Malware Analysis Report

2024-10-24 18:21

Sample ID 241018-cr3z2atfrp
Target 54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
SHA256 33e2695da4fe975e3945b6aafc539ef6ad61c4916b30b00bb5454fc4a9286d6c
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

33e2695da4fe975e3945b6aafc539ef6ad61c4916b30b00bb5454fc4a9286d6c

Threat Level: Known bad

The file 54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (80) files with added filename extension

Renames multiple (57) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:19

Reported

2024-10-18 02:22

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (80) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\ProgramData\JqIEUsAU\SMYcMAwM.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sGMwogQU.exe = "C:\\Users\\Admin\\JgkkYkMI\\sGMwogQU.exe" C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMYcMAwM.exe = "C:\\ProgramData\\JqIEUsAU\\SMYcMAwM.exe" C:\ProgramData\JqIEUsAU\SMYcMAwM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sGMwogQU.exe = "C:\\Users\\Admin\\JgkkYkMI\\sGMwogQU.exe" C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMYcMAwM.exe = "C:\\ProgramData\\JqIEUsAU\\SMYcMAwM.exe" C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A
N/A N/A C:\Users\Admin\JgkkYkMI\sGMwogQU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Users\Admin\JgkkYkMI\sGMwogQU.exe
PID 1608 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Users\Admin\JgkkYkMI\sGMwogQU.exe
PID 1608 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Users\Admin\JgkkYkMI\sGMwogQU.exe
PID 1608 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\ProgramData\JqIEUsAU\SMYcMAwM.exe
PID 1608 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\ProgramData\JqIEUsAU\SMYcMAwM.exe
PID 1608 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\ProgramData\JqIEUsAU\SMYcMAwM.exe
PID 1608 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 4420 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 4420 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 1608 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1928 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1928 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1912 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 2988 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 2988 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 1912 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1912 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1912 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1912 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1912 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1912 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1912 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1912 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1912 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1912 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4668 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4668 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4668 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4584 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 556 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 556 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 4584 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe"

C:\Users\Admin\JgkkYkMI\sGMwogQU.exe

"C:\Users\Admin\JgkkYkMI\sGMwogQU.exe"

C:\ProgramData\JqIEUsAU\SMYcMAwM.exe

"C:\ProgramData\JqIEUsAU\SMYcMAwM.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMMEcsQI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmEUUQQg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKkIkcUY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ousQoMUI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAcwUocI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAkQgwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOckoAkU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwUYAwkI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUEEccIs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hakgMgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKMYUYAE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOIYggAo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkkkwgIo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkMosoIY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSEksEAU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZywgsMMs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zckEMgwI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSoQQswE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgcwgUsI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcYwQMMY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOoIsYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKQUcogc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyoIgIAA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsIEYkgY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEUQQEoU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUwsoMUM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMIwsMgc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGwEskoo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkooUkUs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VissQsQM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwUAAEck.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeAEEMwc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIwEYMUs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCokkQAw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkIUMEks.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmMowEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuAMgkUw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQYAEYgY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMgkAYYg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msUsUAoM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKccMoow.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyYQoAME.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqUQQAwU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMgwMkgY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncYEEcUM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaAIAEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moUQAcoI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuUIooYk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUYwQoMM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIkYsMww.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiQYIgMc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HukYUowY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIgYMMgA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwksEkAY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAgksgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsYgcUIU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYQIQkIU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nccMEwwM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCcQoQkw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsgwYYAg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiEkkQsk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOMcAogQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KukQcUgY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoAwUgEM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqoUgQok.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEgUIYgA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hookQEYo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POEUsEEE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuMAkssc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qykQscEY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWkckooc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jawMowMU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQAMQAEg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bawowgsk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSAEYQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aucAssYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAUMAEMk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGgoEgkE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hikAwEEE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaEcoAgs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMsgkwoA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqccIYog.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCMkIwwg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgMUcoAM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WisUMoYs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgwksgMI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgkIkQYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcQIcgko.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xskswMAY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\decYAoIU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQkAUowg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUAIksMw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIUEsoAU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POUgAAsU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwkEkQkc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoYEooAw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCksAkUg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYMUMYcU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwYEYUsM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGwQAIkk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMsIIYAw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYUsgUYo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyMAosAM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGUEAIEY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\micYIEUU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSsksQMI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsoMQoYk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PigQQIcI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juMIsosg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NikwIAQY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skEgkoUM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqEkAQwY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwUMcgkQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lycwMooA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOMgoMIM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruEIwkUg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUoAwUAE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGgswgoU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQkUgQkA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgsAYcIY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMUsAEoc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuAscEMk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQgkkUYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOQIUgoE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owwgAwEw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkQgYcYY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYsEEUQA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMoQgccs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkkIsAkU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWAwEAAI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.78:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.169.78:80 google.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/1608-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\JgkkYkMI\sGMwogQU.exe

MD5 cac52262f54d81c8a949a39e8d6adb49
SHA1 72053539a7c16db35470210013b65a83ff04bd1a
SHA256 a8a2c8155974935469b303fcfbfb7186044ce63e1e1b7b3c5b6f30cb8477e798
SHA512 b034f001ed095b1f23119723c6524afccd32d9f8ae600ef5d94b062ab5ab663ff99af68e50fa187cfd0517fdd0d6a03d2b488b7d955c6a66a72ccf9ebbfbcf77

memory/2296-7-0x0000000000400000-0x000000000042E000-memory.dmp

C:\ProgramData\JqIEUsAU\SMYcMAwM.exe

MD5 7af184a9cd18aa67904640c4f9f4aff6
SHA1 98091ca35cb359021a17e8aae91e6578241d15a9
SHA256 14f7c76fa857b0dd6f943442fb0bf6f8ce4b44ff83fee8b476d99d7b344342ec
SHA512 232029b50b447abc4aa7d128b4c9aa9debcd2cd15ba465214c203be1dfc7568dcb0747ad406170bf3acdc26c4cd701adb1a0874dd9fc6a5ce78e26f0011e9e0a

memory/1916-14-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1608-19-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xMMEcsQI.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

MD5 ce1e5810d7c9f27a6b139b7bb5772198
SHA1 ec7dd31f242502ea55223a00c883044cba378ba4
SHA256 0ae29a2e9fb4ca75da5145ac86ab6dd9f12767cadb5bc6a9aa4b1036edc128e7
SHA512 44975121e40b3fa90d1c32ca56e53e2fcd5c768e64e22cc9f9ac73991b1ca79aa9745136b7dea10bac6c88c946af0155ba2abb91b14eb182dd1e69c2a718a63a

memory/1912-32-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4584-43-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3620-54-0x0000000000400000-0x0000000000434000-memory.dmp

memory/944-65-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2892-69-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2892-79-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2492-87-0x0000000000400000-0x0000000000434000-memory.dmp

memory/512-91-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2492-102-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2992-111-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1432-115-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2992-127-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1980-138-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4920-149-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4684-162-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2912-173-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2276-184-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4832-195-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2896-208-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5048-219-0x0000000000400000-0x0000000000434000-memory.dmp

memory/668-230-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1064-241-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\JqIEUsAU\SMYcMAwM.inf

MD5 b5095444daf5a82fd44c75d01971cada
SHA1 9b2d78b91880d310fc2657c91367605c9bc4d3de
SHA256 048cf5e3d26d60282130b4b03fb5e96cfc310c91423dee58d77eebef97241d01
SHA512 476db5d26d277496a2315b048418a804377d11300512ebaa6c230fb23f4bdedb66bee86f4328ed47a336a24de228682d1b080aa650938c1b19de395f8c5ce92b

memory/3748-254-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2180-262-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3928-270-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1444-278-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2484-288-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3304-296-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2604-298-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4972-302-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2604-306-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4284-312-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4972-317-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4284-325-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4056-333-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4192-341-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1040-351-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4284-352-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4284-360-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4528-368-0x0000000000400000-0x0000000000434000-memory.dmp

memory/372-376-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4972-386-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4360-387-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4360-395-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4732-396-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4220-401-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4732-405-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4220-415-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1764-423-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1492-431-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4528-432-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4528-442-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4640-443-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4640-451-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4936-459-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4712-469-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3020-470-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3020-478-0x0000000000400000-0x0000000000434000-memory.dmp

memory/772-486-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1068-494-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4592-504-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4832-512-0x0000000000400000-0x0000000000434000-memory.dmp

memory/316-520-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2748-521-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2748-531-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1564-539-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4220-547-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4816-555-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4472-565-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2228-566-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2228-574-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3236-583-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2212-592-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1432-600-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1492-608-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4580-609-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4580-618-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1312-627-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2912-635-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4728-643-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4220-653-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1424-661-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2476-669-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4640-677-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4376-692-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cAkM.exe

MD5 2cd1e5c936973fcc60ce0be85d04f0f9
SHA1 1aab760f23d22a498d665880cf00523f509350b0
SHA256 405066e3a1766ce93d67fde0ad00c9e11d1a0c0f8dee506a4455f51e5fdfda9d
SHA512 945f25aed012103527e585c8c72c46f5a75f8ddb30cf57bfd4d29b7f142abdf0815cc128869ee68132749e5cac534b1eb4009e1962689e431d02d00d8c463587

memory/4860-710-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ogQW.exe

MD5 5f10c7962b3be3e454672b5cb3ff731f
SHA1 11719235abd009e291ac94757a4ff297ba8da510
SHA256 4a94e9713ffc7ae3638d978d297bc4396ba5cc7d1203bb027b39cbcaff4a2b0d
SHA512 6f350071559288189111cbfc318711a1bd3766f5376ceb44dd938ebd68b5605d59aef5204a2dbaa65567ab93d1002efc20aeb66f02f7c5b917b050b2fb666edb

C:\Users\Admin\AppData\Local\Temp\Mkkq.exe

MD5 a2e86ea0e868c8f46634d733662b5451
SHA1 cd76f940bcf9453f954c015c1b6ef60232b0e630
SHA256 99915af24ac99f9ad8f59ce9b92ddc94213fa4ed915e3be2bd1b5b3dd1e81477
SHA512 915f4cba137b45777cc5c06ae176914a653a633822b608aeab76f6b706ab10d3ed30bcd67c28e3a0e7223e10a44e43ce45033fc266cf562ad4d545825bef59fe

memory/3488-743-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QMkI.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

memory/2784-749-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oUAQ.exe

MD5 660db204b3dca07c321341fa769e1077
SHA1 6e9096854a0eda9082b71e79da517106504f01ed
SHA256 d8d37e11f53e086bd116f4d3512dcd014974799939e4bf8e45882efdcdc306fd
SHA512 ac69a6f09ade180e24ba43bc132dc75dc092f967bca2829cf4b1234cf80df4878c1b9b2886f7de2b1608ca81ef98e1aff54d10539d485030cbd1273469ff2b7d

C:\Users\Admin\AppData\Local\Temp\kwsA.exe

MD5 9aa5ac5483750cc12aa3333880b069dc
SHA1 7bb1981b4d82f7682d67da9130223b81365d4e53
SHA256 aa2d2fd2a732c8f0f5e8944ef1fd52410118666a6fb3729295a65ffce5a87c85
SHA512 18f4a051478c83c058767ac973b74a2bc3ddfdc8b6599cb304a9934fab27f6b3505b6e2d710d58cce9db4f41f46b758beb20d0197736922b1fb27cb0e8c830b3

C:\Users\Admin\AppData\Local\Temp\Igwk.exe

MD5 44aaaf105158f5121be3a01d7046619d
SHA1 6e4728adcabc48c0a1fa16379da9337cf6518b54
SHA256 cdb8a84f77ca519a3ba7528fcf9b9ca4538f7dd4ac59d075b95c5edcfa66d72a
SHA512 18b1ba9de00cd91b76dc092fcb712185f0ba3d53a2889d70c5139d0612264b5f6216f98f5420d4dcfa62b76f9453e43a38fc81ab6875d705af098f8d0ccae9cc

memory/3488-797-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UsoE.exe

MD5 b18f210615de620d21506da01cd93db7
SHA1 22afe42119bc794aa1739a9d27b6738846a891d6
SHA256 6f2e6957541df7259228c3b12ac3dfb529c5c824c932f63df56a9009f03ddf1d
SHA512 7a4b35040b25f4abc8a2569e7be01625a14baa918e07a6791349b2fe569d585b87355f80d36bef160e8342345997635e5265eea2c55c48eab24d62756583134c

C:\Users\Admin\AppData\Local\Temp\iYEk.exe

MD5 bf57d7cda57d85897b39d12e600f9f33
SHA1 2c93ce0802383d8d31f3e2cb657ebf34d8fccc65
SHA256 67a3a00c3532fb79341e2f015e115bce49061521e6254c42d3bc854144a8449e
SHA512 d6f5fb0ecd14d91bc4e24314acf0d8ed5f69d00d0245fd11737e50138cb12bdc6768464554e1d2f61442fe51d76a18903b2a89ea98718e96a35c25d7ed7db608

C:\Users\Admin\AppData\Local\Temp\iAkg.exe

MD5 7434280c95a7efca1aa6a068865c5309
SHA1 39d1c323956320b7e912c85c5acb78f662f02915
SHA256 9f48fff588fa6c147e1eb23228351a561602a30868c397ce4cb6fae94eae7aa5
SHA512 a68d8e813a61a582e0b9146509b08d43177ee52aed73b7286082e8f285b31065056786e48ce9c6e3464b568d3b1ceac5aa50454505669ac342ec65f27e812c0d

C:\Users\Admin\AppData\Local\Temp\oQES.exe

MD5 a3d948783ba12401829a1f6d94796090
SHA1 c6e31ad40b3462c3b6b7c275f58cca90a0f7d550
SHA256 96881c6ace8183887a80a132ce25f3af97beaefd701335476e978012fe8bbaee
SHA512 462a3aed901bf50864c9831bab7293263640d64952c682a13cca688a293824c6427d54db0b1b3f13210b1bd95a79cde6d4a23d47c493751709a5bbef8864cd30

memory/1524-863-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4544-864-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qkQY.exe

MD5 40c2a0e69b5f73cbba4c5875e59490f4
SHA1 76d8822d8364f9679424f3768b38a30b30379520
SHA256 9a677ebf5053c02991716809942f0f68246088710a201061f7101b8ac966d542
SHA512 3f53a3651f570d17af4c9b5e3420eeb684f1196b98105bdd3fe90f55b0343fa8942feb0ac543df8a7dcc932b258c7ff40d467733e917e6639d5a22bc06d65f71

memory/1524-886-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ckYW.exe

MD5 00149a7dd14e0260115d7619d6bb1216
SHA1 79833ba695613e7a796c2f9514974740c0bbe142
SHA256 288b0b4b8f1dae808e378281ff670c4158757727c4127ddb6e6dc4b024a1b80b
SHA512 eaa81cb81198c991c09231ff2e020d121a0c90df11ca444e9339050786666e7eedbf333211cf16a25ab983bc51aa3dfbb35311c0eb449681cbcacab8265798ec

C:\Users\Admin\AppData\Local\Temp\MAMU.exe

MD5 79d7c2c573fdbc34ce1ceada7a31de27
SHA1 eefde3ddb8a24932b52de3b80f44801cc8bd7640
SHA256 9d3f7ae9f1b54b8be9f6e819f3bf743ca418049158dc5fa2a25780db4a584670
SHA512 30a8eca6859532e8262c9427381502385f708e94694ddb0f3854874b4c43ee1675ff69069e4a798512117eeb6558bc8bffba08ba07a1e9c1329ade12c7792895

C:\Users\Admin\AppData\Local\Temp\EQAs.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a16b543a161ef3b8eb3f44a602a07dc6
SHA1 c95a4412a95e60730e6ef80d7d14b340e57c688a
SHA256 e956331d2c3aaebd8e4d9f53c0b6bcda1231764a93845128ba3d82291b260a90
SHA512 c536f9be501cf493804349c184514f6736a8295c5dd3f5165498305a1e520459bdb13ddb030d9806908f61da2495877923b08dbd6d8bf107439bf496573a39f1

C:\Users\Admin\AppData\Local\Temp\YkYk.exe

MD5 793e71d06ab729225180f37d2ee132d9
SHA1 39262e2adffd77556b4b648bd2b06508be0f03fa
SHA256 4ee0ae1975323992022c02ed1bccd70170a0b7c76cf0bb388376c0923bb747fb
SHA512 12a86b5e41d839a144f4836ab2204182f5b7cfa2fcefc01cb3d7e9e6654890fe08bb3c7a500acc0887f17313720ea172b15c2d05bf7a3dd3717ead63f8682471

C:\Users\Admin\AppData\Local\Temp\ogUS.exe

MD5 6a1fd303fa2cf996e138608d12a17e28
SHA1 b8e9fd353a2fdf7f0837ba2297d6a59d1da1ea7c
SHA256 c37bcd95cda06dfe881e7cb96d091554e635f718c5b3c146ae80d22ba7d8590b
SHA512 2d7a9b9366dbf95ae9ba7f10e9f12b40657140f7c1b8ca8c6f2f2315d5931d8ffdb6426d0f231a9d6a3c2df1e315536c12890ebfceea81832415d2fd90974a3b

C:\Users\Admin\AppData\Local\Temp\MQwc.exe

MD5 d92f29d473ebc8d4e8eed3b29e4b1fe2
SHA1 7acd7b3ea966aedb08ad8843606d2ebfb45995ed
SHA256 76ec6e4431eba27f29ca432939978df2cb66568b26af5f0239d21803d65960b4
SHA512 83b37cc0419c061efed122cc0be9c9925cecdb57fec9b9792e30f845efc5b59f2267379d08d0080d15567e2d999b0882eb51959e3eda46f2826a17034d3c4d54

C:\Users\Admin\AppData\Local\Temp\eAoc.exe

MD5 c28923929fb4a5c1e2d0ae6b456b9b9d
SHA1 1745256cb84da8b669d88f8fcbe8a411f8db94cf
SHA256 aac17832d58c35bdfa02918076c8b9a519480f77bb4f123ebc64f310ae0952db
SHA512 80d6e1609331bc2e877c143c16b85d1174650ac15617145774bc9f86f00e34ed71e27dc214fa3a42c96100798549c0c31fcd33f9b93762213fea0cc07d427158

C:\Users\Admin\AppData\Local\Temp\QsQS.exe

MD5 6399af88afd5129af1f15ee6c636d326
SHA1 1df0457769ea3dfccf3d86e3cc161d1a1a070032
SHA256 1386477e79c1d5724c75d394f2df8807b0379d4bb9dd2f8424b6667fad83e2ed
SHA512 84160efa8d98ccb52599b340d1ab84faf7ecf7000b995c83f6d3f1154a1c45d57b40d224fb49f025197418476a49632c8177cfedeba1edb1bf42b70a96c7e283

C:\Users\Admin\AppData\Local\Temp\oYAS.exe

MD5 7a6537ed8e28114e617f7af16b0012c2
SHA1 197c910ab363dd4c15c4bc6cafbd514a84f05fe5
SHA256 6289875e8f6d9bd60661d57417a1feee37b71ae8f6c8e8a7899b423a52aa695c
SHA512 2d7bc0cef9b79b220df3b30398c671cd6ba5f86a256198ef6e78224244d621e09f6ab3b3ab735ef7412b54712ac04c64a87a9e59892d7e7b39b0c2d1ecf3488b

C:\Users\Admin\AppData\Local\Temp\AUsw.exe

MD5 f5d56666b3f52d7e6917e0fa1c4f0b95
SHA1 f8ff439915f42efe7d92e73b51fbb3ee821dbfa6
SHA256 c7cf0f8eafa12bee711d4afde8bbd1f49567fa38270b5bdee135b050c2c53815
SHA512 385e5e07a7d5523367a5d7dc7b9ec52cc32740dcce70162d9d5398c7dd5bcf0c0aaf178edc8a8d13bd6d4f2317af13e177d242dcc4fd007fc64c50fd58d93a47

C:\Users\Admin\AppData\Local\Temp\Qwok.exe

MD5 7ef64f8ffaa52f6ecead558abecfbfa2
SHA1 6e3161b5e5605e6cd2a69c4f27340311730a71fa
SHA256 962658f4a9d76bf82a42cf67592c47c39e270523c82a585fd804a4504de1a9bb
SHA512 85a6f974e29591b8f54750cda1f9c184eb07469c904df93f967dda85a7c5f75344125044fdf12123ea719666c828e2b425380e96dd8b9b457d614c4a802b5c41

C:\Users\Admin\AppData\Local\Temp\WYEW.exe

MD5 e8e2840360891231f25ba44072828876
SHA1 20c941dfc9ca5a4ea981ab1959a79d5295876d88
SHA256 68bbbfaa735e5b8c05036eb415e29e6244f9d6a047f11493178f8e5ff6b342de
SHA512 6af607bebfe579f5b2dbd1a23ddd9425063182db9a6747a2d8eb5e64d21095c2fd7fb99c58a520b88aadc1a8d63917afd222a04a9983a7f93045c3227973bb90

C:\Users\Admin\AppData\Local\Temp\mwAm.exe

MD5 9a9446cebd08f962fa94b0cb5fcee9b8
SHA1 505446d1579d610ca93cca0e28a8ffb0b754582d
SHA256 b9881fe3b54275a395e47326b1a04cb57913d0d746d9affcf7342d79dddc8203
SHA512 cce7289203da0a44104d997d9770f8d359454ed50572c43e23a0ecfc0c05fae203d4b81eb27b61260e2e2cb3cf683496f342c901409caf892efbba11b3dcc0d2

C:\Users\Admin\AppData\Local\Temp\YIYQ.exe

MD5 d80924718c14f274fb7524c6b4652f82
SHA1 f26c659c391894056ea067e419bb82f604dfa917
SHA256 ddfbfb6f8a82601dafe33f05f7fe1ec547f15140b66ee82b7837afff5a84bada
SHA512 e10a9d0258037c089f1ef691594090e3988c348caa305559bbc26c78aeeee2161f59a88e79db05ea8129e16b7e34e1cd6ce9dc49090aff61f78bc7b0d5eb54d0

C:\Users\Admin\AppData\Local\Temp\ywcm.exe

MD5 2756f7b38cf4d01187b63a94b4f0db51
SHA1 08059c9e21162c666c24c812b5406d030ef72517
SHA256 0690ac820cb6246f7bb9c99a4b3575ca6dd8c0aa0f99e6a0ca0474a9ac5f0d45
SHA512 7f69d272b16ce90a277490dd7da837b093447e46ed3ad875bb0caaff10458be5e53b306aa258bfee3302a1178167d4f2657cf4f0fc0aa2d8362fdcb7692b3cd2

C:\Users\Admin\AppData\Local\Temp\icwU.exe

MD5 cfda27f54fbc45392bea65cc4835d820
SHA1 6fe614f3d528104e9c299edf8daccf5e2b9644c3
SHA256 9589adefd674c59805e1c91516d5e5c771123567b13b357f477b34feded9d2cb
SHA512 e50e9a6d0623e7b1e4eac9e124b8a0fda78b05204c5469602ea463cd183f11aebb74f23be53c2ce2af42e74a7866e64fade61474d75a642c0964f39ad317a01c

C:\Users\Admin\AppData\Local\Temp\UQYg.exe

MD5 28abe1b9c0a5843a9ff451435b351283
SHA1 e4143df8202a0738b93b729f97aaa5c6814e14f7
SHA256 b909d17fb2664a768f76b3aee0364d2a773a174f68efddc87000859f800a3960
SHA512 742b4f49674d862b2cc71f863fcc9fb1586247827247559e41b4e833b2b43e01c17c798e6218ff78e96f227308de5d0bafd4ea99fe0f41f156d54ff4e08c3467

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

MD5 61e6477ffe566b20ec7fc3bbb229887e
SHA1 980b6aada9654c2436673a1b118379fdccc72f5b
SHA256 2dd5691d2515397439c7087feb2430e30d62185365a6b829c3bd3c5964c5debc
SHA512 0f021c841f89728a4d46f8eb8e13a2bf7fee79ac8e1164b1df9584e9faa752bd76bac577b3f3e251e901f48405d1c342ec926ca7c378ef7e9efe26aba854048a

C:\Users\Admin\AppData\Local\Temp\qwsm.exe

MD5 19756ab64e798f91fce5ea2787988947
SHA1 4c4d103c849bcdef47d623c4bfac45e66f8e5aab
SHA256 293faed57be850b3cd22419b16116e1dc208dd5f80a95e9f4b1dc6779ccb1829
SHA512 95158666780418d54c1105f85a04d332cab785d331498b2bc3268d3c444b807f31184808bb76a151e68ae1ff9850a0e18c501d836c489590b7c98ab7a547d341

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

MD5 e1c9f4a8a34962e908b5b5c1e96dac1a
SHA1 2b2e01178da0fb595b09f456dee9e75bd8d18cdb
SHA256 70c6983f6d9605c5701e4d8a8808968095b6827dbe1ec56af94f6325eeb7c93a
SHA512 06a0ee17e35609a0346d800d5088d22375a39089288c5706d87713cf28240681958c0346cd60bbf297e6deb2b510208ab8c03738b2e9a5eb9c349a738239a317

C:\Users\Admin\AppData\Local\Temp\sYMC.exe

MD5 30214864dc214b869bf1c99c372ce9d7
SHA1 0b86de83257b621dd7632448ae6b090d930bda30
SHA256 9793d8e0eb2b9efef23c392603f3573ba3ad9f2ef1cff1cc61a1b2152e91b7d7
SHA512 a5b291e9ded74cc8648931606a88a0313216715f73f9e5e28d5b3eebfa0e3717f03bd7739875bf8151ada1e71ad034b526aa4f9e23d476f936a5ee494dbfe4b2

C:\Users\Admin\AppData\Local\Temp\KkAM.exe

MD5 b63b05347010dfb4e71ab2cef137f897
SHA1 ddd168ea69a776f9739b3da0cae7e71231b5e1a4
SHA256 1ecc64ad4a238e1b5bbb1d3417563692bfe8a4a68fe99dbcfae27f734ea21954
SHA512 d2a12126663371e89f55d4765d42df14bba9ff48de07bd44212a2b9e08c7c46b862e79878eed6ebff8ec7dc195cfe444b666f7a1477955e628a3065d98b98f20

C:\Users\Admin\AppData\Local\Temp\GIUE.exe

MD5 e934669c3b0ad83c9f45ddb7b5171927
SHA1 2bc918ead0790f5e13ac535d739c246709dd73fc
SHA256 01167ede3622d94b795317af0e07f92e6a4fb072ca26c44c5ddd2018e5e3c01d
SHA512 7a6279935bb47a25c33485414e4fe09d2777025aaab5519b5c80b848573fe3b31c4c91ab34bf6f326ba7b3e75f302c3fc4493d302e609bd1c8ab88fb4edd08e9

