345a4ffecfe5e016b32e987e7511665ea1839736de3a1343a703ffa0b2 |
C:\Users\Admin\AppData\Local\Temp\SAEo.exe
| MD5 | 3cc50313de3c889e61fcb845f56bfdf8 |
| SHA1 | 046cd276e4c1c5c53d1678544194760c404277f3 |
| SHA256 | ac47e2add3b9c64f4387d5ddee46ce584f0180c377c44edced894acc7ac548f1 |
| SHA512 | cdfdfcd4667951f265b90b64b82eef6332c5879518fadf7f4ee38c8af331fdfc7aff796af15c46edf9843148aa42a4f04bbf8cd1b4a70d324e12f8c3719cd538 |
C:\Users\Admin\AppData\Local\Temp\ycQgcUkY.bat
| MD5 | c09c7e6fd8c433a0b4f827d7295c420e |
| SHA1 | f56da8e5c98139d957ceffbba3eac0f52ec24afc |
| SHA256 | d4c6d6dabd81fa4cc6004ac0d20140d2eb422ecd8a4dd8c3fb30dfdd6cdeb7a7 |
| SHA512 | 4d61a426a2fe2d0b8a65ca318862c985c8e672c95e72e2659e30fad723247b25069284d2021bb0ec28bd003c146a0b90ba0fe7e723727f2d15db5e6a012c02b0 |
C:\Users\Admin\AppData\Local\Temp\EQEk.exe
| MD5 | 3941f13212992ddb42e008e481467420 |
| SHA1 | 1deb2fdb106931e0c60a5abab1490d5c0ac64b50 |
| SHA256 | a45eb524ae9a48c6519faa8a44191681cfbb9bcb71763d67020fe97efe316b8e |
| SHA512 | 4367f0c4fd288848183580da7df447242e9e44297e4573052e408788e26b7938fa784bc97409caed001f606a1fbeac54f9c5bff05ef7af3716f2d3068cf5ec12 |
C:\Users\Admin\AppData\Local\Temp\qEAe.exe
| MD5 | 36c1d5938d8ee40100c20b59ec45e3ec |
| SHA1 | c68bff5e137198b801b84774c184abee530f0b13 |
| SHA256 | 6ee1e5e65a01f5bb31fa0aeadf10a4a348b909f00d9a5c39d7650b7d3d126fe6 |
| SHA512 | b31c8fe42fc70aa599328acb5133894b825f3e3ea240845d2a14c76bbf35c94f0a98801e41bf2fd4e018d65d7cd6f1d9f08685ec5f97d0dc0ec86f8b9e7f18b4 |
C:\Users\Admin\AppData\Local\Temp\qcoI.exe
| MD5 | c4dcfff6ba75fc91e95a42e4ecf8f7d8 |
| SHA1 | 54ef51727265bb3d2932d994f52cd52686665a72 |
| SHA256 | c27f42f844022279c0742bd4e176e4143f93309213548723add0993d3a91b0a0 |
| SHA512 | a5dc510afe13910ecda912553c7c43e6bf94ac85af6356c397d28085d00c2cc3af0798e73d44e5a522fc9dcf94297c9a0a124373e7e2101c73ed985fa4102ee0 |
C:\Users\Admin\AppData\Local\Temp\GIUI.exe
| MD5 | 4c4935a2b0d92dd1267a15d3b4f28a9c |
| SHA1 | aa6a903bb333d504b127488dbb080235005cfb39 |
| SHA256 | 52e6259b98be1cff559e8f5f1c2160303a262766b5e8869d79796edae583226e |
| SHA512 | f67990e140a6b646e39663c16b9fc80fa5815d432ce640f98a4300c9e1b856d03513cb426d2c7a71c07fcda24bd18291a8e3059a9eb1ffe82c9bb55eef8cef13 |
C:\Users\Admin\AppData\Local\Temp\ruQEwggU.bat
| MD5 | f4ee0a7071ef2c1adec3e9d70edadf3c |
| SHA1 | 642a2870ec88b577154f57ce5b369d1251d49907 |
| SHA256 | c0957c37ab0b4497f90727dbb2950678073afac3b66f096ecdd595fc91370796 |
| SHA512 | 2be0a9c97115a4fbf750cfd5f193b8f0f3a98911e16d8ffdfe18004aad3576ed5b3a4026b6f59bce16928c2e87aa5a9aa81b249c43f136bd288eca58ad023dd3 |