C:\Users\Admin\AppData\Local\Temp\wEgq.exe

MD5 e5a825d6d5cd17ecec066eb9252aa597
SHA1 1e42e8d179da2fa46116c67416b3b7c0ef92c768
SHA256 f16759e0ae74d0365eed1bc71a1fc61141ba74ec99f13a88787b9ac0f5691e5e
SHA512 6d0a7a4289df9fd8d199b8bc1e1ac5e21f1877a5b08fa2dd8624695c8b72d70b9e26e7092f8b1af3bba3694e3b58eb993f6cb981d5c0ea54746c59ec626fe40a

C:\Users\Admin\AppData\Local\Temp\MIwY.exe

MD5 2faf6747c97b75aefeeab722200c237f
SHA1 b38a2cfdb52c560d50a8b4509fb602763bf4ab13
SHA256 bbc3090ce0e8ffe8d3d155c1e3fd3bd3b2a1fe9fb3221e4f7234427348b53807
SHA512 8339f68383da31d82ecb4277dd2464e07a72d1dfa7e65563a8a84585b3029e31d45991c50094a053c0fdcba79db1ca533c164e70d384c363d25b8bc4030c54a2

C:\Users\Admin\AppData\Local\Temp\sssI.exe

MD5 5452c21a45fcedfbb2b38a3e70bff5bb
SHA1 eb2e00a2f507ec1cb754cf14005dcc52f0389ee2
SHA256 18fcd17c2af0abbf932d2844b01750f93baaa4192a7462433f998d2799033539
SHA512 fd12c33556f7d509fb8d8d7436faae6e683c8ae23994feecc290e0bd17a7f120557ba5640725091a4d52b991bdad524a396d10567de98357c76e9071c51ae589

C:\Users\Admin\AppData\Local\Temp\EoQC.exe

MD5 24713d904c55a59ee0cc17c84d0cd0a2
SHA1 fcea2bbf13fef72f5441fe54f63f1e2c9814e718
SHA256 4086bacccf9ae044312fe0d6b5aab1e4bd6ca88d5d86b3089f879ec74f4cc977
SHA512 26d7a53cf39f656db99ed0f24a1dafa9407cea5d63b6b46dd2353b88fd515eb6c809ac0b11232a66fce22d02b4f6075935158be0091a96f4b4cf5ed9d59142ce

C:\Users\Admin\AppData\Local\Temp\UEQy.exe

MD5 037b3f61ac5baa27c2d226e5ac3d8e61
SHA1 061e77fe7540345c6d56a814ebad2d961b270b5f
SHA256 c94844a3ae3e108e1434eb61329dc187986b2696756f78b5f8554f396501abaf
SHA512 da112dbbb1bcc42d8ea0d6f649a43d9edaad08556e6b4d399b8bae8813bd3844ed3991a7da1e501533ad104920298578630b009e19e94070c56df85c6e4606e7

C:\Users\Admin\AppData\Local\Temp\OUUO.exe

MD5 95a68cab5f17690b26b066ba073108c2
SHA1 b451fd7852b4570c124b7ba17b8901b55fa7196e
SHA256 90b67e80a3ced57f55ce749dbfd47a83c700c0e644529dcdcaa2b7dd19893174
SHA512 3052f4d3cda3ea492858cc6673468676523f5c2fda071fb2cecd37f255dc5b5f3040adef1c70368c74ed052ee0428114e30cb01e4e4bee29b02d078dccc3f869

C:\Users\Admin\AppData\Local\Temp\IYMs.exe

MD5 d1e774bf7cf72b129a6fb18361778e0d
SHA1 acae13fadc2078d9b7535e0c7e64b93364d1e177
SHA256 30970eb97cc925a12350763d1b3d5e571b4c765dce9429572acc6f6341f5479a
SHA512 b95aa1465b268c1b2b5fefb23095b45dbea46d26f9763414123ec699878de9bea2b60dbab9924fbd03a4330dc91853e68d945b5b6d1a718ad326cfa2f4c6b08e

C:\Users\Admin\AppData\Local\Temp\AYsy.exe

MD5 94174f4423faf62f304cef08bd8b18d5
SHA1 cb74d240fe178de4c1d4b75f2ebc61292cdf62e8
SHA256 b83d263c534694078d7dc176a7dd3922fe33f1a6ac9b7af32c1957a885b09025
SHA512 4f348c8163f8b3027c85480e9e554c4537d413a34be27ad75cfbbefe5d7fe87b91e05c9e38cb8011e801a48c3dbd7b96f263fa73d36c732570589c383a806989

C:\Users\Admin\AppData\Local\Temp\GQUq.exe

MD5 f32f19ec21b570edc359d650e283bfca
SHA1 9d5d02dd4112181e29d063e50b78550ed368ae5e
SHA256 050c0eeb788577680b717544dbbd4d9d44b523d72f44caa46e28616d0c902c6a
SHA512 57d352abc0261bb45a62402a641a3e8211fcbadb6885f10ed3095a6362c1d1b10d44d71f570b904fccd04755f2b4aeff61d112cd235752494f2edecbce9da38c

C:\Users\Admin\AppData\Local\Temp\Wsoy.exe

MD5 20dcd3ef05700bea65b354b331e9c80d
SHA1 4dc0242a4ddd1e9a5cff4c65f070a36c1502762f
SHA256 4840ed27b75086d677a58b44ab1c6886bb7965c77cbb6f4b48a8a86159bb772d
SHA512 084713c0ac155dc0a6e0f4832d8dd0eb6aa4a1d4df6904dd1e34e230abc3eed2b2464cc58a6da7da0600c421c63659c35f56a82996bcddc837805dcd3080c0e4

C:\Users\Admin\AppData\Local\Temp\yYcG.exe

MD5 1e17eb010b2bae5dfaef91f333958864
SHA1 d4b27104f4eea9f29d27f93e462b9103fff17e75
SHA256 3160cab37fa517315ebe955660fe90069ad5aed26a3e64dfc3544268e010d1a5
SHA512 82efe7e578f7d9668925a34c0d645ff9239c71e26b16d8d46918ce2bea716526aa46380e47651271bade874fe47626caecb1235600bb28dad31553340ae30ce6

C:\Users\Admin\AppData\Local\Temp\igUi.exe

MD5 0693b6a97ccb73159ac26e682a7e2481
SHA1 da38692c6058539e0124b20de1c4a9f82e32dbbe
SHA256 1db838dd241800e7234786534e9c6287fb4baab0eb15069b18bd41a83ecf0e54
SHA512 055c31a7a6c2d0abfe31dca16bd58ced39ad4ece9298af5da28dfe7446dc611414a4092b0cacf5ddbdab275c5695336400c2379b2b839007ed3be4b949cb2d5e

C:\Users\Admin\AppData\Local\Temp\Cckg.exe

MD5 e9f7c8bf6712fd31b7465deb9f478540
SHA1 b51ee16e1308a858195e8a244dccfb7d899c6b80
SHA256 199abf52e77c71a99c372eddb23ba2276e8ec88f74c9efdd7a63e71434b28a84
SHA512 ca8c0d4d555064bb8e35e4b19473bb93e5dd4d8eaafc20fd7acad7015a3f6725125fa5052860510879f2a645c1dfd8120632cf881a3a2bb4b8bb18a89b064218

C:\Users\Admin\AppData\Local\Temp\uMAi.exe

MD5 5057dd7ed545c446abca0bd79426609a
SHA1 816418e7ad6dfa86e20f9a79cf335a95494de017
SHA256 a9f62d677d557d6b9961f6223cefd93f394c20e1bd9db9be7b23402bfd9a7738
SHA512 6f2c045f195ea5b47040c6b09449de329e8bb5647ed09412a889748069dc1858d4e927e1c33fadb4303f14701d752e7dd020eebdf7fbc35fa01fa034eb63d80f

C:\Users\Admin\AppData\Local\Temp\IQYU.exe

MD5 cf5f6ad5f76d268685c6a38c162b90c7
SHA1 ece911513088d82e638ea7e4f0eb779981fd8734
SHA256 1aafdf2871eda4a3f410eb3bc9bbbbc2558e9cb9ac34f719fd1b47482a0c2fa1
SHA512 85ae56a6dee2bb6714f4ef63022a05646cdad247b563c065c2ba88d13093d5a46e0522648ea82fb36675bc4aadb13a17738d0b7d604073b26d4e44a553c347cd

C:\Users\Admin\AppData\Local\Temp\wkwG.exe

MD5 8beb865fe560663fe1942ddcd7efba85
SHA1 14a298b714370ddd5997c223b92a934a8a81d08f
SHA256 6517ca378f6133984c0add65f1a6b9814537cf960340c9de30b050638a698e60
SHA512 a2029b034cb9aab150a2ed52ca57cc1a0e347cc009b351d10ec34be78005b3d4dbcaa963e15aa86d001310dcf899c579fcd7db411abe6cb19ecc09cdbc97c064

C:\Users\Admin\AppData\Local\Temp\MQwo.exe

MD5 8f040dd6c15fd5c228a1effaba58abcb
SHA1 3e6dbc3b9c30a371f7f9d620f1a9c85ba86b5d99
SHA256 28bf3adb64980b24998dfab101241d42eef16caa3ab8977d7990d8e8a0388516
SHA512 1490ebb4a38aaa2a86d4760d64ec5adeb9980b211d8bab8ae91ac09dc5d305e51ae7d9c90d0a7f8cf4c026af5ca36a18f48d5c4f705d69cc483f477e35c833af

C:\Users\Admin\AppData\Local\Temp\UIsW.exe

MD5 f28370bd31bff9c15c9e75fe35d2c2f8
SHA1 dc9526c9cd6d7d3fb0e7f7195ec9669ac17fff4b
SHA256 75fd4c0247cc3a1e6e4787cf964520fb2c4e6322f3be206982a66651ef1b4c3f
SHA512 27ccfb989cc7673fad98668349137dc751ba376dcdf790b19e143a3aab1517f783d0664de47b987361a67a7d171502c0accd28542c46e858208e87b9420edeb7

C:\Users\Admin\AppData\Local\Temp\EYIy.exe

MD5 60db48d367512a2ab1651fc94c90c77e
SHA1 ec1fad50e2c1cca464afcfe8db22e9bdf7145bdb
SHA256 d9b77f25887d0d37bc821aa417569c44d1628c60d4e5e2c1ac93089b31ec9d29
SHA512 46cff969c28cd5fd0dcaab50610ddd58e16c8d3211f75c567d72c94ede42dac0c59a18e750df08ad6a0e38a5ba575dc79a0a65ecdffbb4efe87f9f500c7e95ae

C:\Users\Admin\AppData\Local\Temp\awMm.exe

MD5 6810cc548b91c4c37a5cf74d79192927
SHA1 0bb4e76ea4f464d0f532e093ab4c852f3e66359a
SHA256 f3258dae724d034622377ed6f85a78d94689ee90534157f881308c5bebd8c821
SHA512 8c704a621539ad566dd1c0e8f42948afd05b98d1ca8084c8966a2db252e329d37c0811ace2554e64aefd5ec3d71ea6453958929322c6f9bdde74d64fcd49c0dd

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 9bf478c3d5695d7afd33e994331e6d3a
SHA1 c4d0e562e7be8c0d7eb5b6dbdfc3b5fa1af7b7cb
SHA256 311d318d02439fb2776ebd6c45d120c93212941565f03af74d0751a4fb4cf11a
SHA512 8194c893b8702cf1501a327745a8eb21c37e9e4a7a74a6d0bd7357504e920c8071959badb2f1820192918c19ed93fe1a10871102e4751cfdee79c0c019be4de0

C:\Users\Admin\AppData\Local\Temp\OUgu.exe

MD5 b768a9f73afbf76c99d00d899e3e99ac
SHA1 f3d24652fd717c45fa3a96b6ba95f96b5c9dd7b3
SHA256 f21907d3fa227ebbf42601ad01f55bcd9f0cbac21507a6f3be7a88fa4ca19c76
SHA512 0e6eabfc9f1889190b851ddb4f9c585c70d7ff0a21150c1b726b1c052f9fd5c7b214993a0caf9390f97bbc88d0bba43488c7d43ce1f5b48739de3d440be53062

C:\Users\Admin\AppData\Local\Temp\QMAy.exe

MD5 d0f66850feee9290135a3393418bf77b
SHA1 12af6d73e9e8e43b05ccfbeb3652a1f3ae6c2a45
SHA256 f93faed3908a113d39bbfc2714f48703bbeb051e1dcd516792dc6309d511aa17
SHA512 199a26bd908a9ab562457ea94689bd9ef7efa819257dad1851537007e98eacd3abd22755272c2895675db87021929391047c4d06aec9c8647a7b88f3b95849dd

C:\Users\Admin\AppData\Local\Temp\CQQa.exe

MD5 d0f5e59ef962db479da76c143ed0eb43
SHA1 11722ce29b4dc75fee4d83ae576adb2d7cac3a4c
SHA256 fc0cb015e2dcdfa76e3af34ba4fc85448c8110b11c7625b5e3de3f4b35241f3a
SHA512 3fe83753723febbe46ab1c7cdb459844f6e892b570f746a8334983de49a78da10d8831da878ed459daf4a0901156f7719fbb1d83ee4df5884d330704cd9a09f0

C:\Users\Admin\AppData\Local\Temp\YIcO.exe

MD5 fc4f7cdd4b268973fb85e02a5545254c
SHA1 56d2822a17af3b17a0f05b6b3850b163586acf1a
SHA256 1b34b4d1ab720961ca3355f253c852c5bbf33b30f3542ae437563f6803b502b9
SHA512 c76f1e2c4f8cd95923acad560c9d49ede3f8e2f2a38e6968bacebdbaf4ad84e99d65f012fdf367f5ad2b8a24bbca7e706a138f573329fa64a49a266c57850dfb

C:\Users\Admin\AppData\Local\Temp\UsUK.exe

MD5 61760be73b9e15eaa468f4f60c1046bd
SHA1 e39e6d9be57edf20bd71fa69b0014271bd80fde2
SHA256 ab19ddd54d61afe5cd0000527b2c84a24c4c74d6893b7483b6539d0b4a5e6d61
SHA512 45e74ffcd7141f0b7546bc23410182037b4fe0a55e411457993c69d5a62feb36df0a7d160b07e20ec6e44fa83ef5fc71f24e8aaf1717dc0afd79a2f3b097a996

C:\Users\Admin\AppData\Local\Temp\uMoE.exe

MD5 e018600c9fa5d0c84c48e70eb099b632
SHA1 f204456ed298806d182b1e08ef2a21fb7c9d19b9
SHA256 42bca52154f507a5058b1cfa62d9142d7e1bd5d7863d674e685b0894632dad3c
SHA512 4e3bf0625b39ddc81b81f2de2d98b8ac2b2cba5087b260624fc505bd016e9690c8d4db7c0c284356372ac5700f780242d3313181f6d518251b0efd481f289e5a

C:\Users\Admin\AppData\Local\Temp\WsYG.exe

MD5 7fba4356a868bc33fb045495b7ec3c5b
SHA1 0d1753eefd80d1b766495ac483fdfb46a594be42
SHA256 a5e682a7f063dad3d817b081d3b18fd060454bc7b247a60bb0cc38e2a0250c16
SHA512 91aa3669aac1630a8adcbace250ea9ab28ea02dba22c6807d3a32e80b553b38abc582bd0732f9de3f7e4a7a02b18a1e2f4e2e6e85e2bab9c515d8a7467671305

C:\Users\Admin\AppData\Local\Temp\mEIs.exe

MD5 15d40c485ead9ad740c7a1098e23b529
SHA1 522dc813678690080621afd3d9d4d07973469491
SHA256 6faf0afbc910df0667ba264006899598f7d30fbf7edb267bda4e0985a199c6ec
SHA512 0c89c2a264daf38bc46e7bd946e54f405c90cb7a8f3e18a459a04daecb9af56b10048b3fb7ceccd76ac3ee1f142af1ff2f076026af6a94fcdf44a94f997fe841

C:\Users\Admin\AppData\Local\Temp\eIwa.exe

MD5 953d3694cac78f50f0e626db0d8349c5
SHA1 40268deeb6a41aed2b3a05189d30d3d76f0ef48d
SHA256 f78617efcccd5e5821826f042229dad5797488f8926bcf34c2f496fa9ad76ab6
SHA512 47ea58c72440afb5cf734338e7ca131c016af8cca77eef378d8318bc2987d79634a9abe8d7d3404edbb07b4aaa166ac10ee656f661da70c5d5bdfc9cc8df9634

C:\Users\Admin\AppData\Local\Temp\Iwwk.exe

MD5 75a359de233ec798d0a5085516c9a554
SHA1 af8fbf5a0984acc61add9f391c166b3cf4e3e634
SHA256 3aa5b42cc8e3959f73b3fac24d13d6d3e30aaba92b08ff91411b9f5ea8af9927
SHA512 b85b5dc965a87b89692fa40f4cbc10bc81e99cca21654952c462f1faaa39488ca0ad4529d052201fe57cac7f76f0497c66109953b6a00d733186c64b050cd696

C:\Users\Admin\AppData\Local\Temp\EUYE.exe

MD5 3278f60e633bd25e6472764eed12764e
SHA1 7f1c8a763a3c5b0ac13b882b7c64677514adb159
SHA256 b1b62ef6e27dcbf7d259e61116805f14af2b1688212f2425331f4f4f68e08227
SHA512 56c4b6a150d11d9873d3f573662b15c7b306155a2c001f7f8eb97d5e8cdad02ffb41779c878383a5dc49fc0c532f9631599a5738c39f8721a4f799aeaed365b2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 07f88b8f3111bb9cc2f4cfe934c93712
SHA1 86ef6386ff2d670257516368fd4f9ae7a58cf974
SHA256 20ec934fb102754df69c2e7346225a83f731f9b85e8b9946c3dd50d506c27c3b
SHA512 abcca4dcf962ca385ee1dc0cbbd6d43bb7d635c187c8c177e042dfeb1eedd623ec16e1be3e802a9f8daafa23588f8e5cc3a521b59af7f05f1f8cfbcb7d01530e

C:\Users\Admin\AppData\Local\Temp\mIoU.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\QYsQ.exe

MD5 b664629b039615b819bcc09b65dbe5a6
SHA1 73e3fc39cf8c8d2e90151e5f026f08d2664c4cba
SHA256 88f450a3e237785a6fc34a9aabb296b20e418e7882af286af0ef8422a61db0fe
SHA512 765a72ea0867005ba4877e8a5dfcc97b4c3057868a8d9f5073b0148bda3638cfb90c060f0c33c2d9ff3d1a5a4cb8d713745ddd201860f5706744730b4a925f4a

C:\Users\Admin\AppData\Local\Temp\uEAA.exe

MD5 6347b09e82118be66780783befb9da32
SHA1 e71a28579a5c3eb7f39a0c99589f143b82cb643d
SHA256 ca25d5c86406666b44b66f80e8e857701133f5f01d65112e8416f335fb61c835
SHA512 9e4deaa4750702d6bd7f22fab8aa2e9d106172492683c3efd1f799b10cb4c954016a80c36b3c6632fd9891e6062f868a56ee095b2104ddf51b58d689b6a57d5d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 15568984c2f2b638c53abe12d6e54ed3
SHA1 79f10af45f2bbd46159e453c75db406d7e35b70c
SHA256 123cebeaf6c7b5a54207b76afab8994ce65c335efc4e48e5c197234fec34b4c9
SHA512 e5604b49c5139305bc8ae7950564004f185065b2f30ba1cc1fa8f767fc52e5ac722eac14172cc685c5409b1a8c0a1bc45470324079fb2880252b546d75130a7e

C:\Users\Admin\AppData\Local\Temp\IoIg.exe

MD5 73e8111ec9f88ffc6d168ee07c86141f
SHA1 b92de1cda5a625290d6b0b027ab4d1591a0552ac
SHA256 0007dd444a807c0c543c3258516085edf40a45cd7ba239538feff90b666a64ad
SHA512 0dd93c162f0ca12a341156a33e8f94075ea7d95b8b2edbff375b4e11f9941ab81b389a10926d077a401df2c1281e5dc47fa62980f486cfd4960f4e3045968270

C:\Users\Admin\AppData\Local\Temp\usAS.exe

MD5 674acaab45708cd9c09748a32d3349fc
SHA1 7f142d467bf11b325125ca52c6326723d7cfbc27
SHA256 9f14461f767d40b6ef1870ec9ddedbc8e2ac9f55ff2dbc4ec92a350c0562311d
SHA512 abe0e3ffa8848c2c98f7f52e4b851a72a88372aa84528fb19810b4385c140310da700cf934a1ebeadb0273542342b5ec4fb13581d02a0d6d7858838c404f68ab

C:\Users\Admin\AppData\Local\Temp\gcMA.exe

MD5 8859896dbc09624f5117a305b4b8bed4
SHA1 8ee630af2fe4d9e96a076a71d375d40f926c8865
SHA256 c447bd734cbd8400d1a2fd38e230f1eecfeef1bf25ba612571d0e87bfc469878
SHA512 ca32e79454d730cf5275ac6c91ff33a19057133247823fe74a6ffa21fe97d0703ab1c83e21fdee17fc2018c54dd9bd87f7d350698f2ff01fd706948e1e332e2f

C:\Users\Admin\AppData\Local\Temp\IMwm.exe

MD5 24eb5a3c408dab1f2e55952c9d984873
SHA1 d357a4f67ecffeee7e093bf2ed36d02282a1dd01
SHA256 73052f0c865a30ca7f43d11f4a12d8f2ab7065572e72cc1780dd5d6da71121b2
SHA512 f11fcd93b2bfe8c0421ccbc9e3bfc1c72f24a3da75add81ca68be9f8a54be21ee50e550f30ca6c0e4a15a47e3d6a86ff539191b446b3e025155612272ba38ae8

C:\Users\Admin\AppData\Local\Temp\wAAg.exe

MD5 eb6ade23034bb626d1ff474d7fe46f1f
SHA1 fd2477b88107edbe1aa5e117139256d45f379664
SHA256 3c56357e2e1752941575cd469968371a8f35d86e09a4aa0bbef74c8a92f421ce
SHA512 2c68212eaa81153c241c1cadb85023f06b21fbd696eff04e49fbcf9c6e77793f5054926c45d51b27f41ffa1d5d26a57da5123550fd02de9f842a2f5f5b90f7b1

C:\Users\Admin\AppData\Local\Temp\YwoO.exe

MD5 8861568750e91e2cb90b0cff83b6d16e
SHA1 8c6dde8a811aea9c681bca37e1a08b2a419a0dba
SHA256 e25ad3aa66dfde487b9d1d615f450b0a5a77499b2f0d4918a0d5fc61c262578e
SHA512 aa2eacb41611affcbc8c2eaba58179f3d5fda757b0a4ce10a3dde3224e4dcbe640705aa7234af7b191b864411d79b484fcaa89dd585f2ace825cb3a6f2cd1cce

C:\Users\Admin\AppData\Local\Temp\scMY.exe

MD5 0eca9068a4f3bc36f4f3d5489b08f7e5
SHA1 b9c781068f0db5d0ddf06b2c4c32a0298db04436
SHA256 bd83568d16ceac3370faf5a8b1e975cc2d8cced936da6d46155fa34ee52fc2af
SHA512 67ea1b62f514bc1705d180a392f0179f09e8fbf1dd3e3eca8bb842654f57db3e28afbf6265e4aa59403c8ed459cff23a992ad73407862535b21ace95393e641b

C:\Users\Admin\AppData\Local\Temp\moQm.exe

MD5 7b52aa53f0157913d923c1d1a4353fe9
SHA1 7e23a8236df8653ef0772bccbc764c46643bb11f
SHA256 62760108cab03358f91d0e49305e9bcc3649f063a200906f4ee8000e3bacc5e6
SHA512 82e5a5c8539985631893997f7341c77c4a3a46415aa7e5fcd6667906a806fd33c06cccd341854aae043bf97f5356f66218ed5b03105584d19c3b36355d274834

C:\Users\Admin\AppData\Local\Temp\ssAm.exe

MD5 7ef60ab81e7d4a1ff8fbf4644f71eea4
SHA1 c0a376b6430059e5eaa419b8a99aa69f6321b6da
SHA256 dad80b563fb1b6ab947beab6ab421f8471925eaa4ecf9ea5a3bd3d548a0158cf
SHA512 361d1abea993b2311e29800f0c11b92e61c537f1f318e8ab5e6c8ba1c1f9c158feeb3fcaba4a75ac356c08a69216fd07209bbf115af0d72f80e302641a2d2026

C:\Users\Admin\AppData\Local\Temp\mogE.exe

MD5 648fd230259a632f32e45dd936fd1bb7
SHA1 abfda2444fc67771825802dbcb79ed05bc6215b1
SHA256 4eb72465cad67993cab24b3c4650ae540b410486bb8bfb6d0985d9e9311d5f2d
SHA512 46b95a3f662b1e59d308b630c40c6b864585ac95656ce4aae1d09e2444b32448d7bc3f630e3f29a2f93d1e7eeae2defaa71b993aea11fa0ddf30ec2c2f0571aa

C:\Users\Admin\AppData\Local\Temp\ckwi.exe

MD5 54fa4a6a0a3ff63f132cd4fa35205ea9
SHA1 a437ad92690ca249b97089fb5f172a9cdf995b7f
SHA256 018b8a25c2be89c08145589e25d60baf0725c5ab15f8afa8acbc813982df0f61
SHA512 ceaebaefc60e5a292b856735a2c8abcc27a122d17548ef56f2b6118d7bed5191e998f9c3c823b76b6f70d5f128cf73e42f763356aafadf97ea5c3a8c33cedf32

C:\Users\Admin\AppData\Local\Temp\kEAm.exe

MD5 d538bff41ee29f6c1b5fbdf4e4a7011f
SHA1 cfb80b6e923264f7f7cb6dbfb9f22a65bb7588f5
SHA256 1a5a84dc5f5b844e36ca1f011ee76ba352faefab47b276d4b86b3ef47628af1a
SHA512 639d97e661eab01b4e7f919749de1606c74bb4e02d7275bfcdcd62b1a80b1b8ed0be409edc37a76948147e1d80c7e555d9c7952b4ce15e950626a1396b0eb0df

C:\Users\Admin\AppData\Roaming\UnlockOut.mp3.exe

MD5 9262a6daab8b21e6170f389a869030d4
SHA1 9a95ca9ed9ab88a75172738a55e8c197995df7a1
SHA256 22c5e07d7dc5417009b938662af575e8e7138f12ff108250a963fdab15e07bbb
SHA512 aba4de168e12ce27dfdb3abfe418cb69fcb7e9f8508ffbd2e161c220ef036e3d97b3d5a32748f9dc97a5bab2e56f1a55616c38391da0d06178c65297e316fae3

C:\Users\Admin\AppData\Local\Temp\KAwK.exe

MD5 fc07e5f582c012a14c3fd75459402048
SHA1 03473392a5ee0cd9b3491bd24f1aa68afe9342b5
SHA256 422c0548e236eab297150dce5352aafed605173d2518e9b4c3bdea0d571e9022
SHA512 f34907a7a090f17a1113c0468db2e4e87b0cc2de180c52f9f25ff7fab8a032d254e66d84e209d05e09a49ac561e7a1d11d7ab6bff83674564c663d2f6b6ed8f3

C:\Users\Admin\AppData\Local\Temp\cAge.exe

MD5 49b4681546224071160001df0db494bd
SHA1 7241e7e11ca72750ba18f00f34fd0d320cd249ab
SHA256 69df30e3a3d5526fdfecb9fc18213d230be02ec40633dfd8888662ba3db9ec95
SHA512 4cfb146d7b84e999a6fa0cbd6133885fb57eba2995ce049f56c87835f77a48b0626a1376961cbf65cbb8646f285f78cf02998c55841fd7b2a564c7f279dd8652

C:\Users\Admin\AppData\Local\Temp\osoC.exe

MD5 600328de195a6e2738e6703bc468dc4f
SHA1 88e4d5e6715d72b018b690dfe8c61a53675e6b99
SHA256 97c73a0e5b30c144d2e35792bde2c7099c94ca73cf8f2e9a9de42d1c45bfeadc
SHA512 548f89e872ed221e61d8920539b7d3e15aafb31239780f136c7c5f2d3fa65a799d016108fd4a7ace4321610a5610646c8bab60c29eb4ac4cdb03e6b6d7b6b340

C:\Users\Admin\AppData\Local\Temp\iIsK.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\SUwo.exe

MD5 015b9e87c092bd56957ddcd693cbeeaf
SHA1 9a71d09fc696eb8924a061bcde22b8a0caaac99b
SHA256 112c638c176e1ff43a2cc0d72d41beb362f77d2303705f790babb908f2802cd0
SHA512 fbf48ff0d9636ad495a0b31332a1d9f324292c71f96858441b0eaaeecd4c9e40e4c60304422848189c844bee79a03e677be49df22d26692c69eb374e31e1b119

C:\Users\Admin\AppData\Local\Temp\AAMK.exe

MD5 bcd807f6a6d55958db71bb6ec9276842
SHA1 a485ddd25fe353c40520be7f216c7072bffb5bc8
SHA256 ce1a21548e76ce6e2a3d39797c66fcba8eaf8e0f884eec6a6ca0d3c4de8e17db
SHA512 ff1efd02a68f38c250c2b03a87194da448699dcee8dd361dbad9f41f8f719e2d522f416654fc85ff65dd6845806f9ee484d52b27a66e1fc8f09ae05ae2c16ebd

C:\Users\Admin\AppData\Local\Temp\kIsQ.exe

MD5 084c9ace0095968c53c08d6385e36f68
SHA1 58a0c84058c9e94c719cc41b53c5185ee205328d
SHA256 e32b2dc641c9a73a5d51c8598cdf67c4ee535e16fd8e71aaa635c7026ec21b05
SHA512 6f507c25e0679a3125ad98dc12ac48b3d8b29fdd84d016400cab5b4fb247c73e730e4e82a4dcbe5a80e4ae48dc769673418c9ce0e18fb1f817893a9c6013fcf4

C:\Users\Admin\AppData\Local\Temp\sAYS.exe

MD5 151b0b390cce65a5fc0b59a524b9eb80
SHA1 a3cce338864b4920b726e7cbb7fc0bc7cfee96e4
SHA256 af365fbe280d80c546a8350e9f6030b791ef7095e2063e7a8ca496d522ace354
SHA512 a1f8a25a8fe210cda72b2870bf24ecf94848654559add7401e919b168d48e6a4c8cea69d23c79127df8d917562fbaa16c466a60ec484a2b948a59b18cd2a9f53

C:\Users\Admin\AppData\Local\Temp\KYEk.exe

MD5 b035ad68ee03c9ccdd3b521693e2beae
SHA1 1aeceeb5f6ec1563d5efb4356e651bd33a7906c6
SHA256 b6aaf776633d12622ff2c6ff7b83e38080b4da0d57188a1519a373be158dbfb8
SHA512 8612a5bb26ef69d5f083eaf11c98b82aa6d74cc76c15e4896be20c1bf0224cf55d4cfa954370073f283d7bc8938c394ed0c93d4ca6ef90a90125114a7b277d67

C:\Users\Admin\AppData\Local\Temp\MckI.exe

MD5 156ca5745e6a107ef00251a2ccc25bac
SHA1 760aabfd403c099f03336131bcd8089025c38d57
SHA256 dbd780fe2d4d2e1a4040492f078f997ddd47bd4c07bdf6205d32e449dc29257a
SHA512 1e0d2b05e3799c13b467a0742109e314de157564941993076e2c7533b276dab426b5ed8938f52d714c109b3ce0d5b752060c63a398d78d5c04421cd3feca5f34

C:\Users\Admin\AppData\Local\Temp\WwYU.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\IEoQ.exe

MD5 a3d5bf74424dc3fa2eca67049fbd241d
SHA1 4069db543093a68532da8f271ff16c4b44c7a9e5
SHA256 c7d1947a2f2656459fe6cf62c7ddc959c73352ffc6740e6072fae19452ec172d
SHA512 ef9169acd33a0777a6c3b2be009900241775c60a159d41fe0d1f9c4973c113b35ff06997cf348a1b9eee8bceb41d504844afbf801c88bbac4c67099cf4b0b306

C:\Users\Admin\AppData\Local\Temp\uQAc.exe

MD5 0847a6025ae21f88e3896de299a39b83
SHA1 1eea44c3847d204c42d0f85727dd2aa4df4e2aa0
SHA256 378d31c14357ce6b691ec3bbcc245416f9920c3a4344063debeaa91dea26458a
SHA512 958ea550cece550b0db48a62bfaae3157f076a3786134333b9b9ab60552f0003896ffa5dd7670c0c7a108baf39aafa115e9db88e6408bb9d27c143dcf6cdb606

C:\Users\Admin\AppData\Local\Temp\UQcG.exe

MD5 6fa96bb56dac221aa3caa7cfd9c0d027
SHA1 163806931bb5dd5dd5c7242e93e57158ee8760e7
SHA256 70e9b2295698200c59c5d1e29c1a0fa0d20d2556673a77d3013ab6d6f5c7b57e
SHA512 a49e2bfc2d7265707d5298dd4ac19cf53f5816725655aa1e9875ed9489e9d24002a17babb8ec790807fcaf39b5f39b89429f5a8778c656b02ad1c9301ac426c3

C:\Users\Admin\AppData\Local\Temp\kAUQ.exe

MD5 574560a0b70f0635787affcd51858a0e
SHA1 1ecafe89dc72c2520278d3d19ddd37f77fd64c4a
SHA256 130e3875c634ee7254d2e95e5bb84bd50d5234922035489f99f92ae26f70f2b5
SHA512 83bed2e185eee1b4f664e91472c00b6a302f73a5454cad4921788f943f1bd30efc698f78ad2c1cf3e040dc460a8e26e19e8d615b66a2d8d41284ecaad5552cd7

C:\Users\Admin\AppData\Local\Temp\qEcI.exe

MD5 9a69e8a62da8cb66b8f37083519c94f3
SHA1 f98dc12b963ff187f0a700a9a4a6cba4d1f28ced
SHA256 a642edbbee7d18cfc66a9654d7f3438e67148cafded88f665adfd37aa87ccb4e
SHA512 4c5c1cb7d12a6615cf7acdbe112595fcf05bcd5911a86a94760cf59499ca6f4178dea65d66f4bb8b38a39bd885a617d623facbe03889b80cd0582637f88da65f

C:\Users\Admin\AppData\Local\Temp\GIcO.exe

MD5 cbe4def3a8c886dd341c2c414ae56bd3
SHA1 098486221c5e589741330927d3afdf0d460d905d
SHA256 1be2238ff6f005966e357e1a6186bd4e1586b84d01c04757c81d5ed8c6c1e712
SHA512 21f5c5128e1885d0014c5d3a130db98d44f1246d80e6da2fb63098b97ae6c963576271e3172914157f4a42c2dac54b56c60a99ab3f58e84fc2ae8a73c3658b69

C:\Users\Admin\AppData\Local\Temp\ssMw.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 6400a240d50fcc6adecfd43fb2a13e9c
SHA1 65d0d4ed73fb7877cdfa84656d40bd6f9d7de020
SHA256 0c237562a5b8a08711b417ab2ad56d182560fd771b32bdd4677dbeb5ce69e01d
SHA512 e90a52fe35a5419089f2a162f5f4ff91f92c953ebb35e579a5a50a6057078198c90e8c589da8dfc534f81a6cd1b326ab00053fd5fb94ba34b10e2822726c84cc

C:\Users\Admin\AppData\Local\Temp\ysIo.exe

MD5 d22e054c9220e0fdf88a3e1a98b0319c
SHA1 89ccecb5fc39da9de8381eaeaacaca5af2576c67
SHA256 85cd078fbfb8f69c5b76b698e1816d65dd5497df0948a53f7a37bb905a1a98f5
SHA512 a8b52c212a7c492ffdcc3976fb264ce3cd56629d564e1d414484e59d9d35372c57265e1b563becbe170525a8ff60c9711fe4bb33da28e466c13735441067dc8a

C:\Users\Admin\AppData\Local\Temp\SIwi.exe

MD5 46b1ccd9733866f3ab7e900ca6ce3585
SHA1 01e47ef9ab8535ec2a7582f3824356a8bb03915d
SHA256 fa74102d471f41a352c863e63d2dd9c05d826e9874c588de59361ae48a608b47
SHA512 bf697774fb6db7c9f03227d0c840216ff5887c01922779a00b3002bf4405dee4139d126b4f2d740ed830de68dd117b6b8e7bec4e4953648ea6a5fda7f7a707b2

C:\Users\Admin\AppData\Local\Temp\aEoi.exe

MD5 5ecc4fd09d2d8a4718436b931cbff232
SHA1 6fe8a30799832022fc2e11c6af5c922e7c4b6986
SHA256 a3a369661bf7d8ce44b8dc1a68ba7e19ac4d8881b8ee8d841f957232113da785
SHA512 5929e6f6b6d99a6129b6ed760aa76da12dc4cacc906b1f02f029b81e8075ecc660f7ad761bed4ad5e456c34fb755dcb42d3b04a4f55094afe9d76dcd583266e0

C:\Users\Admin\AppData\Local\Temp\Agoc.exe

MD5 d2551b254baa37f6807a238fcdf86166
SHA1 11160494a3a26d0632da8da126505cd6e12a558f
SHA256 83995e444ee2dbcf477cc8343f711593ddcb23a9b51af37d9c3eda321b159dc3
SHA512 c4adc510da009f11e72ca5f7f210c5777b133d29a12474685e2707285da83a91999833497b7b4edebc24c34d698e8a19f16b063a701d67799c51ae2c8e1d066c

C:\Users\Admin\AppData\Local\Temp\ssAI.exe

MD5 5749b13fdf1e2f8cb4355a68f3fae503
SHA1 53b573b6295fd20a073c758b9ba644ffa7c69f4a
SHA256 4eefb13bebb48293491329ce751df3427a127482d5503e6b68c69bfed0389f1d
SHA512 b8529a2ea165955ed60eb42c5a3264c177e627a3a2d983d0e4c2421d06d0037d8cdc8a40f641fa69b32ee48742ae6d3df54013dc4908f7ff5fed93f83dcbd3ca

C:\Users\Admin\AppData\Local\Temp\ekIM.exe

MD5 95b4a096ac60816f27302094b6e0558f
SHA1 f17e8f329d4640a4a42f505490942e2c8cebe4a8
SHA256 3016ec15a3a5dcff60882636bcbff542df1f5d396b61c6638df1e5b38feafb0b
SHA512 c898ad55a5cfd1e68ba94078cd6d8aef7b925b28f0443c701112ad2cd2251616fbf652eff0bc2a686e73f765d55d7c2250193bf6c4ae933bf1ce88c1d5318070

C:\Users\Admin\AppData\Local\Temp\ggkW.exe

MD5 f5db13c955da643938c71f04dde987ae
SHA1 ed9ebed2cf6c181cfb7a15c51786cfa22a5f0b5e
SHA256 9d9d17d9f69cad1a12e99d8b44481acff75779f4a25875305a328832e6ba459f
SHA512 5f07d5ce6500cd7ceead9380907f79d24acc20e7b834f2aacbf94d29fb62bb0b7bc8a2952613bdcac924a19d60aeec649370a538811714c3f0f2dba9b9de0b03

C:\Users\Admin\AppData\Local\Temp\cwwM.exe

MD5 3ad13435a9748d890d968c01ec58f734
SHA1 23ec8dd8b1786026c75ebfb73a895138c0d15a2e
SHA256 705723825b0d2a33ba622beb40dd5ffe972e368a5957d65d781b8e0f2fb88b51
SHA512 4b28e2abd4d2363843e6af80a5110a49f63d92ba38745e40f2bd6d98a0e21d5a9dd2f046c7e8d93ccfaf215daee46d35492636fb2df05398964c1dbe9deaba29

C:\Users\Admin\AppData\Local\Temp\WEgK.exe

MD5 d729f4aab18e356b05fbf1e56da11dc1
SHA1 92cd6e8f604b0b97bf62c97ce28f932bc5118c6a
SHA256 4d05e9c90e25d6f8d01ceeab62ec75db7259ec1f96385ce9c79180d535bb69e4
SHA512 66f9cffa143fa64e4b79f36bb4efa7749c7eba663dbe3f593e021cd939d33e57e8defc023ddfe81b8365b668b42fb6076f22ec56199cdece78d7bd1278dacf0f

C:\Users\Admin\AppData\Local\Temp\AIYw.exe

MD5 579b64d201b6cf0266409cfdd3eadff9
SHA1 a83fa7cd3af394314ad8a253f867613b0c99fdc9
SHA256 d4212737b51e4eea9fca95157395b53db16383b54d6c2994c71155b3e7e81bb5
SHA512 9ff6a00d7f6b4449c5efb2d2dd130aff11a89aa18a26dea315d9a6d9df11a237a62eb07c3448121b557bcf97e2cf3f4e517b419cec3e85d0bf46a312eb842d29

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:19

Reported

2024-10-18 02:22

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (57) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\ProgramData\XMEQoIQs\PWgkEYYY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUIEcMEI.exe = "C:\\Users\\Admin\\lAwUUQco\\SUIEcMEI.exe" C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PWgkEYYY.exe = "C:\\ProgramData\\XMEQoIQs\\PWgkEYYY.exe" C:\ProgramData\XMEQoIQs\PWgkEYYY.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUIEcMEI.exe = "C:\\Users\\Admin\\lAwUUQco\\SUIEcMEI.exe" C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PWgkEYYY.exe = "C:\\ProgramData\\XMEQoIQs\\PWgkEYYY.exe" C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A
N/A N/A C:\Users\Admin\lAwUUQco\SUIEcMEI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Users\Admin\lAwUUQco\SUIEcMEI.exe
PID 2268 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Users\Admin\lAwUUQco\SUIEcMEI.exe
PID 2268 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Users\Admin\lAwUUQco\SUIEcMEI.exe
PID 2268 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Users\Admin\lAwUUQco\SUIEcMEI.exe
PID 2268 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\ProgramData\XMEQoIQs\PWgkEYYY.exe
PID 2268 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\ProgramData\XMEQoIQs\PWgkEYYY.exe
PID 2268 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\ProgramData\XMEQoIQs\PWgkEYYY.exe
PID 2268 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\ProgramData\XMEQoIQs\PWgkEYYY.exe
PID 2268 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 2780 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 2780 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 2780 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 2552 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2552 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2552 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2552 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2628 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 624 wrote to memory of 112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 624 wrote to memory of 112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 624 wrote to memory of 112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
PID 2628 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1904 wrote to memory of 776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1904 wrote to memory of 776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1904 wrote to memory of 776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe"

C:\Users\Admin\lAwUUQco\SUIEcMEI.exe

"C:\Users\Admin\lAwUUQco\SUIEcMEI.exe"

C:\ProgramData\XMEQoIQs\PWgkEYYY.exe

"C:\ProgramData\XMEQoIQs\PWgkEYYY.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUooMEow.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zacEYQgI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\REYgMUcg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yuYskMUM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMQUAwYc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SeooMsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAEwMQIw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\roEksUYM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DyAwEQos.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hUcEYggQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCEYcwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgwQQsks.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eyYAMEwk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CgQAMEcM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKYoEQwI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWssksss.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGwQsgkk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOUUcwkk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQgwEAAs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkQwQEsw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmsQUUUY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YysMQEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKoMsccU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NccQIUEM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BegoQEgg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYAEAEwo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEAoMUUc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogYwkwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUYwUIsI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcEkwsYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qoEEAMMc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMIUoMoI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PMssMwYg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pcsYMQcA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LOMIAccw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ukkQgAgE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qYkgkEYo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGgQIsYc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RagQQEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOgYMkUc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIYIwsUo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMsEQwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aWUcYoIw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GyUIQkgk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eYcAoIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCkksgsU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tucQYIkI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUEEMQcM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGYkosgI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HykkIUgs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qokoYMQs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SWgEIEcM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIoYMwQc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugoAkwMc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oasAoIQY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dqcUYMMo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUogAkoI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmAskEMc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NacIQEsU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\goggwIgc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQYggMUw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UAAQQYwk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIYAMMQk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\picgMoYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZuQYksgg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jswAoEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkUkwkAM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAgAwEsk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWUQgcII.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uyAksAIM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQsAswww.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOgoIIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOIgcUoA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgwAIkMg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCcooQAM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEMIUYUg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWMIgEQA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\esMgEYok.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1677545583-39431059913666410093881852611338265761-120894969-411569329-266175147"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYEsYckM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMMUIMoU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgMwwgEk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcMwkcQA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "539268477-1018821869257060643-11404127609744433689241618824028158-1004534101"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-88117089115169815151838299556-1381649573-331633002165424187518185664-1305195448"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MikIgYUY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YWwEIUcA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCsoAsEc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmMEgcow.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qyAQgcsM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1792361974175058483-12734282281285550021-1366032656798812452397028623-1531478630"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcYcYQgY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1824822644-1264221072-1937761202102076296-1062681616738357270-1013408681-1920732082"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vggEoEMw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "832225201784430045160726534085174910722835822113812898341099453569-240678005"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pMkkcIQs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1578511283-8974153271050758058-16807594101076694888-293902856-1742997889711709500"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bEwQIooY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "740067346-1223159225-583215081-2089225749-385428879198533150216703072032012754233"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\swMsMUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1363305976-1961416353-8889578233492283521063787599-8077212427265138161904313132"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmowEMsg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cyUEEYAc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13337347661161360190132423954-19357387901126836626-1347226913-16822236491683540735"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AwEQUosQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSUYMgAw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-73317171585264244115725512071349169750-155810671-8551283361487424543-1762953389"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HusUYooU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcUkskEc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lQcUkYEc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1549446050-210430595516515589241120070950-821461723-561110775-1595336840-2113388737"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyQEUIQs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUMMskQM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13495347111408746521663281444940224314-2092885581-1862877196-10183351311275505342"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEMMUcMI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-212035634150144182-21079156962020111489-242676542738034006-375455821-1372986685"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIQkgkcI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-756440808-16286085931341655104212154826099594499515587388211794108799-511278136"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEMoEAYg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PckkwIYY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "617843466-680810783-771151796-643265869-434742245136899536-1930443456-425144524"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bygUokEE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-816352316281161273991518004-214035904515701513896165288691899120556-254456204"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyQMwQUw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-420079888-24498995-1701588254-5084712719387965591068456414695972544-1364310630"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2045221637-13313801431007853055-1884118114-547884824-1282968429-2061687931-2068873037"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIUcEsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1265730766753490975-7074607001758415529462308999-13432969477207762571384041529"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-175027348-49062505270617197018942073501297604235-893291399-630502664-2043259178"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "570017070-257665909-979449568-18745566271624638134-1320707589-97932243-1186168273"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6826220361664306252752239879-7250595491163964789-1570161590-780622878-1831727365"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCkwoIcA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1906629779134644081-1753552265328448881866136254-7051618111168101886-1096213392"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13428105231305228798-1876648713-1535716884475894536901221310-1905820599572143978"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYgcQkgo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\saEccwsU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18426947721488739980-5399243962104676353886565589-1403315719-12595626681268590692"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eyAQksII.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMsMMgII.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2064216128-1537369248-241191266228298870-1673765770-2197194183492044-524362155"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aaYcoUMo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1753875528-750784533-1350489974-206575559317360488791480960409-2427782431648803744"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "432256573239380319-19974177971818101579-1866196673-1687527682-1087421121380307636"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rAkoEcEo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgYwooUQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCwYccgM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-342234625-1427199720-1477452573-1326548106902471700-1563876143-1868315279938925650"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIQgUsYg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "343881098-1686351206-446400118-406341454797520996-1020431738-16942737191139551018"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "62205744014573099481832510605-145943106-18502423371915019570-625475019591199538"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgwYIkYY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1306213654-1264947742-1724966634-160299747335831134873171061-321601989360690657"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-220676101934552626-820800511250282130287650203-465119943725561487-1298881798"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7328872481505973734-946565507-1332471841212655440857987909614417341251217181584"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgkAAcMw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "472655266131407337348108523612629621601916535818-15074871381629311985762540321"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2521796692324689111302556081372574404804732230-1837398547-6977200661355238088"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIEIQAQk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "148795876962087168910577953651814478701105299276-121677149721331634582111021672"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccYoQIMw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgUIkgoI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XKkEAIww.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1373829294771071034-404434995348506119-452887287188611810416078146192106930557"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4500041811018875239-964730954204135442-22282843-1292113449-1790282222-1470328602"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "128447734614539025421865806304-7213087751931631921431156024-1645368913-1177032371"

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "192804253313985308411351055598-1809545611038570009-603416753-1547114812-1782406325"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKMwgoQI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.78:80 google.com tcp
GB 172.217.169.78:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2268-0-0x0000000000400000-0x0000000000434000-memory.dmp

\Users\Admin\lAwUUQco\SUIEcMEI.exe

MD5 6df84fdab369c1101c4c3e1ad42737a2
SHA1 2afd564743a68815c05ecc4a73dd373526998ea2
SHA256 d07051a0446ae5712bace16596390524fd51fb01db12c22cd98b97d454168230
SHA512 a0e57ec16f0091fafc21d570bff1109b3ca3738b96c912813fa8e546316a6283effd6e252847c800c8265bf2a8dc5275dd90608547dad98409702abcf05f21ef

memory/2120-14-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2268-13-0x0000000001C90000-0x0000000001CC1000-memory.dmp

memory/2268-12-0x0000000001C90000-0x0000000001CC1000-memory.dmp

\ProgramData\XMEQoIQs\PWgkEYYY.exe

MD5 d0663b98b960f7803c15e600f3707e56
SHA1 02303487fe847b6f6b3e32041beac672a8fd94a6
SHA256 9ca43eaeab081791f9e39375ae0ee46bc147585939590a7799e9d1311a6baff5
SHA512 6c7cf4dae1b4485b92e6a0f310c9e38d3dc7783cb0077164e8537ad41474c497565a017f54edba028276a4de5eef0bae49b3110ca75fa410edf27096e3317a33

C:\Users\Admin\AppData\Local\Temp\lugUcYgQ.bat

MD5 d2912863b3c619e455c88c0667d5383c
SHA1 2c21e30809862aab64f29caa71f167215aa2e081
SHA256 0e0b21f74d18cc7309fd2a5bd6625517c36ed5e0c03f6eb885d522de24e69d38
SHA512 d9ab82f89c9bcaabcf2e15974ba53ce63ecc94e870969c72cc0ad74633fe5373d2e8343fba97f5f86633ab9cb38e19d850fc24894c985b963d1531743d91f187

memory/2708-31-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2268-30-0x0000000001C90000-0x0000000001CBF000-memory.dmp

memory/2268-40-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2780-42-0x00000000001F0000-0x0000000000224000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DUooMEow.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2628-44-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2780-43-0x00000000001F0000-0x0000000000224000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

MD5 ce1e5810d7c9f27a6b139b7bb5772198
SHA1 ec7dd31f242502ea55223a00c883044cba378ba4
SHA256 0ae29a2e9fb4ca75da5145ac86ab6dd9f12767cadb5bc6a9aa4b1036edc128e7
SHA512 44975121e40b3fa90d1c32ca56e53e2fcd5c768e64e22cc9f9ac73991b1ca79aa9745136b7dea10bac6c88c946af0155ba2abb91b14eb182dd1e69c2a718a63a

C:\Users\Admin\AppData\Local\Temp\lIIkEkwk.bat

MD5 10cb755518a891bea8aae398e6ce22e9
SHA1 ee3e04b9fefabbda0cca8d09503939189dea6f0a
SHA256 960860e18d21c699070c355030f9b886a50f8bc85606600cd9e11d2d6eb80c28
SHA512 c6cf302d530cdd070f659a62c2ab3ec1b23118d2bda106c17a2fcf780217c2569e79a11275f8278a4ba422c1ee75b6283436ecbfbf7b93c334e7010c049e3851

memory/2628-66-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pCIEMEUU.bat

MD5 dc76b145f4b4f43fef7f9ba433e57acf
SHA1 76857436fcbd9e727b58ec9f0fdc87193e530558
SHA256 e0b62b7504b4143634cb95b0f36dd928c8a873069e1e12efed68fa91344e58f2
SHA512 622193c5eb401ed56c012ce90c391b894e078b756b9e33eadad0036779a6d470ad764b24d7adaf956785ea5fbd060950a858c474ce5e1fd7c70478e50993c4e7

memory/536-79-0x0000000000160000-0x0000000000194000-memory.dmp

memory/112-88-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wYUkgsgY.bat

MD5 29f958bbfc139a3f9223d8c8e20f3aac
SHA1 9efcddc4a846e835bca5bcf449847460aa40038e
SHA256 746ec78a82ed5367946917dfe4812b65d2970d2c00955cc3d65a271e855ecbf9
SHA512 ee0787612ad0f789c67c08380ceaa09e1bc0de7efbb77ea23f304362e48f14d878d0fb8412f0259f86693420c47299f092508f4fa9817c7241769b7959c92b01

memory/1440-101-0x0000000000270000-0x00000000002A4000-memory.dmp

memory/604-110-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GkYYgsEc.bat

MD5 06f09536e4cb8fc7cb85e0698988d439
SHA1 66118a31f6c1ed745b174591f8bd5a570ac828d5
SHA256 6ac29c9a6cd5f84272bda207cd5c7836cfae442d3ab185c19c17484518b05905
SHA512 9739a7425275d73baaafa0a5b9d1e7ce934dc2ea68e1a2eaa4853c2df3cde52483d39383ac6f2084f5b8d92ca8d63333042a422f77c4f72e1cdf266dc27eec92

memory/2064-123-0x0000000000200000-0x0000000000234000-memory.dmp

memory/2132-134-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kwoksAoY.bat