C:\Users\Admin\AppData\Local\Temp\pQMQQwAs.bat
| MD5 | 101573382e7e674cc5d8421e4a679389 |
| SHA1 | cae433907d9a13c1967954e9f31c03428ea24569 |
| SHA256 | ed0705e66e09ce19fe7ef46ff3716b497577c7f64f86f50c3074d8e6dc1f5285 |
| SHA512 | a288bd15fb567ea3b51642e31c6dc01ee213972b9477b64c20f5add42eebc54b98336952b03a1035d247ee7a7e90b52c5a2c7c135d875c616ebbb1db67f458a6 |
C:\Users\Admin\AppData\Local\Temp\ZGsQwQEw.bat
| MD5 | c37da4ab27d69fc15a00f78cfb41290e |
| SHA1 | 65e4dd5f450a18c1893488765030ce186c7e3651 |
| SHA256 | 9533c6f9fd56c259094c4edd67d45ec2e1a66a0148532a189b75c3a53fc506a0 |
| SHA512 | ddda1492f973c667d7653ec482766d0fe9316742f2f611c9418cb69eb42c4cf8e65fe8a209667518a30abe7e196e10af7bf65edc622b8c5fc1eebde320946fc4 |
C:\Users\Admin\AppData\Local\Temp\VqwQQsAQ.bat
| MD5 | 8ee7d7bf33bba46562f4b309c60cbc01 |
| SHA1 | 8613419143169b9233a1a3a459ebc193cd30e803 |
| SHA256 | 3352691f5061749f27ffc99237a2baeb26d34c8c60bbff9e20f6dd755055df45 |
| SHA512 | 134f385e941d75ffb512e2ba3d301f0d769b2c5a81b038dea6eeb945787feafaaf8fc7ef880458c3f7aa904385b242d66f95f135c254607e97a5b0b97e84678a |
C:\Users\Admin\AppData\Local\Temp\usAYgcgU.bat
| MD5 | 0df9a523a4cab03079e3f795d5994b68 |
| SHA1 | 4db9393b9b076da1523211b5914dc3bdd8c120fe |
| SHA256 | bbaee103a085690eb1e4f38dc9ff8d8d21344b24893937bb30f98079a467155d |
| SHA512 | 06d1ea088d29dd2aec72d6f667d9b1cdad514c35ec2c18ad50de4fb903bffdc4043a039fb55cfb8f727e456e1cef87c928165ba3d8689df83752a106e44602f3 |
C:\Users\Admin\AppData\Local\Temp\wqwMgMIE.bat
| MD5 | d107d7839ea050c21e0a9651c3f98506 |
| SHA1 | 85e96314fd283b7f95c4c5457c4a902016bbfca2 |
| SHA256 | db1c2d8dc2086311b13d9b7d4b3f7efa1ceb7d4d427272f708d5fe9b11ba6b7d |
| SHA512 | 6fb31ee546b7108d7ab3d378823ab0f8b4cfbeff04ba5cc0f5c5ab770f03af4da7786e93bc98acf803decbccdf73826a4a7d756cb5c14a95b0273567b46b3b10 |
C:\Users\Admin\AppData\Local\Temp\mmUkMcIc.bat
| MD5 | 49f6cd529172c75c234135199a2982ee |
| SHA1 | 9268ff564a35aaddd3d9b79dccadb6aaa59f90a9 |
| SHA256 | 93350c4cb266f5f3588236d1ba6ed22130f47d3ed95503e5fd9cef9594e02e26 |
| SHA512 | 011dbf7e9b99040f6dc3208f0d3a4d2bb19066d015708f0995c8576cfe8e74bd8b62a46a2a0cc8b703b6bf552bd48e7a61d93825ade1aaf2197932033d3377be |
C:\Users\Admin\AppData\Local\Temp\GkkEocoU.bat
| MD5 | ee2d13d09067ff6b082f4cc004e28d1a |
| SHA1 | 48ad79f51f45c0410bfc6b03be0632a61fe57095 |
| SHA256 | 09ef2ca016a475ab766e8d1808c84a7b5b3a07450a939161ce37ba022884d0ab |
| SHA512 | cbcacef82959ed63c7e37c08422c0dc9b5019e9c9af32de6fa97681fc135996cbdc6bec5c4ddd58ffb8bbebe3ae22c6f8eedfd5b4bb5345d789f3287617b67d0 |