MD5 6410ddcd7caf67318a4d032e1184c2a0
SHA1 0057adf03401795a25f88231b6afeccf20421c76
SHA256 1f60f69f90127eb474c67f40dbbd9590212351be034fabe16e61236dcd9a861d
SHA512 805bbf461a10d5f092b7fda27194776c201e93f17c76a676f17417abdd729f10220625e84215d7697f1bebe4cc543ff373982742b308e62e0ad3db0b6e7fdb50

memory/2676-148-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2024-147-0x00000000001A0000-0x00000000001D4000-memory.dmp

memory/1672-157-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UcgEcoEE.bat

MD5 33c9b6a787e5d8ade6713e58a34b9e25
SHA1 02c212a20db91f41c5fd05ffed54ec7d8ede56b8
SHA256 18e4e2bddaf2ca7c2cc190f8d83efe0092b57abbed48d091a01ba76ced2f492a
SHA512 1dadd6060c4cd07a85ff0c0916c1adc1ea9b4cdd2a3d4c9fcd7d02b7dea4630558d33e96fa2a75ad02bef85bdce9aef1c894b56f5d6d663b48229c02b8deeec7

memory/1356-171-0x0000000000160000-0x0000000000194000-memory.dmp

memory/2720-172-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1356-170-0x0000000000160000-0x0000000000194000-memory.dmp

memory/2676-181-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DkwEkAME.bat

MD5 afd9cb6d2a9cdd5360cef772cb7e39e5
SHA1 edccf71de37a24f079e4fa8e14c9dfd22fdc56e7
SHA256 b14c6ca8a8942bf9f0955f2741be44838edca8ea40629b95473407def85c8d5c
SHA512 9744bbb7752472f7b74802b1a9bcc2c75dea2c70109aabf74afae4acd402cec05d4ff3552fd63da6a71044f4f2f8a67ba62fcfecc88e343a64fb63c5a131c4a6

memory/2272-195-0x0000000000110000-0x0000000000144000-memory.dmp

memory/2272-194-0x0000000000110000-0x0000000000144000-memory.dmp

memory/2720-204-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bsgYAYII.bat

MD5 eacbf268bd0879c6cf9155ead713cd95
SHA1 fb0aa2fd8f4ee640257a36403acfb98febcdfd38
SHA256 7c2b4b961e91012bb88db42cb48154a59531f5e35fe806ffc5d269a4f4931f5b
SHA512 315724c5d1911c976d90c39387092a6c2b8230dc9866c7acb0412442d26798d9d04d51dc629a1c7901438626dbeadcb3c09ba0368de9d0a060e06a39b98dc171

memory/2816-217-0x0000000000260000-0x0000000000294000-memory.dmp

memory/676-226-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tWEgAkAA.bat

MD5 ab24457bc7537b1e14c4c618dc6e3774
SHA1 104edc69e18ecee1f494f26b278dabd9ac91130c
SHA256 f142adbad86b2bb0bbf637d19e92c19a0067da686f5d701fe42f25694aab1017
SHA512 b1404c95d4621a9bd065695e609dc67d1946ceacf029e7262ed4666b3b38afb9dbc96e27e848c17863be95eec8530f091379dc46411b2b714cf2f76916e4f3ee

memory/2204-249-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vCsoEYUU.bat

MD5 b96475ef81d8109532d1c417cc50ad12
SHA1 9362764be6471f717de35c33c5df1b618df38d67
SHA256 3832267ee1d572aec36a701f6e5f2f66818a238ff372908bf439689e33bc5b80
SHA512 57f597d42aef6fc48d52f22fc1d0f47967dbc7707d4eca0987b7f2bea0494c19fd84c04c844667aa171b7c3cf6c2cb78ce9977c48404cbd3b2036d6a5f2d3f22

memory/1952-262-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2212-271-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\smAAUkAY.bat

MD5 2b3b70b8babd5a5a973c029d9da95084
SHA1 216d43a2b6d6860d604258c4752887a029923e0d
SHA256 1ee24d465ede6d5f61e65104162dd7c20a5339b51abe06191144feeae9efaa6c
SHA512 10bf2e76c291bfb0e9d5452e5c1fcd084bb9feffba2ccbd764defedde4f3b1d5d2f6d1736dde63e07a0dba806c31c63d1d96608e859b2e0253bbd9ec64c742ca

memory/2584-284-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2964-293-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\asQgYUUY.bat

MD5 aed6114418105733b797e7f47cb62866
SHA1 12178c09aab5c056446f55feb46810358930ce29
SHA256 1985c85b7afb20d6d53419a12916b491e70077b8726ef1652d4c342796fd41d5
SHA512 64dbd790f8c6697df91ba6296d263d24a04e241166e982ca9b2ee9993897e66d9489aaea968071f01edb36e962e7dac4a92c3590e1dd182d78e6c3e8975eada5

memory/2768-316-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cKwcMEoY.bat

MD5 beb200f79670fd820336947986ad3af8
SHA1 8f6af5b53e7c96e6d50ab7b40e6a6216e5cfe482
SHA256 0ae81e7bb7d4f2ae463cb8d3956a7937c833f90e1372f3ee60f64cdf7d0a3225
SHA512 30c0708f6542ac0a16100343639e6085c6f3566ca1fc77f0588cc9562ac3d591601d90372ffe94cc65f768fb6c55ccca9fb2e19e07e0ab63b43d4d851dfe7f7f

memory/2860-329-0x00000000001A0000-0x00000000001D4000-memory.dmp

memory/468-338-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UaUYcAkw.bat

MD5 f415e8200481a1f9a952e91891e1d7f8
SHA1 2bcef4a9f6084dfcbdb8b6c4298233e959b7cfc1
SHA256 5b018408dab8096c898d135effdcca583528e4ce897552cd4c36b91a941df140
SHA512 cb9dc664e49e7892a22a2645703a804f3cf4c4d66d2159081f0dbf626f10d0e0357c93b2831089669b058005e97e1093c3c5a48d677ed10201f3a5bcb25842b5

memory/2416-351-0x0000000000120000-0x0000000000154000-memory.dmp

memory/776-360-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PqsEccMU.bat

MD5 b9fc587af9acd9855cf5f9e7919f5dda
SHA1 ec9f1cf6e0884c17b3c17b94ffee7ca8fb651306
SHA256 c389aedb08786159e7eb0ce8a81cc5a5de061ef231a88c0b35527b9ba410683c
SHA512 914884bf58f79c4aa9cd63fba752c2deea2bc5fa7370b42d0e6178301bda38799ca722291f6db2935fcf83a5f616a62b66888bef3006c2bb0494bcdb1450aa90

memory/2620-373-0x0000000000120000-0x0000000000154000-memory.dmp

memory/1544-382-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vGEIssEg.bat

MD5 b05da2830097cfaa92c5b2299e3e00b1
SHA1 c7207983ffb4062b77e1799d037791a588561a5c
SHA256 b5fa868e4499be4f39b20b6207874a4ecf90afca01a56cf0dd3bbf5f6b9556d5
SHA512 75f74f498d12ff61029a9e7469ccc95ff9c76d3e21a48b4af4a27490603eed7f2cf8187215be46c549011127647f68b13ecf1e49706d816ac18958b396dd6529

memory/2248-398-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2248-397-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1764-407-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZAwEMIkE.bat

MD5 b208f750917f9e2ceb9f340b55c1e33c
SHA1 c64175edb628648c86d17b3368b162a7e11dc6bb
SHA256 f2709aa7da8662bab59d2ffe99186db3986bdef7a84993e4d99f74446dc6d78c
SHA512 3616de3548cc3ccfc248cec61b1e5cffd8686175cf870a69f6b68b5df4aeb7c04dfff13c57f1dee5c49455c93d362f4dbfae3c88684286ebfa9cc20449bfdadf

memory/2168-420-0x0000000002260000-0x0000000002294000-memory.dmp

memory/2996-429-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OkwggEMc.bat

MD5 14800b8df9b1aed365e9c2814e034892
SHA1 94ef274bc4b930297326426a7cbf3454385f84ba
SHA256 8258a2199212340810ac4b01fa6ad1f7d39c5b91bf381282c7264591a84665b6
SHA512 c91a0cbbe691b5211a5a2bf4bf1fa9bd58e8b021959bc7a6de28db5ece1c52f9c2758fb7e9ba246b8c82d35b40be2863b357d3c9dfd08f5fa334090d0a4ea9d6

memory/2780-442-0x0000000002290000-0x00000000022C4000-memory.dmp

memory/2524-451-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kQsEYQwg.bat

MD5 cfedf7a706c59150fa38c6b0c3fd57b8
SHA1 e632adf2dc2fff580b4423b538949b84d94f70b3
SHA256 3b598807a0b11155cafa04bae8b871add42244e2696ee78224b4d51bee5bd1e5
SHA512 b862ddfa2a155e9444eab9df2b425601be152fbd34a12f429827c550bb54c99f32e71280e15d82826ce27a2b130fb87c1de3153e069fea26e4e74dbcc6dbcce1

memory/624-464-0x0000000000120000-0x0000000000154000-memory.dmp

C:\ProgramData\XMEQoIQs\PWgkEYYY.inf

MD5 b5095444daf5a82fd44c75d01971cada
SHA1 9b2d78b91880d310fc2657c91367605c9bc4d3de
SHA256 048cf5e3d26d60282130b4b03fb5e96cfc310c91423dee58d77eebef97241d01
SHA512 476db5d26d277496a2315b048418a804377d11300512ebaa6c230fb23f4bdedb66bee86f4328ed47a336a24de228682d1b080aa650938c1b19de395f8c5ce92b

memory/2284-474-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gKQosoIg.bat

MD5 6b1cb6c2a86d99f334115fa3e39cbff7
SHA1 75d2e47bc6ec9b8a5cb52728bb08d1903fbbc085
SHA256 10bf056da553c0aaef9cf3929a061205e631d8e50a715950cf8e9ed96792bf75
SHA512 1fb1accd894e82d81b2901b08fe6d73e98ca2d226aafcd3db838e98c373b2bf3515b256d171188757e000258b264d177eeeff804f0ed55bbae3e684f3471610f

memory/576-486-0x00000000001D0000-0x0000000000204000-memory.dmp

memory/2072-495-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yEsYAUAY.bat

MD5 fc286ec71672c3ca1b1fdbafe6c57fa8
SHA1 ec1723427f4bd1fbdb4c1638765e970a24316ab1
SHA256 f3b4e86e268f2f0b13ecc4f746e7e666615f8ee5fedcef77f8843b9638b22939
SHA512 71ffbc87c42ae155be3b2adfe4b5eb0a16ee72d555d3b1cd53465f759ffcc2822cdd827a2b1e05e324c257747191c99fe10029db1fd566440e7cdf094b182cbc

memory/2472-505-0x00000000002A0000-0x00000000002D4000-memory.dmp

memory/1300-514-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XuAMIYUA.bat

MD5 df5cdc2455d27eb3838342ba4d63bbc7
SHA1 9b31a090ab62dfebe902759b953eb3c1b36508aa
SHA256 2af090121f14d562c6344ca230ba772db64fe8e5dde418192af6d0b35001df63
SHA512 8ba737bc88159a19704dabe0e3615d71be15b3874ad264e06650948d46c5df0b83d20ed6e2c4da94bfc640a886f895200e9525b1a7ff6b9f5ace621c47854f6d

memory/2744-524-0x0000000002240000-0x0000000002274000-memory.dmp

memory/2916-533-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DoUwkAcw.bat

MD5 c87bc08b176bccedc6146fb699c91680
SHA1 f389c1a9224727246cab350b632eadeacc5b1d75
SHA256 b144858793ebaf611f5504f62cc1353622bfe6f30d7f726b7148ae168bfb8084
SHA512 5e72d14c7d9c4555eef4dd7061f74200f46538d97628f956913453dae0a89452abeb8a10f395969238c38cd37634a7d4fa786b7894963aaab5c59058aa46f37e

memory/2360-543-0x00000000001E0000-0x0000000000214000-memory.dmp

memory/1012-552-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NMcooUoE.bat

MD5 67a6a4b382a4790a07455b2db78c0730
SHA1 708dd783105be498e6f87637273b8fb193cbe679
SHA256 054b6343b032133db1980bb5ff5f89dcd4f7e8ac201121687fda5732b5cd76d0
SHA512 1db2b262c715339cf4522741e4fd0bf6227fb10feaefad89480e0f9d5f989bf1eeb3a569deda29918e1ef3d5d438b3913ef5cfdd06acb70afc23d77e27c84013

memory/1416-564-0x00000000002B0000-0x00000000002E4000-memory.dmp

memory/2764-573-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PYUAYUMI.bat

MD5 3dc47a33da92785256a39459252bbb32
SHA1 54f7168e2f1abbf3f3cdbe686a6034af2c56d502
SHA256 a250c8cabd3a4a81c8c26e9f7fe8d599aa8a3cb2bde0b7849fb73c83875ae08a
SHA512 486fe5dae9b28f3cadc319cddee59918bba7c65c1841a7f8614013ec982ae5e3f82862db897789d43bf6a85f3148f9ec74dd6d932bc374aae7ad4bd9ad52753f

memory/2120-583-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2076-585-0x0000000000260000-0x0000000000294000-memory.dmp

memory/2708-584-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1748-594-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1772-604-0x0000000000400000-0x0000000000434000-memory.dmp

memory/784-605-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\euUEIAYM.bat

MD5 b4c28170acdf3ba81a09e26eeaeb6770
SHA1 9489a05cb89dd0dff35bfb76a622031293b6c1d5
SHA256 f371e0afc51ee112fcfe8662aa765509afac4106360bcb82dba24c3feb926325
SHA512 7b2139d1b43432ef2a0a09224829c7857fadc3bd42dcf99dcbead31c81a4495eb018a935f0d9ff2309b7fb9bc6e0fdeda66821b58f82e667bd49b65c1003f162

memory/1256-614-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ciwYwgcQ.bat

MD5 43fa03046a9cf8a7eecb716aff7c89a4
SHA1 0709e8213768fcba5237860bcb86a5a072295c08
SHA256 e01b7436f66ed467731d8dff1b1837ab13f0dcbc0a6831e717703adb1b4bebac
SHA512 4022d2b71b6ec7760d375f8f87134c7887c69958b785ee2e2ea0b80e0d859dcc5a77a94c4c1c7a70a186dc74043a18ee36cf1dc3f8ffb6ba8bd9b854acaae684

memory/1692-624-0x0000000000180000-0x00000000001B4000-memory.dmp

memory/784-633-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CIkAUscc.bat

MD5 c44d0fa580cde4719590c5891dc800fe
SHA1 91f8b3bed2fc44ba7f52c5a5212aeecb794cf1c5
SHA256 7830f2d306f0e85e1ca662674815723383cec81051ce176b81a23d0a792c5863
SHA512 8d2060b3d1e8e02d15e736c6395158ead977957db78d867f995ade2273e4de16512a68987e3427d715715b1a80e248b2fda243cadd809c64b78d434e0cb83c16

memory/2428-645-0x0000000000110000-0x0000000000144000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mwwA.exe

MD5 6edb7be53b5f0907a3489f5b120ebc7c
SHA1 a2569fc7240540da4f6ce0f72fbc9a78d251bc81
SHA256 59c4621e256e991d4b95ca1e1c16a1834b1431fd673b835ba91009818d406aa5
SHA512 d262a3fbb9bad4c8debfc1e88ca7a8310f4227b8ac2244f070a43b6ea1bd604ea1c0b5e8dc7ea3c26208afd25a759bd8d395c1bfba3787f70490266310078c8e

memory/2752-655-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wuAAMsAY.bat

MD5 708ca067249d8071841bb2c8c930292b
SHA1 ff2fd8f656d99807fb52c6a274b5550239be245d
SHA256 b6afc6bbbaf5daa22cf0b7f0b3670a6b3e8f0a3c4f1b44def9b0cf939083fb94
SHA512 e092917a1114b139ececd61fa8c3593dba56cdca6cabb30e1e6d28577fa0ddc2454642f8c6c7bc09d5520c63eea9924d00c28ca24ca32bb4c49c51c59a3e36c4

memory/1632-679-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3028-678-0x0000000000130000-0x0000000000164000-memory.dmp

memory/2576-688-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ugcMgwYU.bat

MD5 8828c79b360ada6638e9109d2a527032
SHA1 c876def1c105ff2969bf2a790373eb7c5750f93c
SHA256 814228baa31690b5a6be51460834368ff8963e7e2a64430a3e4e747d01007ce7
SHA512 5ed022c0466e483af403a54a949e56328be08b981ab2fca2155ff11fe235944829706366fcc9a517446d2d22dfb92b2215265ffbfa6b50e66f99bfa681b88892

memory/1632-706-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3016-707-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xwYwgYMQ.bat

MD5 a3b42e9994f41fd353846d667029aafa
SHA1 53d7ea7131e05ec2540274577b9da912545f7019
SHA256 5fd65c4c36a0fb5e9fb1ee514434bf384df37d2aacb1c082e5b76237d05ba7ad
SHA512 00afe46b25c6db763ca6197056eed33f68cb8f0a7472891888be5fb9e8ab0a8054ad2e8868f1e8a29a8c583572a022b4ca8e8b564bd39c1d0044138ac1703219

memory/3016-726-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2044-722-0x0000000000170000-0x00000000001A4000-memory.dmp

memory/976-727-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\joQYUEwc.bat

MD5 bbebbf2a48806165a463a70a34222317
SHA1 aaeb20bb8045cc42f6294761fd482aea04fc437b
SHA256 658030eb78c700e797e1880c4658f7ab195de1601b603016234795733b8aa6bd
SHA512 263030a463f475bb84bd596c1ecf907a336320d6303d78001cc9ebfbe1c640b7d1fbdc8f41afb97cabc3464723968bd708e20b3f8081c9cb27535f3a0d95e3b1

memory/1000-739-0x0000000000120000-0x0000000000154000-memory.dmp

memory/976-748-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DeEEUIUA.bat

MD5 4e10b35f0330c4b7c6ebd16c66a83e29
SHA1 9a83bdcf6aef3b442ff2ad2d2d912986b29ce4b8
SHA256 a3f4756b345f8564f2afe1a28558ca22fce205188a21a5a55f01f4ab2660c188
SHA512 a03e00549323824ea1bc601858c59cff095a5c88b2fd048a53f5f7bf202f75652245e7d9d42eefd3f7bbf51221b5610f4af57e30153590065cae6863da092a35

memory/2940-766-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JAgIcUcQ.bat

MD5 08148a9ff2bfb7d6ca4ffb30da8ccb79
SHA1 a67dfe3a08dc658a9f9ee2e6b79c634a86eb0c28
SHA256 74adfde7d8f51d46e0ea8a4fe866f903d2c82634120e1567f5f672df47ff6bca
SHA512 09bad481507a6a16bbc20cc4f90095dccb79bd0bd1fed9bddeba0cc2a36ea24950034c091c23bf1526c71f5bd02b5bca62be71fcac70d2efb495af6346dfeacf

memory/484-776-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2976-785-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aKcIIUoM.bat

MD5 772165b987d34f731b9aa50f4bf98748
SHA1 ae3fec0aa7e18533e50df9daf6dde9364895846c
SHA256 01fbfa6c2f6f675214c2ecc1d8e295e62e153cc0a7c27641511f52bab2e639ae
SHA512 3744bfcf83e20ff087ca98eb4b3d7ed7cef423925cf22d5ee4a45115dfc37165749b60ddbda07c51ce6a5366bb81b0879a7bcbbb3717ca4c8139766cc1f7c25c

memory/2672-803-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SawYQgYo.bat

MD5 1499c8e466cb7d53cd2dd56eff120270
SHA1 50be85e123ac1aa447a30408058d32cf7110c2fc
SHA256 161ec752554afed2cbf616445ce9139e598de231ddef7dff7a0c53f3375e0c0c
SHA512 518f880175109f0cae038a46091669e56e6d6a50a7fd596d0fd89e5c9306a6daf1a226f47437dacc4f9aa57cc039b6938e4ac4d42231184f3fcf56d118013c41

memory/2208-815-0x0000000002230000-0x0000000002264000-memory.dmp

memory/2092-824-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgMoQYUs.bat

MD5 6d566d6525c127d98641afcec9128dc3
SHA1 c765c718af9b3c9e025d778f0991deddcfcd31b0
SHA256 86c0c0d0e51198856b14e2e15626ae83f2bcd031570789b45e81facd14ff7e6d
SHA512 33d012db6d2521b70846017ba732b93103a6affb3840c9204fb8ed37723b61fe3858f87cf359991a6f6bb0eb3deec4c7cf87616294348ea8e031addbd5e4d797

memory/1900-834-0x0000000000210000-0x0000000000244000-memory.dmp

memory/2224-843-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tQgcEUws.bat

MD5 6d2ffa5cc6891c3f5e063c5c3872d910
SHA1 91500e0429b5044ceef3d6caad0ab139aa92dd18
SHA256 3a6b337c29c832076e7d0352febe99d6a0d774aac65f79654d8dc64db1fb095b
SHA512 8583e8bb26d8b9e8221edaf68103df19ca5ff86362657ec69fc12732289c99380aae2991ff69f24032a7da239b6296521ce9a17bf5dd8c3486129bd4f2296a41

memory/1968-861-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HksUkAww.bat

MD5 518d0e0d69ee839dd333d1bc435c60a3
SHA1 e6ee7d1a8fced7307d3bd6d268387cb8df46a0b2
SHA256 0f5806f989f4e89220c1873445c777329793d3e04faf7cc6321d447745c332b6
SHA512 7e4b520ef149310c7618b9de9c444dac9c146fd93e9f3ce1f65de731972e47afab1a9f6e357262f44cf5b2575a0ef2f131f07bf80a7766f44bac3a012227b80a

memory/1000-871-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2404-880-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NWcsMMwo.bat

MD5 7d4e222c6359dfe920810418d19bf69a
SHA1 01b94bcb9efbb3a28e332ed3fbbc2a2274b14888
SHA256 75bbeb1d688b8bde8b43ba15dc62aac172bc493fdbdf59c6d8d856a8f798010d
SHA512 20dae22320542057f4677a753c7485894d85377f3be34797876517acf9ea54e5c99fdda2b4146cc6b9c73a7d306154a27fe6eb1f73d59b1af22963af70b4442b

memory/3068-892-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2616-901-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TqUwkYMA.bat

MD5 57018e4fe99a536ae94a797a4ce47f38
SHA1 62624cf7d81107a807119f8e9a938feecb22d07c
SHA256 c8cf2e4a50adbc15ee0e8da9a4bcbdb2954c7a14cfbe86333db9256b1684711f
SHA512 f85c660c6de6a3415286a5f9e99a134fbb0340dcc6d85a25c5c71219952cabed76f562d6f6ab547bf2b5dd526a5e52df977188d22c01072f468f771d4401d459

memory/2956-912-0x0000000000120000-0x0000000000154000-memory.dmp

memory/2956-911-0x0000000000120000-0x0000000000154000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PSogIIgA.bat

MD5 730d41af2b70c7dde167d3251a6cc79c
SHA1 f95f1bc8cd3758b97af7c4273d05bc964e54e01c
SHA256 3157684abb1b0212f819e4e2c2d8838d408808de7ff1dd5510edf1d14181ad8d
SHA512 cb8285af2c6de2453155d8715d85d758c2076aa68ab52adbff46b8891fecd84540cb75b43706aebff75cc8ed2bb13edae4cf8fa89127936adfae52b97d41d3eb

C:\Users\Admin\AppData\Local\Temp\MGgIssAA.bat

MD5 178d96e98eb80a5926c9ebe7818d7dce
SHA1 90ed2211c462d549b4c39da863fd4fe8f3a7472f
SHA256 70fc87e4e3ab26fe4c5cc5f15a09ba3b38b585ec6445feb5bf7542f4f15af928
SHA512 16c738a1574ce59997797cf61c7b209b1bf0d9b048bb498f815d2413366a3e225e6ffd71d1c61a701c64fb46bf44b5810bda7ac6581bcf3e50440c1b5929b756

C:\Users\Admin\AppData\Local\Temp\CcsYEMQU.bat

MD5 d83a15fff09cc769c0b26d34723e6cf7
SHA1 dfbad9103250100873bc50a28ddba813eed686b9
SHA256 98d720262463ae229165957cd141fcfcab685091d4c44eefb66e9c76041c0527
SHA512 d2f5c1dbe4840946d90a264c16d0c2846a0cfa8fb803a9466820f4e6bc6173cbe9c0a8c705e89ce4779ed3baf25d7e91041353c1df799b55e6c30871a5258784

C:\Users\Admin\AppData\Local\Temp\skcAwIUE.bat

MD5 f9c820be6e1c79ac97ac9b399795829d
SHA1 7c9a6e19d2f62aa8a2175a3409fd33f3bbee9378
SHA256 e34df3319f9cd6dcfa2b09e4fe63347f58bda9f1b5519d974bc22daea67aa0d7
SHA512 95234746fc0fe84e9a21bc2880c33ddda3bca97b52fad521f12bdaa66f8657e9d41e3d774f684f21435cde28356f134be1b7654cf03e28d8827af6bfe40f62df

C:\Users\Admin\AppData\Local\Temp\ikAksUUI.bat

MD5 71bdb1b9d5f8664d660c76a894e50606
SHA1 04df07693e5aeb9a0ad6f07935eae26893daba71
SHA256 3c9b3787874ab6773e8e2b3b85b688799a571c114f7080871a9c4c7ba129fde9
SHA512 731ea83ac335f2f8665a4f4917ea1c0fe62d194e198f42f2addc67c0899ec0769cfb609dd841f9c2bdd795dacd2035f11aef247eeb03923bd140429c35dccaaf