C:\Users\Admin\AppData\Local\Temp\iqwcowgA.bat
| MD5 | 0a483ea6a617f740f587655bbb673e7b |
| SHA1 | cf71e0a5614743e4847df2a46a0bf27f411b4dd1 |
| SHA256 | bec9ee4c02f0755e0ed1a1fbbc4ea9183549531eb3c4f3e8b5fe7dc9a2d8235f |
| SHA512 | 2eed398e8b6942b652d0719bd55d0ef4d795629b8c1be8575b8bf9ac0ce65a40344ba5406ff3e210b037d139b5637edebadc7c02b44d03db95c5449c2f106fbc |
C:\Users\Admin\AppData\Local\Temp\pwccYMYw.bat
| MD5 | ed2b6bf0c5efc8583c7f50003ae92103 |
| SHA1 | 7c731c8cf772db49b724f7488d93beaa9b7e00d7 |
| SHA256 | 78511a0d7aad84449ffc97f3adb1192d40d91c2f3536fa8530d20a8226b6a74f |
| SHA512 | 6ffc4940a91e8bf1f0f7f50ea9e1886d997f1f363ca27edd897b2b4bd3420ae01fe07f1508d09292f372f2644fd20e78e49949d42178db32f54575322984c6a0 |
C:\Users\Admin\AppData\Local\Temp\TYwckYYA.bat
| MD5 | 781b4491eb28ead0fa62c96b023a48bb |
| SHA1 | 14375879f239ea484167f4b8c7cef54d6aa83922 |
| SHA256 | 3667acc2440e85052ba39f4da82cb91c908719af4baf4e2e6ea779597b8ad908 |
| SHA512 | 7a5dcd796222350a037e51985aba77e617b46669d69a64b86dd42388dfc055e32e120c4d202c5d7d0e09a8b05c5ca49ddd3a25fa32198fca93cf985007107b96 |
C:\Users\Admin\AppData\Local\Temp\tYIIsUkw.bat
| MD5 | 2989004fb947dea374a05b0f954c0cfc |
| SHA1 | 867e58c6c49092464ee8b6b98bb91113b6722a63 |
| SHA256 | fe53a98ad6b690a777a266e49da38bd05777d3665a1f94ee313caed7860ea691 |
| SHA512 | 5787f47ed456db964ba892bc951decf2e1427a18aa4e4155adac063945f929806a1adabbf98c30a8bb7c5692731bbc90944168496bd6d3540c7c796fed0bbd51 |
C:\Users\Admin\AppData\Local\Temp\VgIcwYYw.bat
| MD5 | 75cfa8a42b489c3be47d74ab7cf87796 |
| SHA1 | 539f40bb9f2aabaa5c099d0ac9cbe97750e3c9ba |
| SHA256 | fb762a4850bab4c9963d7af515c21962fb63fa6ab942c1787c734f6dbd65e936 |
| SHA512 | f5e921457110b707e6c2134ccaf406936ea61af5b81c988cf8bcc30afc0afd542e91967d21affd87e1d9f7e25b8e34834d479d026f5968ddfd3dc8870c9454c8 |
C:\Users\Admin\AppData\Local\Temp\wEkYEowk.bat
| MD5 | 440e4ccca0f0fad1d76e1b4e2812293b |
| SHA1 | 37031f85ea28e4b5190db082073b1c273ab54743 |
| SHA256 | c049d9ba9fab52280710323cd25a6050fd59e75b8c058f64ccc33611ff4ef702 |
| SHA512 | 42806f005efbf67c0470f9627527458fe79df9020900e707de58f41e2ae5eb32af070f79d1b0ac01fb7f1c3c6907103a9eaa400b2ba31608368af444b496d0ae |
C:\Users\Admin\AppData\Local\Temp\QwwIYAAU.bat
| MD5 | f4056eee2640b106f40dcd3145cbf622 |
| SHA1 | 908764dbe56658297fd6a4f6fbab770716720634 |
| SHA256 | 595a99f1804a1035a6c5f86a43d2eaa390ec5f60e504ceedfb4f9027df4f0c2b |
| SHA512 | 4f42006b488be8314a3519be2d541cb9120b951c8d6d31f07fce97b187c0211a570c276b26e501a1a438ecf5ec379703a101a664bc586e9d54cb3c2a988473d7 |
C:\Users\Admin\AppData\Local\Temp\UaUsoQsI.bat
| MD5 | 8b787884bf4f8cad094df84fbc4ff6e1 |
| SHA1 | 96365c6f4f9b90d2cb36299a84f4d593513ce683 |
| SHA256 | a65a285c3aae5bf4ad5fa256e3e6387a618978d398bd99f05ada865379c11a42 |
| SHA512 | 7c4f27c55a48793b4498233b091d0c4485fc34724c54b57c90b524c5dae57f285d2fd3ce0619580522ff37744b17694c6cf7d0a8b4808413ec8e76b1483fad7f |
C:\Users\Admin\AppData\Local\Temp\YsAgIsoM.bat
| MD5 | 4fdc8a3fc9f7e5d944f3f714a4de46ef |
| SHA1 | b7551ac6c09ee90ba4f49633c01cf8b4ff6e7d90 |
| SHA256 | c04b17ed4cad7380d8bc1e8652593689a82812b018a181796ac2f8338799bbf7 |
| SHA512 | af23958dc3c6f389d87e92234741eb929c48dea468ec21e0564ec803376e4b91d8d2c6b7b2ef7cdbb62470ef9bc0256e6fd3195352fc2e16df46fbbef3605991 |
C:\Users\Admin\AppData\Local\Temp\IYAUAgQY.bat
| MD5 | 59732da5353dbc378c2a869db696f225 |
| SHA1 | e130d9b3fa57b04cf2298d043e726ba3bb0d207b |
| SHA256 | f47331c1674f16c7031750f077f7f9bc7c7908157838860223d3bd77a50c617b |
| SHA512 | 06f8e65ff56e0827630ec7fb4683dc21da16c0588ba7e8e53b095b764a954beea1efa8a98d2ceef5a9a411480fe3308ce674d592ca5a542dcd83a88d580c78b7 |
C:\Users\Admin\AppData\Local\Temp\noksAgAs.bat
| MD5 | 8d6dfbf48b4b1d1449fdae4ba07bd7f6 |
| SHA1 | 993310883e4c72a593aa5a452772a731025604ff |
| SHA256 | 973fa94e6e7619f011bb20fe09d94c0e1e92b560a5fc23e5fb1e97d2766c3eca |
| SHA512 | 08a01e72cc121bc6c628f69fabec229b19c91932ec027a7978b0a18fdc6c4729c58dcb0399d93e0116c7c8b4a9d679248b30121b50484f43f8adccd369391d4f |
C:\Users\Admin\AppData\Local\Temp\HeAogYcs.bat
| MD5 | 1cb92851c7cf2a0c84e2d05a03bc57f2 |
| SHA1 | 58600524a9b46e92b22aaa7c576b0a37d606216d |
| SHA256 | a936570d6b3b88e1dc7d2424093fd54207eb852fea01213b32ab867dd1871e19 |
| SHA512 | 747b7439b3c0ff065952eaa79f073080508ccb799712b98ac4660ac1b92dd76997cd4b4bf1c159768b36db4dd91699eafb1513cb4e95ad03db9c5d77d2d45a51 |
C:\Users\Admin\AppData\Local\Temp\daAYAEcw.bat
| MD5 | 7e34e0f1b6dd398aae424e66d031034b |
| SHA1 | 867c91fe53701df98bfb3461a27e4c221693d2d6 |
| SHA256 | 348bd9c5ebd02809ebaf362eb70845bc9622a74e44bc2686b38429247c25deda |
| SHA512 | 3f657929be149b9a4c5846ae92af546011a94a1bb7f24ece9a814d043cb4a6d86b37bd396549022bf16978aa01f85b7b03b00534ff7a8d51dceaac54fe7227b0 |
C:\Users\Admin\AppData\Local\Temp\fKYUoIsg.bat
| MD5 | a4107a4871dda388457faa931bc806c1 |
| SHA1 | 66d88c7f46d1f2cd7da429fe61bfe531260adbc6 |
| SHA256 | 6a85ce6d9a60b7540eece2dc5d6ad91340aa37745ab18e981525f1a999ca37ac |
| SHA512 | 769367fe0f7ee4ad48202aed851f433eef1833d0cdbcf11b403cf0867b93e985485885b1eccb35ae4a084db62046fe3ac8cc373ac79d277030e01ac606671838 |