C:\Users\Admin\AppData\Local\Temp\fuEMsIkA.bat

MD5 d70d1bdfe30a4cf07e121f4b43525ade
SHA1 db5039d5e3020953ca3c91a2640a0917a3df20c3
SHA256 b3f3d5431edc887be77512dded580a919efe324b462f6a50d16d5b5b56001469
SHA512 1c1de5d5ead11ca59d2cb387252142c04665f323bc14069c3235938b8787d231a4893e154fe13a7e2b3cd8818cf0cd8794c4f79a32d888459e9a97b9a0716699

C:\Users\Admin\AppData\Local\Temp\TcwwIAoQ.bat

MD5 e4677e8004afdea61141fb29cd0bb069
SHA1 62b32f6ef3975418f79631ccede1efb21322865a
SHA256 468cc6f64e8ee52c88e166cb97b9c75d1f7a2293561db161274f7758760e215b
SHA512 3e13a55fd8f557ded7ba5bec076dac7ca64c6eccfa4b382970614c4ebc721de3ec319ae3609a98a00501d966b336073e11c8904bb6c262e23bad4f4c21a4a568

C:\Users\Admin\AppData\Local\Temp\IoAS.exe

MD5 0b042a08ae793f32e34f6290b5d0caa0
SHA1 2874b9a0a6746fc47f9a99bbf69f8ae1f28a45a4
SHA256 8dbabd93b7b4820b2ef90ada561a54c5abee6db2d3be29ae22ea71e8260b6d85
SHA512 328350b38d5308257fe32fb3ea520e49701dc2e8c376133d3b4cb35ce2682018f87a9919f5d5827dff0e4a102925e00c133bb37153cc872857d517ff7e82799d

C:\Users\Admin\AppData\Local\Temp\OIUm.exe

MD5 ad93d0360ef5bf3254b723d3818551af
SHA1 cf2dea1bbd67658dd54976f2aa337bf2a76fe5bb
SHA256 f194a7285af33ecdb71e03bdf2b701086aa1004783fc9652995d70c62188bc2b
SHA512 138f20cecad8a847d7bbf4398288721cc2cd11e1a662015a57a098b288b6d0d4639c32c05aa27a0d857ef3216995dae480c2ea5d16abca2a9906153b98149fe8

C:\Users\Admin\AppData\Local\Temp\mEQc.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\sIoS.exe

MD5 ddc7b5051e04fa8965989cc200e97508
SHA1 db9165e276033bf28d772bc618a1fe3c22c594cf
SHA256 dd09eb8fe872fc1f28cc83f4ba398135fc37747f152a5adc4c40fc26f2c0897c
SHA512 13930843aedf307224012ad3b4755104eee040b26a15090a60fa07fcab9bdaaa74d2be502d7d9a2f44c810fafb8e2246826a86d550fd3e575df6ebef57fc6b98

C:\Users\Admin\AppData\Local\Temp\lIQoUIoA.bat

MD5 bf76b8a2c9e55af3c886b7123acca6ae
SHA1 b6902fffb442639baf4f270499b6a6bbfe0583e9
SHA256 93137a7634224a1d92fb0c0c2c08ffd165497a8b7fea3158bb8eda0d84024349
SHA512 093590b626a328ba675a5d83b34e0766c36c0677b9a6dd5b93abae7c36c58cfd74ded50abbe12de9362afc8d4f8cc63424b8f0a9e88c2a7ecfd7c6e6e4ff34f8

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 a57959ab9e8f7e8fca06eefd8e96a606
SHA1 f8fe5187a528f975d8644d6f4103aef9d895dccb
SHA256 73672ba5ff4274876325a87affcc1c7b6a8541351b2bb8a5aaf1e9a6e87420b6
SHA512 078b4b977bc60cbf7215e76d9c60241fd0a3b5d4455cf7036362157cd0c2b1e16b1edd9e1ec0e8b6786e61ae204dfb68a8ec06d3b34de1c9ddebe6b01e0eea5d

C:\Users\Admin\AppData\Local\Temp\EMUa.exe

MD5 adf413ee1a77dafc89efe26c2c382b2a
SHA1 6996a685a96177b63789d9ff59e7efa6908b8ec9
SHA256 e705c3ff897a989972376dce1bcf3bcc9a1596330e52e27af7f36d3778c49bde
SHA512 df9a3dea7f65313da7f9abb4cff291cd4910d68e913ab4a82e0469b44097e5442eebf48e43c14c5e92a301d9cb2b2a1dc9add14d4eba4f61552ccfc50adca922

C:\Users\Admin\AppData\Local\Temp\KAYa.exe

MD5 6a799666aa7b78caf12168b684b0f6c1
SHA1 cb93806b1f78102103dbe064ed3d4f0ad235ee78
SHA256 64a90fef57a99a571eba8a08928a307e35ff6f214bcf42dc52b9727134303c96
SHA512 b9bb2ba23060b56eca0a083a2f7d1b54b4285764a0c2247781a7cc4e60880d979f15d1f202b614ea4d3928786fd2c1d84f24b7640abe77e9610b13980d575ccc

C:\Users\Admin\AppData\Local\Temp\ccci.exe

MD5 219bfd6178e7a62616554f120eb10eb3
SHA1 a2d9c6224b2ce04deca80fa0d836df8c5ae91ed4
SHA256 bab6e84e46e58ba59d0814549dd8eb79936079a8abeadcd428d380ae4b956da3
SHA512 c94803c7e4ad43f3318778d609222747cb8fe1081f239d9570607b50e17fdf13db6497f56d95da73f115437b2293a4a2466e960982c6f60086df57bc9dd0bc3d

C:\Users\Admin\AppData\Local\Temp\uAww.exe

MD5 9394c1035b2331210ec4f939b8e6ea0c
SHA1 addc9a90a373993caad8eb6d959886d7379e1b82
SHA256 16cd608d845272655f4fd74b92a0e6e105b8ef8f714634063cef1999bd6f9d9f
SHA512 3a0be95dc3734421f73f2c938d5dd29ca46be2b2aa120929f5f4cf833af215c69f999eddb1868919755851388fbf3f630090167c81024464d0c47bca0ebd00ab

C:\Users\Admin\AppData\Local\Temp\cwQG.exe

MD5 8206ccffe2eee34212aa7c5828ba3cab
SHA1 5d7b81c30e13cde50ecbb5b8a7d32a4b1c08f271
SHA256 0333229cce065eaa9544bd8aa9e5055a370ce66d28c02d6811e62a27ef4841e1
SHA512 195fd0ae6c2944cc767fddd61d4cf5833919b3599fd400bd683ab73f2104bd9cb58037df189dd82d674b0f3ba019bc606a879261646866235c8fa36fa13e8d1b

C:\Users\Admin\AppData\Local\Temp\bEYokowg.bat

MD5 08fb2671ebef5468c76a385d68753dcc
SHA1 201175fd6b08b3e1b41415f5203ad6654bdcbb9c
SHA256 e8d9ab7e39034a211c881b91e50cfab8807116b5e9c769505da1e2c66fc427c3
SHA512 caf431af0644be91b6fceda48ff2372e0e2b1b21d03cf8d1b0773ab2928b044bf27a254944e53af8bcd1b32ac278ef41a18d477b5c440943fadd74ff6ed470c7

C:\Users\Admin\AppData\Local\Temp\iYcC.exe

MD5 90f97cf62493a9b49427fe0a1eb7a62c
SHA1 b106dba41a12fd1f07eaf04f0271ede863cf44b7
SHA256 ace23736e7ab0e26b2b665dce68e95ce7a3da74eaf7e83f7b99f2f9b6c22600e
SHA512 c4dac8c4fec4c9573a7e9186dbef0975304ce4db0f90b1b93efea6d972fb9e0ab01fc1efb62eb4b20bf017bf02ca7a1dda5264cd7f17798cfa883ef13e2ca26a

C:\Users\Admin\AppData\Local\Temp\aEku.exe

MD5 140245045406e0c99da06a84db0ad2a1
SHA1 6de1b1e4ab2399063e47a5c0ce80468c0f4b3aa9
SHA256 10891b02be4dd3b53b28eabcd96f0968d4a03ca3634798bfa7c033d8695117cb
SHA512 b0866057681808ad1b3ba231ca95245d7c311c9d174fab07a38e53f26022f33c771f1be6fa0bb7b7f27c5c3ade7af369edb0c72112a2e52b3066009cecbab56e

C:\Users\Admin\AppData\Local\Temp\cQss.exe

MD5 78d7e982b2ea04bab0c112f54c1e4db3
SHA1 90879af43488d14fbdb26fe95da041ecae3ad342
SHA256 d21bbb92bab3e36122f495fa16dc78fbd18728e6a1b38bdc6a9627707357999b
SHA512 215953680dd26cec2da32ee7ac7e211d5dee23b6839144136b2f1516addbdfa977d0b17d4018ac0b8454c875e7d9d9755e7a60164dd3be7c34f6574cf8312ad5

C:\Users\Admin\AppData\Local\Temp\iMgQ.exe

MD5 aab6b4104e332d15e5a9ac3226af6815
SHA1 dfc555d5374ab6025e46c3a00f8f9120bce914d3
SHA256 bd867c772de676a2efa443593ac16d168c09000013f472d51af2199e887ac36f
SHA512 a466bdfbf946ae20021d83841d9e01e494a5920c40267b608bd2a21efc7b135d006f1fecd98779e40d209ded23e5298551eeead75be7f697ab3d1e583f2fe116

C:\Users\Admin\AppData\Local\Temp\AoIa.exe

MD5 d1e7cbdc3c07adb2b561f56cb7f1878c
SHA1 f39bc83eb2a0833de53d49b3b14e5cf6c854a79f
SHA256 e3e879d5bc67182c6785d3592c4241821954785ed381d072a53b41fcf67e31f7
SHA512 1315fa6d1ac57b289a250c9b63587f0a3c76e0183b1a228300e647ab909a687849c5be549145604d75fac3443e48315c259bbd338e7e787faf665f958b51198b

C:\Users\Admin\AppData\Local\Temp\iAgc.exe

MD5 79a8ff620c1dc15bb1d1123cdcb9b133
SHA1 9e29b7786551063481fdff03419c40b314411007
SHA256 ee810ed5a6d0746c400ec32d9f6bbcbb0634d6925082ad9f9026c0a0509cad2e
SHA512 20b63be637a8e3c5b24f1063db6b81cb734f35ec34bb04219fd4e009eb2bce5c5ce9323ee6d3c5ee5c287c0e1a80cf333a1497e080bbd3821647f9391494f24f

C:\Users\Admin\AppData\Local\Temp\qQYEsMMQ.bat

MD5 59ea281fbf9201b1983cfd344d83cc8d
SHA1 5b2a81fa7e829ce74625fb239f079ebb1a989d09
SHA256 a606552ba9785f9672fdfa1797564937d5996603ed3070b327270da9031ddcef
SHA512 944baffb784ef941df2317ae1e1188da7e6fe9c72902ecf722227af3a621c3ce145b18fdbd7a77b1e089db5e7d3a380ae6cd9c6547d380f2b068c959c9476e9b

C:\Users\Admin\AppData\Local\Temp\QAgi.exe

MD5 cc32a5778c16acae0e331cf0d3313b62
SHA1 7a9ffd9685047a7adbed11b303e1e0b38eb59954
SHA256 e8bc0a53ffb7a93a070442ce0b0f74ea1470847664562aaffd845e171d451794
SHA512 ad03f937ab77f4d09334b017d940acb15d003860639792eb7a0c19804e71c7ea44e889ba4f35f7134ae5430a0b025fbf6af6ebf95329b21525d0d676618e1661

C:\Users\Admin\AppData\Local\Temp\mIYc.exe

MD5 6277bb2092958efe3f29c097e574f8f6
SHA1 850cc67a555086f6b489bf74a11b534fb64d5f1a
SHA256 676c2dea6b9e852ec4201e565f6a8e539997a330cc5fbd7f68d446b48ce9db9b
SHA512 40a7f80a654a976c89c6517c2b0370b41f80a469be5dd472765d3786162ac35a726d790a93dddaa8cd4c4e811bdbfa3834bfaa76f736160f5aed4baa4b57d02d

C:\Users\Admin\AppData\Local\Temp\usMe.exe

MD5 dfcc3de9e1de0c487905398f384958c3
SHA1 a95a48c06f274c06c5bb312961abe571a03b9bd7
SHA256 c4ff8e7577e5553f8c4deeeacd4ed1dd1535ecb5c67f8fe5fba9321d35a907e7
SHA512 4866dfc651a1353b2cdfe07af3fbf9b9abc1dd06b638a973f5379e2422466a8df7667b813208d12ad2d83c64d66a3441b59790598c68a2de3af0fd62d86879a9

C:\Users\Admin\AppData\Local\Temp\qQcc.exe

MD5 89952b0b2bd679952325c0327ca4d060
SHA1 348d5e0e8a2c021445468a7f0ac0dd19af951f9f
SHA256 bcbace1700013a11df77039aaaa1e865fe4d68d9eed4a086867d914122a7480e
SHA512 d6acffaf7f11a947f09ff9293501e188b7c9d15e265a9109839d001fe1ab05e87695c65ef4ecf26b1c5e12d2faa6ba1935e0e293231334085f7de5b8f72428bf

C:\Users\Admin\AppData\Local\Temp\WIwK.exe

MD5 184942ffa3b7d00f5adca5eca4f4cce4
SHA1 a921de8e5245a5e59eb331416050af76f0081aaf
SHA256 d844bdb014f91558ac6670fac0d6c8b703b7c12d7f55e0cf137019288370245e
SHA512 31b7952452824f81b8aa78063b78e70eef73732677f6e0300271a9e1b2cb626314e48f6f5c1a4270c16b661d0c9d1b2d26c9ba415ef9f449831880a59dc9bd0e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 4f9849cefbb190feba4b5e7b6f19fcca
SHA1 86b67238ffc44d1184d8326cf724cc4ddb6a3aa9
SHA256 c3679769e3ec8dac1059e583961b19c8d1a2b5f0edb84a80fc3e2b310c468473
SHA512 49be490595bf0f89c0b6a81d6a39c2f4e17a6cef63c67643c77eb6d2f7fef91600b7f935f37c67b36ca4d6d5584530365c8a9ca1ec83e5331ae5ee2a5924f0cc

C:\Users\Admin\AppData\Local\Temp\mQwwQUUA.bat

MD5 c751e56f75204d124e86630ae46e977d
SHA1 c916b6f413d6840f78021560d7b8e45458782be7
SHA256 e4c35a510386a90563715716c9f47f49e32e2c443fa9a8ab26415526f0202525
SHA512 2dd18c87b5ffc87f5aec19c776ab71b47f86021819f49dc70e63ff588a68825a9dc4d2ffa9aa422e34af3032d2bce7a04907805a2a7d5070cd2b53f5a30f1d25

C:\Users\Admin\AppData\Local\Temp\yUIQ.exe

MD5 202c04cd6f5d18541025e3fe98896d9e
SHA1 a9c2049d4387e4a955b8c0ea6d53c98c83bf9a57
SHA256 f3c55726779adbe2b9d695bc53d22a3130e243b8ff68c2adcbe60d98f99d7ede
SHA512 b578d1bef081a53309eb45ce594637d86a631e5168ded95900995529744b917950de9376cdd6466c4cfe97f73e70c0f1c2beea8f4fb7f96bd1f003e2713fbdcd

C:\Users\Admin\AppData\Local\Temp\oAYK.exe

MD5 cbd2c3cc67c105870ee5fb927312b403
SHA1 30bf268a083e4342e5914dc1bca0c56f0d71c935
SHA256 2f83fa97232aac2640dff8f3517069219f02809f857b00cfd135d07421162ec0
SHA512 75f51b1e208b21d6c0f437780346d87c746dc76b62855b4ff5980298a1224c088069acd456405cd07903256beec1f1607b528f94d99094651fd6d03656b00958

C:\Users\Admin\AppData\Local\Temp\IEMK.exe

MD5 4e95693ea48882fc5e60efc5a5af5623
SHA1 c3620f41ec20eb96078fff85684d484fc1b408c6
SHA256 5fa40e83e73768ee50264b05c016ebb4a0259513ddbd187f0ac478557154df62
SHA512 5b6b5ee14a72b835192b3711ab234f9c87db5d2467847a4ca4a96f93d9d24219ee650c8a4010a4f45e4b3ad565961eae1a9b1d516fb2ce730e9dc9af0887e6d1

C:\Users\Admin\AppData\Local\Temp\iUQU.exe

MD5 62e9cd89ec2ad43f9e053993a6723aaa
SHA1 b213bf690dfa187fb4e84c5071ea26ff54dae0c2
SHA256 a1215ad26950ea9c9f4af7996df27039c792b1e7bc200bbcf8522e5d947d5554
SHA512 a2077c57d2ed96087d40205fe2e13d6d42431e09df9f9d429d88359b39ba3d7d5d4f78c2dc392aca61db29699b035bdfecee29bdf23b2cd9403519668fff3ea7

C:\Users\Admin\AppData\Local\Temp\OcsQ.exe

MD5 ecf08022afc78a3b8911e19aaef640f0
SHA1 015383667684a4e48090e0d5d162a5bf9f31b284
SHA256 5403f88851c78a8618f043d248a6f846179484783c0e40d50d0bffff17eac459
SHA512 9a002ac87c972e60f505c0760c62e1afad8d0dc414c40be63261c70f6519da2e38d232127491bda0c0f7391fb4903cbab3bf15d9e99de25eb95bd4f0a9d82659

C:\Users\Admin\AppData\Local\Temp\aSIYkUgk.bat

MD5 1127cb832d3ee169258cf5ff6e348270
SHA1 576edf6f41aa89e4356ebf64a112a11822b32c25
SHA256 d28e7ee744c9d6f1e0aa538a0f644b44eb029f7155fddc936f84faf69027b088
SHA512 dfeebfefd64b75af643c1af0e109bf2ffc369e3f8b6f3583c399b9bf658d6127c96861daf3ef287b3704700051d5d7e433a89857b62585953420db0a33247492

C:\Users\Admin\AppData\Local\Temp\YAcs.exe

MD5 3c47197beda901cfdf15612da6eb98c6
SHA1 eae12e5d48d076e363596637dae8d0482285098e
SHA256 f7b3d50186df9df2da23f9e297f89eadd9b5ae7e1a880e5ef1c6addf4f7ed233
SHA512 5eb994e93f741a791f6caa305f3582551b3dc4b49a8a864f122cf2f72e6e987da23b754bc6321fb9334be076f8256e1913e3d6d4734f325995d4f4eb5a771dc0

C:\Users\Admin\AppData\Local\Temp\Ykgm.exe

MD5 7e68b5783edcf652a35080813cbbd487
SHA1 4cd2c542e7719429651d7906752b78b875041788
SHA256 2e00bd8d48b3ac678d105a0b4ef4b14ceff2d3a575b14117646c7f2960b0f6b3
SHA512 c403f1cac6ce998919a60e8a85f0ff5eb2ca6abd5636ab9a90a90e16ca60f24d1bbd77812bc2a4c5c75d587f09f04b39227a154c990c3d7ec12e2203a7227469

C:\Users\Admin\AppData\Local\Temp\AYEs.exe

MD5 589fe3d4df3a110a0d74916673696e2a
SHA1 06b79b952eb59cdff255f2e3d3c3604850837400
SHA256 d07f44b8dee93a1f96d0a5d0dfefaf4bafeb51e5e05225ee18955b4ba5a41e32
SHA512 35725b25222c4e31f4e4a11f396b33911d9a31b0000202843d288d044df7179783665c1e31576b85770bd3036e4488365a9176f70357198e1cddba992b6d133b

C:\Users\Admin\AppData\Local\Temp\YYkO.exe

MD5 11a899ba6a400a3079a2001e82e148e8
SHA1 0ddb6754bbac0c6668365795c188073697d6c9a6
SHA256 a2dd1a751eb1cb419dcdc808635b049e4e491035118d1f3c5346e135b0a04de8
SHA512 62bdfb25b41b7176384bd0d9bea03561fad7df8c64ff5c87c34f5f36bbe9ab7fc3179f0e238ad40399558f3eb98996e57e10998798cdad5c45ae44feda21336c

C:\Users\Admin\AppData\Local\Temp\eOgIQAAA.bat

MD5 dd3f03cc6b392a11d6c5e2971fd6e29f
SHA1 172b707f2d9d43d6ed5140da1a1513b37452d2fa
SHA256 1493f4b57e4db0deb9a4b685f9207c381f98257474c4de249dead8703eb3ef5b
SHA512 5cebd2d51d9d195860d25348669b9ef2d8a26784333e78710a34ff1f0574216cf4534389a42605547a0a5aba16778f3559377d8329776052ac52972158aea39b

C:\Users\Admin\AppData\Local\Temp\ssUY.exe

MD5 6860b2c4804da0ede76578f2528e9844
SHA1 4d4101fb5f84c64858ba4ed84b491defaa0be56b
SHA256 f4a0080e5b2cab196139cbfbab1d9521aa2980c1da0ad5c366fd0aed41a97126
SHA512 cff49b2dcb8e5e3eac8c6f6fb1f18a463d3f40d32b4d8d1cfad0acc182e340541f88e4ee79998efe83536bdc0ba11dfbbb23176ea4681cf516d486ee7abf6261

C:\Users\Admin\AppData\Local\Temp\oUAg.exe

MD5 6cafb8be31384534ebaa33b56d3bfa2d
SHA1 ee0cb45753ee39ffd8f44a9b75abb01d6a5076d5
SHA256 e69f5ae8b7498e152f4ae579ca768f7bff7ee330409d4afe68e7efa5da8671b1
SHA512 3c6d3a1777a40b5adb87f439f5fccdcd8dfce7c4d6fef6ce72a66f7fc678921eb15d33b74e5e8e7eeeef6fc59e8696c24cee678b7f33659bdd3bd05963b89d11

C:\Users\Admin\AppData\Local\Temp\Uggy.exe

MD5 71f42d074697f8cf6128d72e5b51afd6
SHA1 65da1451bafac053643c2e931a2be07eecf955f1
SHA256 a2215a45cae3a0f2a3a3da3d4962db2d4ae237cd5a279c1588d7c07bb009d15a
SHA512 c35c18b38fca319477b204d8a59eedf6fa73f4f24fc9a16d3775ef51414801813bbdf3d1b3a2375d9bd1417ade8bf88c4779cf97f53d3c5edfbabdee7b703a5f

C:\Users\Admin\AppData\Local\Temp\QkUE.exe

MD5 216699ffc71751c4a0a7136dff41dc8f
SHA1 f95a1c7a6bcbd4c3b663adb0c19fd00d3d4c16c7
SHA256 5d92c2dfa9a75f39489ae434fcfd974875997423a4b3e0aedd4a3a8f24627d2f
SHA512 ab056b54375d28e76b7bea4ddfb9973df46dce5fb34692652e1f2f466df9821f9a2ee21055471d2b6be470c6ecc9bdd86a6e785aa348ff4de7e1c674973017a5

C:\Users\Admin\AppData\Local\Temp\sMkYsEwI.bat

MD5 31380a733e91f2d1595d82e3f81319de
SHA1 624d73298e1bbcde5ea6495607260f4f8acdcc2a
SHA256 91b06641078909d2aa2817e4fcf5922da7d4c8a62bccc702c2c88bcac47a84ef
SHA512 75e302e217681da0a223fcda476bac4765a647554997a02f5ca82d80c6e3f419454d62efd3e08fe9ed5882fb2f705dc633a07fe8d9525b1e98504e1a6ea9d9a9

C:\Users\Admin\AppData\Local\Temp\MkgK.exe

MD5 d36a876c5c25f8cabe219d3be8f91dc7
SHA1 6bace03ba7e1dc5f6114d8ad6c2ec27620819aa1
SHA256 1982fb2f041811573959a2b587142b8e315d71d3a3a1ecb30b460e69fc06e905
SHA512 e890450b4d6bca8bea91a7ad25dc5ab76f290ea926aef81552fafa1483167cd03c4d1325bd7b4e773c7136827d6496470cb4723d0887cd577527bb973bbcda02

C:\Users\Admin\AppData\Local\Temp\UAUq.exe

MD5 a3a7519f563970610e57878f4ab2daf9
SHA1 f3f98c9416ff0dd9788ee04a46b8b6fdbc56b751
SHA256 17146dd8680b26d0f900a0e510a25989e4f4880f4c842494dcb0b368b7f18b46
SHA512 947a0db10e3bbcdb1385cb71ad2c6a4befc224624c2b2a256b7e338fe0d7f0f2b38570d14c845506ae5cf785212f82d5ce082bbdb48246a4925f01025ee58a29

C:\Users\Admin\AppData\Local\Temp\EssG.exe

MD5 de71a5f4a0b8f879bc0e087fdcfe16d2
SHA1 8733203f5c6253136cb19a65b158be867b8bb604
SHA256 47443e2aeff96570c4e5c9e35c14573992e7f87c85150d99e44cf1cbd6861939
SHA512 c5c1bc583dffe521bfc496295e1533599f2cfcad6462e92650180aab01789c4969f457125cbe34d96171aaf220ee77e65f2cdf5c4f6d15edf3bc7bdc18dabef8

C:\Users\Admin\AppData\Local\Temp\WEsy.exe

MD5 ccd24195dad97d4a31b52812b335e016
SHA1 59e124650b3110b8f33edaa7f5a1d127ebe126ac
SHA256 f5f8251910dfc379d771fb7355d254a45f97487e046611d587a11169240eff22
SHA512 7cb76c0f5afd81ce5fdbb7b04ba492939e12340080ecd45accb397e4b548153f5fc1196426e2bd2ba09f0508f909ced539f904a5b3acd6ad48e01de92e0796eb

C:\Users\Admin\AppData\Local\Temp\CUYe.exe

MD5 3a8d51260674071ab8901ddf61e06b82
SHA1 a6ce087d65571af81a79fb43be6e10d635c7328f
SHA256 9c3a980763c39f43d6587178da6d91ee4c1323b0eb507f01eba64d5032726572
SHA512 645f6a109b52bb7e52a3c4927304da6277b9fa0604ad2c7cf3d3e2b5d4139f8de8dd7917435545bbb01c606af93b8f96382a95bd5faa7884128515b03bcd2e98

C:\Users\Admin\AppData\Local\Temp\TcsEoYow.bat

MD5 00575bb523fb5220240faa979e03334a
SHA1 47f6abc1994eb0d799ad79f15def8eae4eb87513
SHA256 9d6916a3041dbd6e58a1ebd2d111c2838359b8132e3a8fe105de903d99663afe
SHA512 00504b9c78c5a6d6bc5992a4afebb339858c111c9042eb192a9bddccb6d3542c81c85739135d2a87ebef8b92604140b57fa3ebb8d06e2a5a0ea48cbebbb73e5d

C:\Users\Admin\AppData\Local\Temp\eIMU.exe

MD5 f3c2facc754f12fc8e5144da028665ec
SHA1 025032c6c9c2876fe989bb731e17ce29e10e7d40
SHA256 85e4be7b33dcae467518c050deb2fb451190956fc6e93313c9b25efaec68d7dd
SHA512 012b095e0216e54da7e8f94ee740866db28e74a4ff2fc413e052f40102218c37e3ac9b52d0025f833183e8cf43165ee05ab03e6981b1ae6bb60e7f4504aa3464

C:\Users\Admin\AppData\Local\Temp\mIMA.exe

MD5 f847948c3f78c0ac49025c2aaaf3f469
SHA1 1d3ea15dd561b77d6e995a5fd4732ade4dacb1d0
SHA256 dabc7cc494b5aea3c58c54922df71cb872e98bef070ce6fbae9ca9f88a626839
SHA512 8cbe7ba0aec00aed5ebf83ee6a4cda55bbfcab6bb040e4a91eec316cc337a49d8c99e4a15bfa63cfe91880811612ffb6b457d2cfc48c5e6ba46cfbd00a0a0f00

C:\Users\Admin\AppData\Local\Temp\IUoW.exe

MD5 b81a2d93966c2d29e23f3a4b89a07d94
SHA1 71f0849cdb99d1da9d8c2c474b760ff552ce2684
SHA256 5039d8ccecd97723a160a618e52e8f602f95461c2b50d4f8ff016dd7ba7379fb
SHA512 16ba10511fc9634d256fb7208139dfbe920c45bd4fa7409810cc746d1df4148f34f020f4924c90117eaa17c9f0e944721a9abbb14e38c7ea94415ff451fa5f6d

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 588aa539657d9d07d20d5be893071162
SHA1 4a5b15bf48fbb55be08af99791243b9fb92e92e1
SHA256 272d3817f9605ba84783c482d962e58c7abe3435153f711ccfd6627d390be2c5
SHA512 9ec2f08de6a51cf42005fda6c9e86995507d2070f5353131b152f274e1b57ff63ca093f965b03c45a65e88a07b28d5bbd57f6fd88396258d77a75368369134c7

C:\Users\Admin\AppData\Local\Temp\KoUI.exe

MD5 823b12d3677d3f5906b3dc7904ea1625
SHA1 6a741d46882ba234a0c107994902d686289badf4
SHA256 f0fcaba503ce53687a51175e9e9f253589bb5d2bef96bde365a6895c85d4558e
SHA512 c75cb7bd30c9ed40715b41817be7e6e28610b3bb450434bbf3ae90fd94c95d7d3891bb6273c73c143713c5933683571422e357922a825017059a6eb091c62e3b

C:\Users\Admin\AppData\Local\Temp\EkYq.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\kYIk.exe

MD5 30bf64391ded4242111b42a2322ced04
SHA1 6030fdcb6451e5774abd1085a3866cd330e903a2
SHA256 6e227503bbeafa639dc1592e1ca23094882035a30b01cd95f2bd53e81d49771d
SHA512 032f56cb073972b24c770e6745f07ae13b40f30d428da00cf51f6ceca5c34d9a32048cbd21da0e60d6e5a3e4883ac7f44be34cff7f56fe16109d69cf3f35fc1c

C:\Users\Admin\AppData\Local\Temp\lEgYQQkI.bat

MD5 34a0908f8333c40220b413eb2271a2a6
SHA1 f2136ba8f2b05581a9fe99aaecb3c991b08c3959
SHA256 b3f8386ae41e4e3bf4572ce6ad612673b4dd738e4e8054368e2ee53fdefa7543
SHA512 8bbe48aaf39adc17cf80095ff7c3ece60293d0fae21d711181da12138e0af79cd863ee5cdd275d2fc863c393ed9379e88bd3a0b26169855210c2b29039f56463

C:\Users\Admin\AppData\Local\Temp\sUEa.exe

MD5 a1d294d60cbf7a2c505e48c51a68fc03
SHA1 6ac59e5efdb326a5b116c5422b3e90a415c17a19
SHA256 30fbff0d2db196b4979742386006753e5fd07f1ed7b3694875b6f1ab7628a0e2
SHA512 b2e66d54fbf190715f50178d43c191aa6aa138006b4a5e2c55a5f946381556dbf7fd38d8da2596c7cbd26bb3778ef8854a415739035c85f53a3e339fc530f82e

C:\Users\Admin\AppData\Local\Temp\GckW.exe

MD5 b2a5d9593484a5a2da0224bef339cd36
SHA1 0870cf947b5788d05022aeea868c831dcffe62f5
SHA256 c40985acc7b99c125f7722ca6d9da631778d63d686c91bd8495c727b129ef015
SHA512 30de502ba445053bee2c10a2b50be3fbbb7e823b8453809e7c71e63e6c9b838dcdca0940dcf30ac4ec22cc503665f7be94224bbc2cad4bd234bfca7245c689c6

C:\Users\Admin\AppData\Local\Temp\qEwe.exe

MD5 b8f67c5b02ec760a679cd97e6733fc3d
SHA1 a93b4abb45696403b894e7b39759ad0feda29ab7
SHA256 1b6ccd6a7d1f3a2a39825c6b3a4c94041e57f03fcb18108ecb0f0a865b64c49d
SHA512 1e4e5f26cf21762ea21fe2d2d08d52a6fb3ab6cfe79ec826210cb33b7320b0c2c153b4fa01f5bc4f8e0d6ed88a82c44c42a1a05d8f925a614ae8aa2342a61f52

C:\Users\Admin\AppData\Local\Temp\RGUcwIws.bat

MD5 bb44ba591ea2d03d9ceb65cd15eeebc2
SHA1 57bce201826152add88b05f7002259b980c8f589
SHA256 a7443dd2ed39bd0330a6952dbd0d77d0d82721cf10085182f1126bd73fe34b6e
SHA512 29076354dd5119929bcdf02d2550744c772709233e339a8a18d293c28e452b1bd1a3f89194645d5dca9b10b87f00f170181b1608a6cc33dbb5573f38854b5806

C:\Users\Admin\AppData\Local\Temp\kigYkcMQ.bat

MD5 49dbe6703242dcdbd685ecfaa77a21b0
SHA1 a40f382e0dcc8f7039f079c683850f3050650826
SHA256 c94cd0b82d527cc59d825548f6209968e52150dfb4c7a494125d367f715e17e4
SHA512 b99effe9d51ab5e45f9d5a6e0c3f3130cfcacdc25ad56f6ff56900efda2bac52ffd8f6ec538aa21b513ee46dc4224549785a0a7c13b625db6293c0602ee2a494

C:\Users\Admin\AppData\Local\Temp\yusYIgcE.bat

MD5 9a59a97f756cd82f0e937320de068873
SHA1 8675eb5952d0f96c3dde95c77501abd405899846
SHA256 252df2cd26cf92a7aae3965cec5b246f64023377524b393f810c0bec94e973de
SHA512 13a780b36e9220c5fec738e53e98a12669d615aa29a77026435629bf211bba771678872d167466b7a5f412e34f25cbc9b1c2f3aeb727c9438b1a69bf522fd98c

C:\Users\Admin\AppData\Local\Temp\kqwwMQwE.bat

MD5 482924e0245c42657d64374f9f315504
SHA1 b0105357e81dd6e3f993655146d26528c44924ca
SHA256 f0ae4133dc22bbfd4142ba9f426a8570c186ca4c47d9cd859891d8adf40216e5
SHA512 903c3283f72956f5f28ce1fb81d2799aafd48d4d21d08044f3a6dc1f17a36c7b069dc3b0ba1f28d531f6d2b64a6d66b31db303ae01b4193897d6f682fe326b44

C:\Users\Admin\AppData\Local\Temp\wysIkEIk.bat

MD5 ed60671642fb9e0aa3406cd05273813d
SHA1 2020f7474767ebe378b8fae3b1da5a7afa97133e
SHA256 bfad4d15202283f236e9b4fcda02e7f20c0c65f75be3e5d12f78527b63533a84
SHA512 bb6dba695a30bae274b59eed3cccdc5138183f685fb78a7b5a52adff2080689070409acda8bdb02fe742d3bd5269a6d6f8d1947b0f563389e25c4135b5ee2367

C:\Users\Admin\AppData\Local\Temp\fUkgQQUo.bat

MD5 022862539cf2f9accbeec00d8963108e
SHA1 e1b1731d3a470898c3f2429617bc0f3bb266938f
SHA256 4f895156c6ccf1fe6aebad61de03e6b835be3e458e2d267d670c9f6fd00077eb
SHA512 86c64f7a76a45f457e155b75148311dbb630b3467bcb4230e267f18d340a2650e89e24b0ccaff48cadce31e3641d57836f9ae7f3252ca3ab0c59b6f3e1927ea5

C:\Users\Admin\AppData\Local\Temp\JKQMosAk.bat

MD5 feb5129b8bac2843c77a47ee0922d6ae
SHA1 775420b91129844c2f65da7e26726293083d4eb8
SHA256 b401ff3160df6b9879cbe8f5c97e18f904026c96d2b56f5ab7d31960bf827b7c
SHA512 569f59dbba24325dfc3a26d8a144d894dacb9e0dbcd5c91f63ed15565a632fabb590be985c2ed4b8277095a3d0defe937670575616281f3e81f832356a06c5e6

C:\Users\Admin\AppData\Local\Temp\taMgoMgc.bat

MD5 aade23e12a54adfdf168c4a655dace87
SHA1 e67319c8581d264bc14072f1de007eba7b65c257
SHA256 4531565c4b7bd638c7c802cc3eae1be413a4cca11990aa6687184eaa62084f8b
SHA512 90c0fb60e41e31399282b64e60733ada76d25460cee0d8c7475899d5b407b5ea15428d16b9736fb2d9c63bace824f8f26ed757b5702c09c0159226d6429d4fb1

C:\Users\Admin\AppData\Local\Temp\DmYAwQMQ.bat

MD5 8a8fc0764c44cea0eaec4ed964a17a75
SHA1 6cbfb479b261d55387a36485bac5f51688e71d3d
SHA256 487021ad64f9636ce00d78b14b54489d8715437ebbcb8c3fd5d7614eeaf1b2e4
SHA512 249effe00bd2a410facfea8dcf46dc46da85521a98a17de90f223af08b9469296a744b816e1e137fc966681faabc504a57eb043ae274e3ea9870749efc2818a3

C:\Users\Admin\AppData\Local\Temp\gqcEYwYM.bat

MD5 8414d2aba1fe758736b6d638ee37005d
SHA1 0ffaeb88ed42432cca8f1affde39158cfe093416
SHA256 fa270415eaccf667a4d51e1998c649c7a5f3c28ff89e27093feac65834881751
SHA512 7b0605e2abfe29ba546cfb59ae657278b5a6576716c736c901d0b27aacd3a59df7a8c0dc5a599aa55c8f914af85715f8e622af7f810d3cc68a1f6a14f345d8d4

C:\Users\Admin\AppData\Local\Temp\msgskkYo.bat

MD5 952bdb3b21aa0086b7008a62509ecf72
SHA1 b3d150e2b3737b46aeefc59614a7459075ef9be2
SHA256 8dc321b9135ee4fbee83a304b911e871f83e7ae84d344bae6f464804f77b2f86
SHA512 e016f51a53c8582c43c3fc432f0dce55685b83989ab490fe23037f976fb7b6fc9d976b0b105ed6c1db6398eaa42abffcb4b97e1dcfc86620ea121d6ec850ee88

C:\Users\Admin\AppData\Local\Temp\iAsc.exe

MD5 ed93d25c7f3ccab78b1d44f666e1b5e9
SHA1 ca7edf04daa53edec2df5d64e3602479b560e172
SHA256 b620330d2093a9ffd610d88482e36e4db48d39e7e969def27fc162a3916d4eae
SHA512 faf43a588332ae455f5abcd817f9f9b07b445e1de58ff4d0299e81fbe82cf28ef8e6bcddaacb7636c042d74ba8ad6c55010aabd4add47f2e1b47b252bece8604

C:\Users\Admin\AppData\Local\Temp\MMMg.exe

MD5 369bbd1e59da61482ee08c09cad052be
SHA1 90b5e58ebeb0699fb03492d1d2585bcfaa08a82b
SHA256 02208c52a9fe36693bb2977f891782f38c0f7ac5257f1e79ef527a12e1069067
SHA512 a4a62af475537868681edea0319367e0708fe4b0c0372d7630904ea90eb29d65eaee13b0d9d194c7d764d1258292c12a7442665889ad9f88d3fb162ffd4c194c

C:\Users\Admin\AppData\Local\Temp\uAsw.exe

MD5 c4900f7e9a3fce1feebafe04e0831202
SHA1 78047be060acca1377f540b0ee6ba26715dfaa7a
SHA256 b027f5a6ed785763639183681417cc7388d850c466482f7323bb7674529390e6
SHA512 dc3d18d45b31b121eeb471c15ac3cdd350b10572980e87776a9a4f02998ff4327c903019670153fd8677e8926803da291579640685d3709b5f0643f3cafbc821

C:\Users\Admin\AppData\Local\Temp\Wwou.exe

MD5 6e4ce9bc65958824df9bbd622692fb5e
SHA1 3455160945de4380fcb7b93b20abb8c19edbd3d9
SHA256 77885a016616a699400600d6b102123e7c979d7b09136e3f80ab70a71a105c0a
SHA512 a088fe555eb2785f1f383e1c9d9fd9e1d9f22b00f0052a5b1d3ce248a43b143aabb5458f4385e32ae85ba116014818af230fabaf768dfd74832b45dc7f2dffb3

C:\Users\Admin\AppData\Local\Temp\SwkAQEsI.bat

MD5 ddd9022300e741b971dcc69ba2ec0a02
SHA1 4942ea9e6f985b593837a7844ff12454843f6957
SHA256 4e31112659639fef123c009cef7c0ca3cdc14e589f08753795638a9092a1b4b0
SHA512 3a2ec977ad5502942a2cd8f9fc612fedc854bb49c08f190fc13221a05cd3151b3735db4b599608111b8144ed5223861b83525776c1e1add100f3ea0a489cc0a8

C:\Users\Admin\AppData\Local\Temp\Swcs.exe

MD5 d9d3b9b3972cf65e90dfaf5ada58e031
SHA1 77a86733352f0cee35bc5b11ee1a5812a63ecdb8
SHA256 8e3e95c0f72616fb1c184d9d876c530fa38e5fd6607a4f37ca9bb979c011ce8e
SHA512 78f54b8b5a655bfa8b917a64ca562e571f6baddfe32e1daa730e1c3b36f86e6a96beaebca8845c50e4b6d596861e3b3b52b66f4b229dfde4ac2263dfd63e6058

C:\Users\Admin\AppData\Local\Temp\MAIs.exe

MD5 289450a62f8576b3175721c7bb79eef3
SHA1 427448ae568f150f256c87dbe5b8844d33c1a18b
SHA256 cb0ebf69cb782e1107b8297fc9eec8c0a43f6942802e18c843e1eece26fc6a4b
SHA512 4144fc1900bdc79cb260ea0e13e5eb0fa81acdd9d476ce684309a049aa5211c71bd5fd2e6495424cf0738115c12e4b64ffa1c147d32d1487a3417e8a635ef2a5

C:\Users\Admin\AppData\Local\Temp\mUAY.exe

MD5 3aa378aa9cae1e317a91bf0921f48be7
SHA1 8007efccbfcddc0e50353db4f5cdfca0bdaedf55
SHA256 b5dd5e8872fd835063eef0b30e994c9b02e4a11f8affa47c4860b940c23dce04
SHA512 ff7d9c60b32a46ebd0fd9c2bac7fad7d2ae9c53a7dd1f045992b021d063696f81da46316d9796348396e3693e121021fe1b1e6919ae988999fc19dcd8b2fa581

C:\Users\Admin\AppData\Local\Temp\aYUE.exe

MD5 364db0e044e9a6dd461022ebf6892383
SHA1 562978e9dab3a3cc997f3381dde30a619628491f
SHA256 a6c25511ccb1527e56b31fbf27fde3b1542d6db7b88879cdce8cf3a626bec37a
SHA512 f60b6f5bd91059a0d94e2e1829fde6f37ecd9de36c10317748de7927fa2859ce92c117d64aeca40cb037e353b917ee3a0b1e4a9eedfc0b167cdd620278285a47

C:\Users\Admin\AppData\Local\Temp\gkYw.exe

MD5 105da8210b500f3df3792da7ead440aa
SHA1 c91bf8ed9863abe357c31c5ff9185612f49b4405
SHA256 8888d120e837f07bb345250c449f738595eb40beb0550c0447c9b5de7a7dfe71
SHA512 fd74c515f1aae3d5cd4a1fc5e321277d02979d3662026caf51acdd8c494a584345c6631302b46a7f800f2283eb5fd09385bc808d741911e82ab1bd77c19ea8cb

C:\Users\Admin\AppData\Local\Temp\kocS.exe

MD5 fde9707ec9799682568bb89f8f41234d
SHA1 bdb0f4e186ce089b0322c5a601799a305352c6e8
SHA256 6cd5801b2c3f1f5b9a7c057ccd11db7fd08a90f506dfbe56efaedcd029027a6d
SHA512 6e60425d92f8a250b1fa60522f31c3b070a20b13e43211065bfb1736f277c303102cf382eccfd3646ca4ba4f2d9fff95a564485c0473c24df675534aa7c3dd1e

C:\Users\Admin\AppData\Local\Temp\mYky.exe

MD5 6bcfed8aff1a3fd07f0e89c35fbb8d18
SHA1 d93b2fbfcd36eeb37db4f0abd772d308f9662e9a
SHA256 abc828fcaef40a31e40aa707596f94dc85fef6301e90eda4c622f6b61b82f252
SHA512 38e80cf7dd0b00f8853e6125a73fc6d77fe9de0f2ccd910dce7ce363284076a8235128929cf645e5099242bd5ff6292caac5b14f695db0d244522d238553db5f

C:\Users\Admin\AppData\Local\Temp\KEYw.exe

MD5 d9c40be5a2948bfc1b8036aebdd342a6
SHA1 920977c566ae825df226910ec3faaf63d3502429
SHA256 c51e442c97eded0662167682295634b20eb1f45858d4848b15d96e583626ef0f
SHA512 dee74fdf27b15a65f846bcc42072f1d71e415792fcd6e5a529d8686b534bd031630a7cb38ee312f12af3a435e41a5e55dbf6fc7f32273575b17ef6cf05624ea4

C:\Users\Admin\AppData\Local\Temp\yMYm.exe

MD5 c20673c9e61b20d17a3abefc9c7a9a2e
SHA1 70e6315a78fe24202b1191b6b8b1993fa01fa125
SHA256 b4c6f442fa15848423999a7c787d551c1ed81dc5cdb3c6c889a3a7b6c40d2246
SHA512 205c38e8ead8273ecb41e5cdde1de9f4bd9b78b150d3fde11a6bcaeeea386bfc9acea3c0ab19e292ff0b31e84b1762ef674097dd3a8579bfe57508ae22211cfd

C:\Users\Admin\AppData\Local\Temp\AycowEYk.bat

MD5 48216b6bafdd21c7212408a6280c6972
SHA1 4b61feaf9033b6b0127de9d83a2f9b48b70ffb93
SHA256 282d95851453075e6bf7650aaefb720ceca96aee6ecfc4d3ef899889976dbe86
SHA512 9491adf79cc97a86c9ad084c4059e0d9d5d2b9c921f9a59e1fcc8920f91caa11cd8969fef14d9f420d4a028797595739005dc33e4b8d03a7d9f5265e9eb19526

C:\Users\Admin\AppData\Local\Temp\usQi.exe

MD5 b07c29f538b9dd7e3872152349cda8ee
SHA1 a52e414e7320293a946e419f0a799dc050be6d8c
SHA256 045e2035b45b2cf30732a9724882b19a60f8946820dbde729e7fd0eb9f8817c8
SHA512 70c9474774d7a3db826a37ab890d20d2d97f79ca52a83510df1d51bab3d094a5c1614d0bebe73016210c8cd294d3c118bb68f17bf9ac82a1c8f5a8ca2a29ed6e

C:\Users\Admin\AppData\Local\Temp\MUUM.exe

MD5 7aa61cbc47e1dfd964fe9fc5d572901a
SHA1 4871e0748763e81eb81f1b9e978eeb422ad4fb9d
SHA256 97ed8572a091f10062fc70605dcf246439eb73aa5e79de94fe81207a944094b2
SHA512 13688cff99dad0511eadd7c8dc11fd4f5239a3787970a731682410b60a9b536f1a6b98f150af4525e45009ee72bed70fe7f7a0a3ee900776f230595d94655fee

C:\Users\Admin\AppData\Local\Temp\FMQwUsAs.bat

MD5 cff24c2fec69afdad915e76513016a05
SHA1 fc011fa7fb217db48af72669e0fe0f93ef6c26d0
SHA256 cf73e1943045fab77212ca437e3b47061dc5587f82ea04ac169bd68a5a74ca08
SHA512 4d41bc0145db8e42572b110673a8b4aecff25fe82664cfe3f23cbf7e056d4705c912683f5737c13d204ec8be509d2d5d647f16656d442328fbfed7c6c7b35dce

C:\Users\Admin\AppData\Local\Temp\goAk.exe

MD5 7ff8cde4315680af213651adcffc24de
SHA1 f3ecb655bf137b0846a51af6ab7d9ca29f4e8b16
SHA256 a40748ad6d2c6e842bc1b344de031cba8f19d4dbd80cfb3c9facd66adb038923
SHA512 ffc90573017c34e4f414bed69bf535f007ffbe52e1dd7cf3817d925ca6e75debf1ff6596155cb7ffebfe5045ccedc4709c1f799536f9b085ec0546fc72cbe747

C:\Users\Admin\AppData\Local\Temp\YwIA.exe

MD5 ed911272efa35ce3cff39452ff47dfea
SHA1 4b71793c004ec02dab5a46226da6edd5bbd7240e
SHA256 fd724928be8dae1561437779e4d624c958b256efafcebcaad82c5255a98270ac
SHA512 cd774863c6c2c6094925bd197d93c8d8642d442913493ef53ce41297db993e59332ded7c5c3a0b05b679f06fe3d5456e632e353e948157be8ff1358a40a3ca69

C:\Users\Admin\AppData\Local\Temp\uYkE.exe

MD5 18d6b75cc82a5613e4a66649e77a773e
SHA1 7cc70c571073ae0d7415590c21ce9c582c0c5844
SHA256 15c360e61582cadfb46c928408bfa4d97f9e040b92141f5f25e87887c723dc0a
SHA512 50b6f277c4543316247ec244282c88618dd632cd00ed6d5f2e99b2c35c27e4c5116258fe5a144302360173ca9c5f655c165670da7729160bd9806241fbf635ad

C:\Users\Admin\AppData\Local\Temp\YcAc.exe

MD5 7c6cf8679e4cd2f1e150d615dd502822
SHA1 29ad5b18793a4132bd3d9b9c434dbe559a9881ba
SHA256 02df91a250dad89cc202037a75f7e6d8d15975792587d91625f68b7ef5d23401
SHA512 cce8e30e21e13d62b18cfd96d813246aec548ef5b3876898f6a2a9d1a9d5213bab1c40003651fb5166abe4aae53cf0c6ab52ce22707fd5186fbdf21f3032756b

C:\Users\Admin\AppData\Local\Temp\qYgc.exe

MD5 9175417bf8da830abcc6a1812a2ea49a
SHA1 df334f4f7e79d0a3f4bdf81ce8f76775ce09016d
SHA256 78df00541c364fac08932e60aad293abfb8520cd0d2672e7f412be132cb56de0
SHA512 6df61902fa59c0ee4ce5764bb651615261b7d79e6d363062c01c20ff94ad271c8171d28c43a7d59cb9c2f04285eb7f0e8ebb3f2585dbcfdd04b9ff059758df92

C:\Users\Admin\AppData\Local\Temp\ZWgMAwEM.bat

MD5 65deb928648bd2987f2831c7b56ac888
SHA1 945b9c467b4899a01b35560aceebd9efff7a56b9
SHA256 1ec9318f18f48efbd9ab1761b8a4fbb7bd9fd71868e511815364e537a09d51a2
SHA512 652ef25aeda79dec43313326cf9468e1763a1b382bc48cee19eb623535fda52834340118482ba174178f5cbbc38e7dc67d0bfae5b301ef404b8d8e6c6faa0d84

C:\Users\Admin\AppData\Local\Temp\KYwQ.exe

MD5 779a86269ff9f9779ed47be1de43593c
SHA1 ccfb9161be71ecbbf126fb0211c22b048ecdc8fb
SHA256 e6e6e031e4ebc9e4b8ee73ab8b9fb3887002ce3a43f60819affb2237d347c87f
SHA512 bb0ce89035980fd37883d730379ae5a6addeb385038a1bd8ac21e70446a230b0d484507e52f00b7bb1d24d4c1fba6c94fd6b4a4bf4b3a1aeed237569b45eaed2

C:\Users\Admin\AppData\Local\Temp\KQAE.exe

MD5 aa98e665121243e6ee6390247a51a5b6
SHA1 24bbf0ba6ba11dac21da1f494d4fa29be7f34bcb
SHA256 91e8589fa2ae9d6070bcaea5cdb25b36f02cfc2dff43c6e347c5f0bebfcd8842
SHA512 0807d44ebc130389eb5d91a422b69cc5ba817d4287cea7ef5c31aeff81fd9e652212efbf81457c84580660b1a7e3a60e4d3378ed4805da025521797463b4325a

C:\Users\Admin\AppData\Local\Temp\yMUI.exe

MD5 754abedfe2ac2e226f4760dfd43dc6a9
SHA1 57ad0f1f5776c5a1c96ab583fa985f4a4be7524a
SHA256 b1ff94a52cc6ba862a7e3dd063a70f5545d547a7e11295f54cd510d4c3908914
SHA512 bf7511034cdb3181baea4b8df9d24251beaaa7e35c5f916c76f5fe4e79f0be83cadacb05728f9b4aa1ea81ca068c6c8705aff9fb91e480e614a9b6a35b508937