C:\Users\Admin\AppData\Local\Temp\OicQQwwI.bat
| MD5 | 33d0c72df5fbbfeaddf00b3f67709bba |
| SHA1 | 8b9fbb5b9ad22aae4093c3c4d0862f8b5e52d899 |
| SHA256 | f9cf95c5fdad30e79d382e1714b49f1c7fec3e074b6002350c021b7d17f1f612 |
| SHA512 | 07f4da37477795303ecd8a181a64ef7045191d51c4c8d809f07a16ba07342859e15cedf8d816c4ad07b4950cfa244149dab8e11028f4ffc8ef50f1de354dda1d |
C:\Users\Admin\AppData\Local\Temp\CeMQEIAs.bat
| MD5 | 11f6cf7193f35ad3462b0dc38906a6cc |
| SHA1 | 631c4e8633c59f5f10afda9e83e4c12040e0d0d3 |
| SHA256 | dfc5570eb5ad6475eea4aa2b7705156be2569f069ed3cb4186d7d64fd7f96e10 |
| SHA512 | 7664aa850790cf1102baf711c4b7b1536117ac5d636d1f6cc09fdd6519d2f8e58ff929afa904e68973d4908ce1975b67128eae61058244f1d280ab219178805e |
C:\Users\Admin\AppData\Local\Temp\GSQccgcw.bat
| MD5 | 0629b515cd18bb3e3d2494c451340213 |
| SHA1 | 581f2621108a5d005465d648823b4449bfdea9f0 |
| SHA256 | 07e65437972cd0edde455a1c8bf2145f91aa1809d95f00fb723a6a961997cd02 |
| SHA512 | 9da21f8f05af2fff5ddd1b9819b8230f89751636170da4e2a62a2ec2212bbfd131fa6dcd3b0772fd8d03e0b29c3bd5775330a62d56fe50b0c49f16ad48c20470 |
C:\Users\Admin\AppData\Local\Temp\cakMAosE.bat
| MD5 | 91a9a441f62e3d29ea2367af50da4c4d |
| SHA1 | 7ef7c8302ced855839ecc3cafa869dd624139421 |
| SHA256 | 8aadbcebdfd7e9f8ee7dab4fe6709d5df63dea2e08f8e2bcc9be432b5ce5dd4b |
| SHA512 | b62a33ce72c8dd5bcfdb31875e3676b248750a7ca02ace792a3e9bfe6db5a9069ba98660a4fb9acb46d6a9e17fc1b688e7b56db246e517c940e7eb58a1891280 |
C:\Users\Admin\AppData\Local\Temp\eKQwosIM.bat
| MD5 | e3dc1e2ed641c24c54a8c839132b5eaf |
| SHA1 | b0528a6ebe5e7b9419647cccd5f9f14ef7f52f3d |
| SHA256 | c0860ea4ce6e8df1d96da8e554f2914c2f2491f569bd3ea24bd4e65d693dbe35 |
| SHA512 | eb31d292fc53d16d5152d5c47128a405b31e9ea198d2c06a92281fee16df2debd10d757ec08423ad7bb918cc99deb9f767747e9958d14542c05673d641aef97b |
C:\Users\Admin\AppData\Local\Temp\NeccUYwI.bat
| MD5 | c33e1f2a607b96c0c023fe9d6c520f45 |
| SHA1 | 2e492b309042cedbeb6e08e09fa6977caaef4733 |
| SHA256 | 2cb2e4e5c9fc14da5be6a2a4b478ba48182b9a2b331f6843cf78cc0c1133164d |
| SHA512 | 506f6e34def6092304ef054e4399ab80ef91b162bb0fd9012f8ac803a4d52d7d71f20ead2d9dcc102b96d6abd3935ed1adc1fa56615a66db31cda7fc5202cee8 |
C:\Users\Admin\AppData\Local\Temp\fUMkQgYw.bat
| MD5 | 4dbf735ca03a5fc747ff3da1f8ffb8ad |
| SHA1 | 27986b9e301f379a8cdd5bd7d918ee746d0da038 |
| SHA256 | 44cc7825c019de18b96f81289ac90c33e8011c3e8844aa4e5b908c1775c633ad |
| SHA512 | 54f55dd45e2b41aa847c708749f2aded9f1b2fc46050154ab51eee71bf488b0180a53017bf481ea94ed65c7b74e3f76d4ac53ab0626d2e3e31626690c89e5ee2 |