C:\Users\Admin\AppData\Local\Temp\QwMS.exe

MD5 2fff6acc322ff23128fc6212a55446e9
SHA1 0592ab5ded3aa519606dbba9dafaf5d86bcc1395
SHA256 c9ca629eab676122fb7287f5e14f53599d059ee1109f57afbf8a67ebaa8d3b19
SHA512 65e5dbcf5d46a0d8d2e2540b96b4b9cdc0dbdd9c2c8461f2158ab9a6be683be017b6b389df32d8b447475f67c912b0380d5bb4762f4d8d04ddb8d5eca394fb4e

C:\Users\Admin\AppData\Local\Temp\OQAy.exe

MD5 5f0b894c792fe10c0cef033c7cbd4f97
SHA1 008d2706eb10679570498bb626c419df82fe44e1
SHA256 d829b7706652c38c4ed1e5a408e45e5302bc909777b6f100560a3a16eed6e8d1
SHA512 7cf3ee9342c480d827cb1ee098c3d7c7cd5fa531a89a943f878540929b13eea254fd2358a681f3e80a1c1efab5cf0a4f41596f3cb4adb2a0b784890bbb101683

C:\Users\Admin\AppData\Local\Temp\hqcUsEQU.bat

MD5 9ac8d848d6a440781ecd8c371ed885f5
SHA1 511d18e04b6882aa2b4170545af568adc63658b5
SHA256 5ec2d3c207f83937789ec9d50a19f4bf09f803e388cb93cf6ed951814c32d5f7
SHA512 ebedff8b41a4ecc92af4b8ce7544d2e55b6adc388f58c482a65ed144d633df180bfaf1d1d0ae19bc71b84f91d331d7044d2e2fd455c9b49211aa23d3c85cfbb2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

MD5 faceb7f26dd1652bca9e39c88b702f1d
SHA1 a6222c62e654e0ffc8cb666fd8ddfaf666d49e33
SHA256 375094ede4a7d9597f2382893d4f2f4b329c252ee2840ce5e36ed4e469030c2b
SHA512 57e19476661994ccdb78860aec43a628c1ec7a3570c0134e9ec5ef0a05eb3556acc766914599370514b0aef9d1937f243a3330032211c7c9933c14b75911e3aa

C:\Users\Admin\AppData\Local\Temp\wAsa.exe

MD5 32e7f040f98e6b1300db8b275ea71e4f
SHA1 a1c0c370368657d4fba171b97363ac9033a95259
SHA256 af510b9da99b9a61a40a878fd9929ccdc506e22fff5a409c3a9cb66b8231b2b0
SHA512 a32ef8746469350ff5f5540645c7acb21c51dbb284d003a9e79110d9ce1bf958b3e08d8d7a09b069ccde956c78154efd8d5d2bf53863558aab30b42fdb4708db

C:\Users\Admin\AppData\Local\Temp\MEcsoUEk.bat

MD5 4d0d254faadf21586b34dde6414d89c3
SHA1 965fbb7208fd4f19b40ac9b518cd8aaaf3df642c
SHA256 c43db941b0f7c41931e2044fb93616b7b51281deb0cabc98a6fe6e19fc6f66df
SHA512 610cb465164dd59861f7232fdc42a7f2f3cb22650592966c4d33f62a86b02b9c8aca745b21452e1ba77304df70a8c864ab4683858bcba7aa47aa8f5e15571d2e

C:\Users\Admin\AppData\Local\Temp\AYQi.exe

MD5 1ee93d2f4ecb2ce6e4bc996dd32a8cac
SHA1 ffd998d1e6add3c00e5633e84c10c83e23249e0a
SHA256 f4e1d4d82c15166d2c20dda81e76db382bb999a869827b082321aae5e8dd9983
SHA512 b589bdb6d86853e2e4d540c1aaae15a3a505781e825d70e157ccb935893ae8c06f2b7163a267a8499e5cf565c84bafaed1d414560d779f7bca4c377d71366c01

C:\Users\Admin\AppData\Local\Temp\QAAMkcEE.bat

MD5 f0475aff7c427c54bd3976ecc61e24bc
SHA1 62eeb86e19e8c048c01ec02c6a328c46792c4262
SHA256 977b168e223d403a560e817afc0c92520145b293cdb29946c88e6145df395eb4
SHA512 21ed1b4c54e4fbb0f72c5dc4e76234b849f04b9858fcc580082a4bc8824e2ba903abd1020727e2a3ffa95800e648d3617ce0543552ebec1aeb97bd5c8e4eec4a

C:\Users\Admin\AppData\Local\Temp\CYAW.exe

MD5 751efd040e3527b803be6d11de57c217
SHA1 a9d0935e22cb1aab088a1a6a93f5ac1e17c3d3ec
SHA256 9080d8feb1e32c964b7a165dd22cce2e6275f45b751a3abe39fd379c2c8956ab
SHA512 60a1322745d13a677f34db3b8156d60582e6d66356566c1d3e4d8be9a5227ee9331f1ac9bff068b4251d4880faa37a4d8748f9ade87315a74e9d0da1510e9062

C:\Users\Admin\AppData\Local\Temp\gkQQ.exe

MD5 2bd7e78f97763f2a2fe1ade1b23ef8bd
SHA1 d04e8b8a6c7a69c892f84d7853728b48c68665ca
SHA256 e06bc9d6628a5b88f804dcd4ac79aa37b4abfc202c7b7dd20a250dda9ab38c88
SHA512 876db18457b54f9d40dbe73ae3cfc418d94752b91369c489e880f49d267b35679de35b11b96ac039a65d3faeb174fd1f1c3aa6c74034f5a0bf863e7ef5c5272f

C:\Users\Admin\AppData\Local\Temp\CYMW.exe

MD5 e1792ba8e5bf18c9748dd6217a390d60
SHA1 e8cd64408d3a28786049edaeba3188f711f392b0
SHA256 1a451a3bdc0018008443cc1b8d1a3f211a0173edb494f21d3a5e101ea08bf9e9
SHA512 fd4f55c5104e485dbe3f62984f54f251adb29bf71a0920f56db2c57f83d4d74a214629d8a864d5087b37dcd4ca8d152cf0e67b1c64c86c5b960a9247e7b7a8f8

C:\Users\Admin\AppData\Local\Temp\eIoU.exe

MD5 8d247d2d356d4ca475f382f0f73e910f
SHA1 7b8fb4190a88c770648afcbff041dd3856224287
SHA256 7f19adce96c59a829f8eb6af853fcb7316009440d5a824621aa123d464a8029b
SHA512 6e3acd22efe56563207776b6a87fe95449cdb42aa9544f1e812e42278f2481de91b8615c9dfb2dba51e098333805d56354c3263a4ce3e9c5beaceff966c57f54

C:\Users\Admin\AppData\Local\Temp\uAso.exe

MD5 b262a00c9456f217252721a0d8488180
SHA1 ce8e5ec3307f5f323030042c00d0a8f4dc0d0472
SHA256 4dc3f05ac637c4e66604b955ca6d277ef53e69ed96f8302d5dd5c100190c3dbd
SHA512 39363fb6529c73931b21a4e18735189154407050604882e964774f9a2d5d5bcc861780c47f378290f66d2c4711896841d07c4b53243f06c8ff4de03a3ff27444

C:\Users\Admin\AppData\Local\Temp\YywAksYE.bat

MD5 f719dbb4537fb83a6e9702a853a31379
SHA1 6919341e9f3b6fc4d64eed9ff9ca37bf5128eea9
SHA256 4d121049a7f88ea67506529d41bcb42ccaebd7e75e2b78e0d634a441831e6718
SHA512 1e4724911368d79b44491cd673bb0b4b8b6c8ab042555e06c09b26cc58e0e8bdaa5752e8ba4453aabc22ff07b2c21ec896771c863fac618260c89f0c0e2a26a8

C:\Users\Admin\AppData\Local\Temp\OEQg.exe

MD5 2c5a0ba98057923026db94361b87b2f2
SHA1 f7628e99521cf12f4bae19a078619aa03649f6b9
SHA256 40627fad2475192be4d120178cc3120499b6f69c5a73cfbbdfb187da5fe7aa66
SHA512 71ffe6254032cc13291bdab7a270065bcfa3d0f2eef436748f1a5e7b2582c2dfec152171790c833a1ee7277a1328326615619f596446d4fc3db3ce7e9c8bb499

C:\Users\Admin\AppData\Local\Temp\EQAA.exe

MD5 91c40802f53300071d1d3a76c6e77e37
SHA1 730119343585235826408a39468280ffe19d5f08
SHA256 3bdf6d938a1642e04df331eff7df51494be91a0d300ef2ed4183b4e021a14c4d
SHA512 29861fe93ca6aaed6f45fef08b648e285bd3985ecc9a2e61c49f18ad3f331e04da05623694c5f14138a109af122e39c7393529e33552bbad3e9bdcdab84fb62a

C:\Users\Admin\AppData\Local\Temp\kscw.exe

MD5 7ae8cf460d1e6847e774c3349916c45f
SHA1 9c966f05165438e2a29e5e40ff60cfcde4fd8f80
SHA256 093c262042918ad228db00f61a6f2fdd59a6ef2e4ee414794b2ac7c065339f09
SHA512 f222807107a5dc64f5d8f563093b813101bfa91cd9f54475e78c735cc6c10d0b17732bee3b10724314baddf21694e1c391da02d854083f2bd3a7a96f404cd294

C:\Users\Admin\AppData\Local\Temp\MsEe.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\aIYggQoE.bat

MD5 faf3574e9bf7254889228765cca2d90d
SHA1 833ee708053c6c84cf008eb089eb604c2c2a6236
SHA256 16c77cf1c28af7a402dd1a0e767d571834ac42ad3d4c8ee57c1a7bffab0d43e9
SHA512 18cc2183275d7db6cde77835c60648ef2d6d178f67189c8fd546533510f18221bf912fb7f7ae299697854366c2af5886a46be816d963503c2c7e4bd9cf1d2260

C:\Users\Admin\AppData\Local\Temp\QkAi.exe

MD5 98dc4b0bd656a3e93078e222ddbc9a32
SHA1 1413d43e41fad0f50d707313d9d3cf8a4e500948
SHA256 d6c025b85af07163037ba19fc5a018af7ba509dab0835aaed34fd04d8d1c0e20
SHA512 a2cb631e78e0ee2c0fe0d00b0c0e3096d05666e75689b33c5476a0b53e446655a6b420c866f54f4b8b15c696c79897cdd64e4325fc8483b23d632cc53340bdb3

C:\Users\Admin\AppData\Local\Temp\YMEQ.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\AYYM.exe

MD5 4c25175b85502bc0e55e6d672110aac1
SHA1 0673e986a9bf38827afae5d1e86f4d2b20420ef0
SHA256 0e31d1011a70ad36d44846a6b4cabff68b0d35dd5cb24f2eb2887fbb618631e4
SHA512 1ec9fa6bc8617725930ada7e5b2a0ffb2ab5dff720d43a1dd7ec5b968ae5bf35186434202dfab07012795fe50c374152d34a6b41aa497e518dd9f9d869dca140

C:\Users\Admin\AppData\Local\Temp\owIw.exe

MD5 f17f9c77888e56ad45a7b8a4f4e77dad
SHA1 2bbe128853a825c8e8520c718736d6c312ade29b
SHA256 6ec0d1c8ad2d3832567177dbd3f0d9d29b4b8686c94f5606bcdf43efe7eb5510
SHA512 76916671df834915eb406939b0ce601cbb0e87f8eca2d0a8a3fb75490a0f813ec7f1696988e0aeef59a4eedca575d367056e4fbf58afb6fa309af7110bb8c72e

C:\Users\Admin\AppData\Local\Temp\aooI.exe

MD5 3115fc3239325a8bc51dd1a33b2e0afd
SHA1 a5ed69f2a388705c3c1869703f4f207c9ba4f372
SHA256 67ceabf8fc64c7bbb978b702c0dcfe359a17c8453b48b8c63a7c5c388fa28fda
SHA512 5bb7e3ca5490c14830fcbb0ed30c9bc83d35b04466b6b54e6446697d586ea11dd4848176095ddd72d5cdc547d6868ce77694d9947cb68f0be38795d554b44111

C:\Users\Admin\AppData\Local\Temp\QQYg.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\qEcK.exe

MD5 127ed47732dbe630d51ad26b5ff63b71
SHA1 d75679604c5cf8f223a6ab83aa4f03fd51b708c3
SHA256 17ab7e4375f133261272fcd8def6b2fe31bc1df28b4db4f38a10609f685857e6
SHA512 48a38d574376046e513962f8fe7c1acf439f6c10004ceae9b273c7f3823cdd11350d80db397e6d444c63e006bd2cd9c75cae6e53822e67e577133958872f1e58

C:\Users\Admin\AppData\Local\Temp\rmkwEkEc.bat

MD5 3ce037b4737c4ac73bdeb2c33aefc97c
SHA1 11b4447080878767378099a0f79c323a38ae9a69
SHA256 6d063cb77565fc6e7b3ea0fa3cdafaddbc783e2ae7dfa65165b965671b531be8
SHA512 3d7cd983497ef74163e5737853f0aa4b69f4a56a94d6bc7ef59d5d636e5edb989817ca1f433b90cc3bc43699fc8777a379c10ffef532975e10dc0eaf1b3add79

C:\Users\Admin\AppData\Local\Temp\yQUM.exe

MD5 38239f62b661d8eab6fa45e8ddd24256
SHA1 1457d09b9511101f1be84777588e57e2a1571529
SHA256 7923c25685301a1da5fbb105f801b5d62690e521feab4127d2e3712cfe50b3b6
SHA512 233a264bf5411b8b6408e47b0c9e760e9b7ed867a1765d0b5984195e8498e4da554f33b6b98e77b2c4ce110a142ed50910d466f1ae4939c5e06e26406a2e16aa

C:\Users\Admin\AppData\Local\Temp\Mooi.exe

MD5 37f5ab03de9bd55a49e155bebb9191b5
SHA1 792e553a9bbc060c50330b7348974ca2a211a894
SHA256 4021512018bc0b9e6e0fc5c2d4e4741e9570d00768e1eb442b7f684ae5801e87
SHA512 2e130242c3a48706a814861a488f6d2391eeb2291683d3241e493b03d7b774be3311155bb28745198f4a9d284a7ca11a2bde2d3d0bfb940f8344a39f8042b27b

C:\Users\Admin\AppData\Local\Temp\EUYY.exe

MD5 7649c3528836617f1eb3e380e0b208a0
SHA1 78f8e7357b5f88709a0ee4fbf0b2b208a41124d5
SHA256 a3f81c7cbbc4e2e1364ea212f4c4b86c1fa8c4fd7b6b2f0a51479dae08d2d0e7
SHA512 939a45d85e70ef1068d76650874470e19c9c8fcd4e08f02a031d495352a338404dc313baf849c8c7fb1fefde9f9b4b88ab2038ea597cb2813948cf1941be63c3

C:\Users\Admin\AppData\Local\Temp\ywEA.exe

MD5 1185e0004ca95c93a1d612d02863214e
SHA1 5b3bb5b59842816ecc61f1068a4f42c44ab22868
SHA256 53c02cd008b3ba5f3ee87c23477f6d800b1904ef5e61b594948dc02ce0db98c0
SHA512 da833d08b0589fc0c82d3ffe5f040aad35b84617d15ba4db4f1eed7d36afc5a4a8e2f2a1612460893b6a7244fcb0ab6406153c3fdafd7931aa402c046e0a7a93

C:\Users\Admin\AppData\Local\Temp\aoQW.exe

MD5 eaf6aab472d7e122977aab46400019b2
SHA1 6a6961acfe993020bb84f6ce373a31873779a3d5
SHA256 b333b2218ea965c747c921c42abefb7a6e5020e7bf2eaf72b338204f9367c1f9
SHA512 1eabfd5ceaf59ae46e1a05d2b5ec9ce0ee79f4f7621814fd70ab7e1676e7d942374f87933ebaf709f5483a78a66dc70e596410b58e6262f386ff5f1508f94a12

C:\Users\Admin\AppData\Local\Temp\ZWsgsEkc.bat

MD5 9993fa0f9a23806db21ce09619f0cc70
SHA1 a34e52573a26f9311b7d5b3cbd99cb779679c717
SHA256 d4a60018a03011f201aa6e3ffea317e3f71b450432730a3ff4e57ae4ef31f2a4
SHA512 522feeb379c5b894d5fad20153df5e124130ed93b9af55783f4a3913362fb40c50a5afd067a1bb48f924dde77ccb5fc222f2ef0197ca61489133571fce0ba550

C:\Users\Admin\AppData\Local\Temp\ugEG.exe

MD5 411983e98e3234ef90027add0b602e92
SHA1 77612729e1aae2356e27ea4cf18633d3b6205e69
SHA256 4fd966e01a2784d2b4cbb483fe9221f73248327bcdc295fd046296bf847382a7
SHA512 842f77311433593b4f972f47d06d489a1b61ee963f493be06a8905eaa79e1f6f3f416093ff76538006d961d29924b18025fc3b2167bbc137a7c88b094b529343

C:\Users\Admin\AppData\Local\Temp\EIoI.exe

MD5 70709d0f17d458c48e22eee34a57e796
SHA1 c91f9f5e21957db803efd827edf3cbda7edad2aa
SHA256 81511b0c7ab9368301b25bd81b2146f54a23eb3d4a137a89016b0a8df2ca2a24
SHA512 c35c30a1f0062757fbc1320c49391076e82f947b17a56153024132c8898e9d6e5a5bd3e8b12af18f3790c3d19e411d1549153b38abfe11afd14cf096d2903c77

C:\Users\Admin\AppData\Local\Temp\MckG.exe

MD5 663d44ac5a9ef721dc02d4ccb000a750
SHA1 52158be2185acdda039bd59d4ea22a522f9102d1
SHA256 ac0f5d6d066f9bb281681a07d4d69a25d9175b252aa9d90803d1adb42f06772a
SHA512 bce32981bcdd1a1535f8996bb68950beac7a00a38e280edbfcf9326ef926aad6fc8ecf3fc7e8ca583f2899655db64db82f5b1ea3cb2bfae063d41245b9d1f6ac

C:\Users\Admin\AppData\Local\Temp\zOkgUUcg.bat

MD5 1095c68b0f45d79f8ebd78183f596473
SHA1 32deaa9e4a1ef415340f76de1d932a497713807d
SHA256 87c2e006d028a04e0e50db768de11ca5a66b7875c92581b7b6862c2f8fdaf779
SHA512 61a24bed533e2e1da77bac3b3fbedc868bb27c20dcc1f1ae254e9b89fb3bc04ba72a13c9a329fbcc6e4073019e40e9152f18e1c832e4a9d8fa2abc18eb211ace

C:\Users\Admin\AppData\Local\Temp\Uogy.exe

MD5 ed147c1527aec754d297a0e801b8bfa7
SHA1 6ff5ee423855008c62e0806066417a85a01eb8c3
SHA256 0286b55a884b46935c1c475671463d22526d233c673a4b4b6f2e96e7da99fabe
SHA512 868a41d28d644829f827cfa47e1856194ac8d74f4d10405c67b53e78500014ae1d29647e067ac61fb036e3504443f6b7c281129d22e68d33637b915233f835c9

C:\Users\Admin\AppData\Local\Temp\oMYc.exe

MD5 e8062c2ebd8a56c709de4c3d3bcd9580
SHA1 05ac1c23c814403259ec27de85ff6c89059a8790
SHA256 bfc3aa2b72de9a59fc50a278b8a7f0142e3169d855356fbc5a0cacb26acdcb1f
SHA512 2e749fe4e2751408856ae3567ba74b2163d65d11447c3da6cae117af604fef8601bddb95c202b38e4ff16240b9b7e274836e40ce58656bde9e2367131097797a

C:\Users\Admin\AppData\Local\Temp\wsse.exe

MD5 11508d1166b2468f7caa18ff4e007054
SHA1 c05a714a32ca0041aa030c6352a51254c18bea4f
SHA256 e346022674072d6d8860142a7bb19894dcfbef1c12ac59ab115dab9bc2bcdd44
SHA512 6a92edcfa0908fb8322f18f179539014c3e663e8654736e3977a0ba4faab7b11d565b1f0bf7f29855c84fc8e96627d4550751d4aaeeef4405990bb84784cf211

C:\Users\Admin\AppData\Local\Temp\kkkU.exe

MD5 fea8e7f1f46adce9f2fb4511e53669cd
SHA1 56a6ec15be22341af66fb7a3cb8c8c6e904a3e10
SHA256 165e30dfdc200bb6bf975fd264f32fa73f2c50e8a68d2883ab80f0ec0092456d
SHA512 36d5f35705b6e702e8aa67d93251028d00c9dfa44147327d1db3ec237adecf994d0c77d7f7c353d37734b5dc8bb4c83e95e2d77afa9441149af8d7aa90330d39

C:\Users\Admin\AppData\Local\Temp\NGccoQIU.bat

MD5 1acba6cd3ea146f507bec7792098685f
SHA1 26d00ee7c4f6d554a85fa1f6678f2d7c4de242de
SHA256 a346a696ed3d1cd4acd82f07568768d793e9f452d434d67bce449fbb46fe8962
SHA512 6c60c13a03c33103a8c835bb4d9cfb70cbac29e92f9d4a6a64792617ac8c782d7a68f86255cda1a37df4f6d243e67fbd76d9ec7fc62e8895f37e7dff17d003d6

C:\Users\Admin\AppData\Local\Temp\mgwk.exe

MD5 83037c0dfb2d4a4c1a019a432e40aa78
SHA1 a938b87be014f81c823cb60af1c179b76bdf4533
SHA256 d9ad7db80e195e0c7e566eb422145eb013f4710cea6ba7a15cd4677a1bcf79b8
SHA512 620932385ffc30f818a563e1a1b292e6beae80aff953fe57ff3181e31de4e0d5dffbd2e36aa1cd35d256f3b6714d87b6b5def16b8375d584fc1dfbbd04efb877

C:\Users\Admin\AppData\Local\Temp\gIIW.exe

MD5 f2769907930b56e2f0c8a99a19a1c5d8
SHA1 f681294a5b3e2dac6f3a290ca3d7ee51f763094c
SHA256 5c5af3d6712e18faf279363dcf039fe8486a16d46ac1c3651c9fca026024b3aa
SHA512 dbfaa4dfffe092301a684882f2c09fc7b038a99293ae5cfcf451fdb2951b1cdbd4a6e603038c2905cda11f192e38288ccfd8a22b2873b1cddfb733c0ead020e3

C:\Users\Admin\AppData\Local\Temp\SwIA.exe

MD5 e13bd9f14a41ba8896e2068a0c5b1fbe
SHA1 abca7e04b7fe6dfc402cae4cc70b72426d990a29
SHA256 65c35947dc05a9b7c6f4423eefc181a50873c606ac2ad8cb77fca45d08ca445e
SHA512 c549a3d87d8cec205a9b063f891bfc8936ff9be8c7d61402eaa6d7b3bd294d92164abfe731a826c3807eb421f60ff2a23158e8d8f902f1e3ea3f3cebf9429ff6

C:\Users\Admin\AppData\Local\Temp\oisEgMQA.bat

MD5 88bcae69ae5602998f6338a6dd7f70dd
SHA1 cc16ee7b2b732bdec1ad8b437a334714a8498750
SHA256 12c1827a9f4035ed63956c8287a7737de3573c02e7e36795772812faf684d889
SHA512 831e0c796462d976d9838711743c0820b072fc6897e64b833105474fa16dafd85ffbd0332864e29813613651dc69d097e2e339e090a471afc436a7b50e4e8de4

C:\Users\Admin\AppData\Local\Temp\UUIG.exe

MD5 0d13758a2b7978410633dd0512c00528
SHA1 9fcb461f8d1f22f25698239d7bae43910a4ac37b
SHA256 600eeba19036c784d9d4efb5128c78313a0c77543b62105d3d61c0cb131cc2a3
SHA512 8ae65392d4923cd064149982c1ab9923371c93b22231574aefe52a649997e6e9150f1538c75fb0e768feb624a8fa244343fca5f916fd4fc503b8addc05d81f36

C:\Users\Admin\AppData\Local\Temp\qwIY.exe

MD5 54dbdf7615158232f121696f076efdc7
SHA1 8685e051f798189b9f2ab3f7168e8c1403a3e921
SHA256 434f6d0ee15ce8f60749e723ee5d862b42aa98306f4155da508d706f3909fee0
SHA512 d2ffcfc0a97f71d6181d43fa528a6b57ac82bcee948f7d2ff21ffdba2c785a6a14372d058a6c526410850d96a2d9ca9bbf407e5f1bc0766621157d4602c9a9f5

C:\Users\Admin\AppData\Local\Temp\ecIcEIkI.bat

MD5 31cbcaa4495519eabbaacf51466d630b
SHA1 4872ae5e245104b14d31b63d4c1abbee7d908a2f
SHA256 e942321d20d08347df8b1f39f4058739c2a2e08f91f1e4be6a52f64746dbc273
SHA512 7a45d412a596edfdd84474d80b53ff1524b803afb1ce3a3b2bfbecdc8fb18618b096df241ef4ba28376122ac8aab76b62873a019f3823c9fe93320b621ace3c4

C:\Users\Admin\AppData\Local\Temp\wwMs.exe

MD5 44837594762c4839178f55da15697ece
SHA1 4ef1df6c92eaec6ee85d82a9a6c87da597813804
SHA256 f4114d8fa0fddcc4bbe12a8752d9da546a23afdb9172ed83d6fc139824902d7b
SHA512 a9470dbc826dc30296a30c338638c85aa18be6c550c105b5f777f85329985ff29027001b863140ef474bc84250b148241b963e3b71761ac672cd58e2b3d40d24

C:\Users\Admin\AppData\Local\Temp\WIwS.exe

MD5 a70b7d6c525124a572fc8047bfeb7775
SHA1 2a8e16725f29574b4da97bdae114b8983672f3b2
SHA256 5ea0dd3bb22459df3d6a8396b22bc3665ca1f24c59edcf6cc4a6431c0d7bf889
SHA512 7c1bb91d9174de77d4b9a1a7f92855924d86173942b11f053f6dce144299175c4edc82996ace9452cbd23e5cd76683087d5ec80233d60ce6c751dc710f39ee7b

C:\Users\Admin\AppData\Local\Temp\uSkAYkwE.bat

MD5 0930af1f282c42d310e0c4556672338b
SHA1 f7653d4c54637777706c2693e5941b82daf3f4d0
SHA256 7a6c4723999816643994755cf96ee976a7be8c3ea8571e0de0ae9315a704346c
SHA512 64f1dd8cf128907391494095bc2d4d37a41d50bfde4d16b3d20f846b2aaa8b9c574c3b03bc26f0443d36f018d8d37eabeb3e07522ff7437340ced4d0546884b7

C:\Users\Admin\AppData\Local\Temp\ywIK.exe

MD5 fd82a94f882f10297bff42c575cf4a36
SHA1 d099da2819661e7438fd29501c635bec2ec2727d
SHA256 da0eddfdf7716cb91833907e042563705d3f66ea15858a445b38f81c209e21ff
SHA512 dc55c3838803fc2dee33a5f3c44c33aba7c043c83bea6a9e84c71f9146d77908ccc2431fb69a4a7e631958daaf50abd6b93f73c8c28e6f9e7f2f030fdc79abfb

C:\Users\Admin\AppData\Local\Temp\mwgq.exe

MD5 b3c420b8215f1e59dfbfc7735567a018
SHA1 4a6beefdd37c8defa36285b1f720387a35948edb
SHA256 0f0f753041dca5ca8ba84c352ff93f5e62528ea06ddb8bfd121fbdfce390632b
SHA512 4adefcd04d12e369939ae1ac34058c8b7effa4ad09e2fb32139dc61b1eabad45d81d200c35f63db33280a132c52613a1670e98666cc5f16f557707badb2eac2f

C:\Users\Admin\AppData\Local\Temp\Yowc.exe

MD5 b793639993bb13ffed13c3903f94f283
SHA1 8018ee12ecd6e665e2c6cdcbb8968d8bb360277e
SHA256 15c43a875f9d57a0a4f521081cef64723a2f7b2a86e104f53a8bd6dc3a6f133c
SHA512 d011f45b15159dc6e8f9cb681edffe011f65b7454c3cdbccb69fcfaab6e700806ca87f35dfa31c23fa9a2a252a973d6acff822dd49bbe62fad53a12c65b2ebe1

C:\Users\Admin\AppData\Local\Temp\IsYAsUoQ.bat

MD5 4697d68968247850d56e83c651979d62
SHA1 060cd8b370247b2a7b78611674f5b42b77b2b390
SHA256 faf455cb6adb28521fb66f6e53addb570babbebe051d8f6f7f7d3d90ee5433b8
SHA512 0c065aa975886ddcbec09f57f463bc6c7aca677b8dba1a092afea146fd553e2017af8bd6e4e873d0023581c6c3dec76b346efe2118a871ee08dd8cb7214c7cee

C:\Users\Admin\AppData\Local\Temp\IgsW.exe

MD5 487901eb1bd09df98a038fea6f7581e7
SHA1 f32c12beb3f29355ab7eb3f4c7d27f150fc8c103
SHA256 3e2b52afaf4957af39a1b56a417d3feccd8ac7add739cc5215fc917366d8f4fd
SHA512 41caa154e64a499fb29760eb18586cd3557ab310fa0ab5ae18019a565ae4fedc399d829f669f6291799df7e6c88d613edde47c96737f36242d5be780b2836e02

C:\Users\Admin\AppData\Local\Temp\Acww.exe

MD5 608f929c3de0cb706241742493ad4c29
SHA1 b00396e4491aec17036f6a2b346d4c77a7946dcb
SHA256 ccbb4ab4ac4fa1484dbfc91fbe0993e70f40e191a228b7f30a7be8b622670d66
SHA512 872af429349b9eb8947d49c406ae249459edb0671e6deea92687772b6c1ef13b5df2415342e89c0904070a47aae9362f99b25ea9ca971edd34076371f93ecde5

C:\Users\Admin\AppData\Local\Temp\KQMA.exe

MD5 a435dc5f405f7893bfd7e7f35a135fc4
SHA1 901ea5c796c8033ebb11e4b34408f9bf6b0f338b
SHA256 27f3cfbfb2221d8aa93b54630b79d9bcf8148710ec3bb4093a13f1a7f2776c01
SHA512 9c06558bce76d23a129ee8b0a54f1fac9eb1ce7542a0d83babbc5afa77052c5d9a13116cc080ce3949c09f3ef710daea21501dd7da999a91f2ab0765e371abe1

C:\Users\Admin\AppData\Local\Temp\WwIMMIQU.bat

MD5 22756a8dc94320006b09ab2513936279
SHA1 4d021c7ab67742762c036bbc6d4f5b508087fddb
SHA256 4d03ececbc8d39a9d3d0c058add4fcb7a32fe9c767296d2ccb423a4ca895bf2c
SHA512 832f1e358d44158b616a125b1eb447308f2468743b277f6bf3aac1201eabe623b7151d6d5fc074b8f0cc6ac8060e952e42ff06df9d387a28f105014a97e0bcbe

C:\Users\Admin\AppData\Local\Temp\mMYo.exe

MD5 b3ef0edb823c3449c503055fe735bde2
SHA1 be8f3b1598311f19794a7ddad5fc6b957239e713
SHA256 12389f6b00de411fce5092ed97769f7f59d78639070757b1e2a4e1dede1de39a
SHA512 725fef11023fa71ddde39798d060c1345354023c820c3e60d64b0d1f6e209642d23b44a24022ef02231daac2caf2b604e1d0ea78a3f5ef640b54801700bff893

C:\Users\Admin\AppData\Local\Temp\gkYI.exe

MD5 9e8a1826332d6b0f6dc97884b3ec23ca
SHA1 f6ebe704f38063eada58f1592e2ea385cac897f0
SHA256 1e2256bacd024045e182e7e73cd9f6403b45ab1d0d14bd74ac512f4670836145
SHA512 01d2e684b1b72faf0a3885c95eb89e8046673ad02edc38ca5ce4e9a45617692346dc4fa2d46020f1b333f4df2ea53f8f6c471d28ee9b8885ee7bae286e6c343c

C:\Users\Admin\AppData\Local\Temp\IGgEUooY.bat

MD5 f8d8f1d91e50e4d25d233d6289339128
SHA1 8e692c9905820eecafa722f621d336d22514dba7
SHA256 4d29cea32684eeb0d00f95424a152ed8f363449c2827b790911ce602fab3eee2
SHA512 d4cee281ae175cbcca698de833290c6019d493270ee30ca83b7b84ca4832302e043c8698d099d94b49551f7f6177888afc2a5740938478343d175bc9a886db62

C:\Users\Admin\AppData\Local\Temp\Uoou.exe

MD5 6d031eef754b9d7138bf2b711b5db059
SHA1 3dad139b25862eaf405e8a04b78c46a1c1dd85fc
SHA256 d9daa3ea00711d1768557152b91a654c803748bf1701e7e2118e3671340b03b6
SHA512 525ad7ff7e874c0763312a8f05fb0500b3a41e79d8f1b546a48c9e2fb2cbacd779564b033bd3da9c01f38877748121835f8c10b21422a994f67ea8f3674eeb24

C:\Users\Admin\AppData\Local\Temp\KEsq.exe

MD5 93449b84ad03af7d2d2bf00e22bf9db5
SHA1 03b28f4cfaf745ac40492c31c4a77cee893b4e87
SHA256 3fcd0d58295124dde877b80f6413ee3551df96477e9c4aad83b6b75816bff8b0
SHA512 a18c28e6b0433e7b2e8806d79d07457160a4a7d77d8de3d567a872405b3b867f991d5081c4295c7270752d718c46489b4b9c3752ed11e40ec680758f234ebabd

C:\Users\Admin\AppData\Local\Temp\mYUu.exe

MD5 91ed0f4af5f7924569c4f5c7f51f3ada
SHA1 74b4453df9331205870042411c93e612b7f87dca
SHA256 4bd0d6c6d837cc34235db059c440011b02c3922822146cad248c397588936fd2
SHA512 481b8974f8621e77e36380171eceac273e8c19bd18b6c6e0917932ca1d03fd4666cb8817f2b60004aa4887af51e23463f78d988d20775ff683a5e3bf75c7e24a

C:\Users\Admin\AppData\Local\Temp\WgQs.exe

MD5 a8dae6bfc5890149ad2eca517a065088
SHA1 f252d28e95da54b774893943b3420cc5697884ef
SHA256 57361bdd042ae12a69671e814c9c496c6b0c2c7220c2127842f646dcaea09a9a
SHA512 ef9287f24bf068e717bc816000501595d3665fefc64819d6d601bcc568571543442a281884993aae7a683ce6bc3dacdbfd96ac28050ccdc8b6d257540b607bdd

C:\Users\Admin\AppData\Local\Temp\gYsE.exe

MD5 4bb1385a9c39f521c1d4f597393270b6
SHA1 c7c2716512819f76d06b72364203bd3fd5476781
SHA256 18d2b2f601c8d62638f542f63da470c6ee4f15d9c62fc78a50f1711510da6fb1
SHA512 6820f3203e549f78d69a5619c4935ebb570df81f4d71f2ee5bee0f25f58b4cc665b7ba52610e9db304f148a65fc58dfc8dd3951d533bfa70189de5a365bead3f

C:\Users\Admin\AppData\Local\Temp\zIcEsAUQ.bat

MD5 d44c7a64c760648cbbea6601b36d73e2
SHA1 16d1e2809849806ba1fa6a8502a0abc7dd5257e1
SHA256 79f0edfc5d37a3b82bdb99ced53bfa7ce5d39d0845cf8eecf235bfefb8c23987
SHA512 b1edbe3c2667bfba689882168112a3086b150c6c307b9425807b9fe22e3f799e1f304793dff7f6f8da39f0ef4ff78f9d7a9a3bbc9b1c9edcd4baa6f7d645fd07

C:\Users\Admin\AppData\Local\Temp\iIIU.exe

MD5 10da93ccf57ec9b8c2fef264c26290cf
SHA1 95ec69b3c4090cf5fc8b0f69dd6e6ebd864efc5e
SHA256 9fdf31b87d1d3880b13e3a642f5bd9864e1513df5556fa2fd8940cfc53754e9a
SHA512 996383ed112f9b370f484037024690644ed7595a3df4d5f488de8eecb6f452363d082f271b9860dbe6688029aefeb565796c1ee65fc830bf4f007ceb6437718f

C:\Users\Admin\AppData\Local\Temp\cUQy.exe

MD5 56e7c0ca9ca47f7bedff49ce1ccc0bc9
SHA1 37f99a344e35e22838901eb3e15afa784d1e91ad
SHA256 361a27e7db6c5d48f669079d98b96fc9e7a5cf8c2e16482b467a4b95994e6132
SHA512 c1efc733969bf9aba8bc6fb371be41d5965b3418f92d57694f758bb21a7b7ad4115c3648cd78a10be2e67bcfa9f69789c82ea36848d4aa377b9483d8e331ded2

C:\Users\Admin\AppData\Local\Temp\CYUK.exe

MD5 5c18fb29041bdd3219c395f6b51b600c
SHA1 b04279bf819fb09d25fba12211e8699c59f664fc
SHA256 b4e3870200479c12da930fb94247b74095a34f6d1e745a803099077e8f68f2e0
SHA512 079cd6a0057eb59d8390c073c8f6948f962b8efd78dd9aa8a9ef01a3d143313e19251dee1f520a5a02a1b1b765aed9614a7cc054426f96b9dd55040fb552105b

C:\Users\Admin\AppData\Local\Temp\bUYAkwEI.bat

MD5 d804196ff70ed91a55c3df7661ca4cec
SHA1 3d8fce49a05a5af87b42de51a613c6f1625b8007
SHA256 e83a8b53551938010a828b1fc68d290816e0a9fd83c442b2c94b46cd6cfdb45c
SHA512 e86dcb62db61f49590707263dc31253643d3cc2e5d86e2dd2b8cde847527384182b7030b229defa43b9c18bbe94f04ebc8573db708dfa9ca52d2b8caea898f2f

C:\Users\Admin\AppData\Local\Temp\SUgQ.exe

MD5 87fc1fc5feba5a79053bdfcc05429a78
SHA1 30e02b0945fdd1557bdd7ad5b3103b286b44693f
SHA256 a3933c655a29d91310fc65f1a445b7be23ca0fb1551532b6a6482bcddb3d8248
SHA512 2b797657168010af9f2401fcd4d1a3c5d48deea63c721b610929bd8447115333ac02921754c03324ff955ae2feb2df7d7fbbcb13f4a4d4d491714d844964b7c8

C:\Users\Admin\AppData\Local\Temp\iIYM.exe

MD5 288918d967f678b30dcf15cdde6c5f11
SHA1 1d47985a52094dd60b30e27a8bb385b7436bf1d3
SHA256 2d80e485fc013a2bb69c627ba376b787078e4405e6be32db1938e74e451daae9
SHA512 589cb0f641841b17dcb500780c1fdcd53b3b7681c708bc225a861771cc7b83dea1729b68ed39004b657598643743762be54f8c646e40fd89ff65f93dee7c058e

C:\Users\Admin\AppData\Local\Temp\GMYi.exe

MD5 9c967fa8a239e6340258de034ab4b054
SHA1 9a0521291e43fbf4f10c79640c192d7c1b1482ee
SHA256 19a9137532be4a32c057d9b8ee4d64cc11eadff04f06e9490b3405db767e7308
SHA512 49b2c6fb11e32c9c8d410d3da64674234146d09c081fe955bd47ebab9d96fee09557cf9cebf6b1585981ac7b19df9ed09bae59118c6b099bcfee3bfdf2bf0502

C:\Users\Admin\AppData\Local\Temp\QMcM.exe

MD5 2f40325c1dac64bc4c4617760de9dc26
SHA1 dfb6712e6e299c509cc1ada57e59932d7154d582
SHA256 dfcb2296161bda9d7b6d380e9d47145061af18ce39f9402b1b337d2b9816d85c
SHA512 86658c90457b11484b92376b83cd5317195b589c32d3922e2b35062e7d39ff9d37975853c7ab6bfce874c5a56eadcbc3616af7a952198bcf666b98aec3d6a7c2

C:\Users\Admin\AppData\Local\Temp\IoAm.exe

MD5 e49a623e785be52594d414e1dc557846
SHA1 a2e366306931e93c445677cce70ab34e4d6597be
SHA256 c6468e018fe4b7d386575532fe9d244d05f650ed3e65b0fa04159eecf4d11881
SHA512 21922c96f881775b37e3b159559d0504cf7e2326613bf0b2029cf0b347689c611fd6c35dedfae54854d6d00f8f198baf6c04390a3557736eb1ded38f96f56039

C:\Users\Admin\AppData\Local\Temp\VsMwEcwg.bat

MD5 29cb788102dc534b2a7e15e02b718290
SHA1 ca88a59fc2d47fae85370b4515e54b9fd53b1022
SHA256 2bdbcf77f07ec9a3d47f61d1218d99455b9c361c1d402017ce4b8f4b64bdc837
SHA512 0e77dbde69985aa02d0f851ad5aff0cb93910070a9fac13ac23e3af17cfca60936ae1c2d68e739a82f64870bf96932703273a2b5261aadd8263b3e7df20ae571

C:\Users\Admin\AppData\Local\Temp\uMgi.exe

MD5 54ab1fd4e6837e4b78f5e9a3d171d510
SHA1 1f503598043ca4f3de206bb02422bed638994604
SHA256 68bd04f0d8a586fff1f61c27e9a7cd2982029e9e9279f3817f0edb9f69eb5cce
SHA512 0372f94bba902b1d8363a0a429ceab5810e6c2d525a6a3e837bfe625053acc85d93110adc56d1dfa281d89d6b50e0343927efe367edb29b80953687cf8e8a201

C:\Users\Admin\AppData\Local\Temp\iUoS.exe

MD5 a17f0dda272e6c7829652bef53983187
SHA1 c13ab36d1e8034014336974eaa520ffd50eb0f30
SHA256 460f4ae29b054e6ef2bbb9bd673484b9dcfbcd77194adbe36dfc417ea3acf17d
SHA512 856bcac75c762f620995b66672010cd59169d5e8d777c517942e19ae213aeebcbdd779880fa2f30288d0a4495861f6bef941b771748f1920178e6beea9a6e5cc

C:\Users\Admin\AppData\Local\Temp\wwEg.exe

MD5 e48eb655a605ccfa58127e010c7734f1
SHA1 cb91e202c8e3aaefb76129001611f6b5e16c9294
SHA256 641a17c7c0f1e1b325d7285a51eb2524d53af6afd223f952100979a516abdd29
SHA512 ca1f19923dd0ddff1d9fca6811e25b236adbc8304e56aada01bbeaf9b1c2588add559b005af870071035788d0e5ea032ac2e410cc70a385f736ee2ba19647d76

C:\Users\Admin\AppData\Local\Temp\HyAosIwc.bat

MD5 aa2fce6cab3a6a5afcf6a71862a4bd41
SHA1 ef911be51492638cd7eb5eb56d9e514bcf0185a6
SHA256 03e07fea68dba2124fde540342f4db99ec46b7dca122d4d8422bb4b6b3b4db39
SHA512 203fe82d90d5b6dffd35478749563f9736c715616b23739abcd8a32e8baf4c1f70816f06fedd4982d4c0d91cf662a8bd11d2fe920e568d76c71c6693671a3847

C:\Users\Admin\AppData\Local\Temp\MkQYIMsM.bat

MD5 1204629e2a4c719264bb4d3a1a13b73c
SHA1 bea49f1f08cc7fd4fcea3d4664c180375633bdf0
SHA256 279b9440a6785271becb56add08a85acebe19438dced26a2b3faad12c32de6e5
SHA512 1c547209c3879f58cf095031c6a1f84b5ce557a354ec0e5790f1444138329552b5c9625ed85b3d6ff5b0d81d440cc729d0ab6bcfcb0916420bc2b0ebecad30d4

C:\Users\Admin\AppData\Local\Temp\KQEwksgg.bat

MD5 fb3c4b9bad29cf2cc52699b87e9a2cc1
SHA1 10c8ca5152ebc51aeac8f2d95d9bdda762e8d57f
SHA256 520cab138f9d20b3e5afcaf481c49c04820a139977e7b0d2bda03ed7b9823755
SHA512 0d1daebb56fc75be3b25d37fa674df393dc002d807d8136af73d9cc0af27978b5924ff0bc8583fea9bd65474b3c5c49728314b9897f72a564bedfafb8dbb8f6e

C:\Users\Admin\AppData\Local\Temp\eQIk.exe

MD5 1aabc7a85777e7d4d228f9464c15acde
SHA1 be1e331d6b591e7b90c57d5dc204ecca7638ead8
SHA256 cba6d3414f3b90905cfb4bdc29e79f718cd41c0fecba2a53bb0611e9f22ae92d
SHA512 6de7dd035882244f3f5458f19a8e1f23c70eb8de926e84663f8a71a84f9086bba38ee5967f3b29a77e54bcc42c0e5f11e91a2d615ade0782e1007e7de8bd5c4d

C:\Users\Admin\AppData\Local\Temp\SQsC.exe

MD5 647cea9fcbed0bdb37f9d356b3c3455c
SHA1 115ae07cf63ec092ebcb8bc1092f43a3c48feeb3
SHA256 e473c05860d00b3ed8cc68e848209b52502419b2cbfd8ff3cc13549724a149ac
SHA512 9124c92c0050a53edd534356c568dd3cebb91c03541b5d87ae0b36784e8af362ceac20112c4d2183332d6d2c5ae131f63cfcf541e8c7e41baaff502ac4b233cb

C:\Users\Admin\AppData\Local\Temp\cWIgkoQc.bat

MD5 6075611b8644771df60e3782118c0b11
SHA1 ff45df3bbfe03c1b48bf7c23d68e22611e56bf1c
SHA256 864d01469441af2a2ca51ca06a1c9f489e4d1f446d67d47631898526ca2fbaa3
SHA512 c3816ecd6dcc5e89944dce8ca5f5275fa0d948538ee8f796921c76cecfe4e36f34ef376bec9a44d8b609678034cf676a048256d389c6237a2768daf3f42a8466

C:\Users\Admin\AppData\Local\Temp\GgkE.exe

MD5 78a2fe0d5ba0706ab133b971ed98c935
SHA1 a7a0ac9d2b5a056739667c02cd3923af68dfd9cd
SHA256 e7af23d585631ed80bb9343719571ce2d4af27002ea217bca9f1cb54dec52f10
SHA512 82ad256998c755a229d66fb3834688d55aa6b1c86bf3d0cf0b648dc535f5167f6b9fe774abbdac0d7ab71fb6b5882c49f16892051d611c0aafdf0d288165bec8

C:\Users\Admin\AppData\Local\Temp\gQEq.exe

MD5 090273a465361481bad56b922890d44b
SHA1 99af2d712fef7af5d73cb13011e7ba4b190fcb41
SHA256 292ff2b6167ed59587d74af4473d67bac6c297fd311464cc2adab00ac342ef78
SHA512 4974552e166e7411d6576c3269c44ace067b4d4d68887622eafcf57a628a1a00d3c21681e15a100208be5d5fca74a19848f2f6dd6b5439028c5a3b0da6574506

C:\Users\Admin\AppData\Local\Temp\SQoC.exe

MD5 d309f885ffaffa98c3c434e30b060adb
SHA1 d5c45d53e3b0d550b10a679425cbfa99158e9907
SHA256 4a6df37eb921f70baedc66015c57bd1885a5a6fe0c9d1f99c8e1200ccf8450c3
SHA512 db751f078272423f6b3bb15560da600094554f3a6d7a28eebd3b28e31216b33f1142ac345a4ffecfe5e016b32e987e7511665ea1839736de3a1343a703ffa0b2

C:\Users\Admin\AppData\Local\Temp\SAEo.exe

MD5 3cc50313de3c889e61fcb845f56bfdf8
SHA1 046cd276e4c1c5c53d1678544194760c404277f3
SHA256 ac47e2add3b9c64f4387d5ddee46ce584f0180c377c44edced894acc7ac548f1
SHA512 cdfdfcd4667951f265b90b64b82eef6332c5879518fadf7f4ee38c8af331fdfc7aff796af15c46edf9843148aa42a4f04bbf8cd1b4a70d324e12f8c3719cd538

C:\Users\Admin\AppData\Local\Temp\ycQgcUkY.bat

MD5 c09c7e6fd8c433a0b4f827d7295c420e
SHA1 f56da8e5c98139d957ceffbba3eac0f52ec24afc
SHA256 d4c6d6dabd81fa4cc6004ac0d20140d2eb422ecd8a4dd8c3fb30dfdd6cdeb7a7
SHA512 4d61a426a2fe2d0b8a65ca318862c985c8e672c95e72e2659e30fad723247b25069284d2021bb0ec28bd003c146a0b90ba0fe7e723727f2d15db5e6a012c02b0

C:\Users\Admin\AppData\Local\Temp\EQEk.exe

MD5 3941f13212992ddb42e008e481467420
SHA1 1deb2fdb106931e0c60a5abab1490d5c0ac64b50
SHA256 a45eb524ae9a48c6519faa8a44191681cfbb9bcb71763d67020fe97efe316b8e
SHA512 4367f0c4fd288848183580da7df447242e9e44297e4573052e408788e26b7938fa784bc97409caed001f606a1fbeac54f9c5bff05ef7af3716f2d3068cf5ec12

C:\Users\Admin\AppData\Local\Temp\qEAe.exe

MD5 36c1d5938d8ee40100c20b59ec45e3ec
SHA1 c68bff5e137198b801b84774c184abee530f0b13
SHA256 6ee1e5e65a01f5bb31fa0aeadf10a4a348b909f00d9a5c39d7650b7d3d126fe6
SHA512 b31c8fe42fc70aa599328acb5133894b825f3e3ea240845d2a14c76bbf35c94f0a98801e41bf2fd4e018d65d7cd6f1d9f08685ec5f97d0dc0ec86f8b9e7f18b4

C:\Users\Admin\AppData\Local\Temp\qcoI.exe

MD5 c4dcfff6ba75fc91e95a42e4ecf8f7d8
SHA1 54ef51727265bb3d2932d994f52cd52686665a72
SHA256 c27f42f844022279c0742bd4e176e4143f93309213548723add0993d3a91b0a0
SHA512 a5dc510afe13910ecda912553c7c43e6bf94ac85af6356c397d28085d00c2cc3af0798e73d44e5a522fc9dcf94297c9a0a124373e7e2101c73ed985fa4102ee0

C:\Users\Admin\AppData\Local\Temp\GIUI.exe

MD5 4c4935a2b0d92dd1267a15d3b4f28a9c
SHA1 aa6a903bb333d504b127488dbb080235005cfb39
SHA256 52e6259b98be1cff559e8f5f1c2160303a262766b5e8869d79796edae583226e
SHA512 f67990e140a6b646e39663c16b9fc80fa5815d432ce640f98a4300c9e1b856d03513cb426d2c7a71c07fcda24bd18291a8e3059a9eb1ffe82c9bb55eef8cef13

C:\Users\Admin\AppData\Local\Temp\ruQEwggU.bat

MD5 f4ee0a7071ef2c1adec3e9d70edadf3c
SHA1 642a2870ec88b577154f57ce5b369d1251d49907
SHA256 c0957c37ab0b4497f90727dbb2950678073afac3b66f096ecdd595fc91370796
SHA512 2be0a9c97115a4fbf750cfd5f193b8f0f3a98911e16d8ffdfe18004aad3576ed5b3a4026b6f59bce16928c2e87aa5a9aa81b249c43f136bd288eca58ad023dd3

C:\Users\Admin\AppData\Local\Temp\pQMQQwAs.bat

MD5 101573382e7e674cc5d8421e4a679389
SHA1 cae433907d9a13c1967954e9f31c03428ea24569
SHA256 ed0705e66e09ce19fe7ef46ff3716b497577c7f64f86f50c3074d8e6dc1f5285
SHA512 a288bd15fb567ea3b51642e31c6dc01ee213972b9477b64c20f5add42eebc54b98336952b03a1035d247ee7a7e90b52c5a2c7c135d875c616ebbb1db67f458a6

C:\Users\Admin\AppData\Local\Temp\ZGsQwQEw.bat

MD5 c37da4ab27d69fc15a00f78cfb41290e
SHA1 65e4dd5f450a18c1893488765030ce186c7e3651
SHA256 9533c6f9fd56c259094c4edd67d45ec2e1a66a0148532a189b75c3a53fc506a0
SHA512 ddda1492f973c667d7653ec482766d0fe9316742f2f611c9418cb69eb42c4cf8e65fe8a209667518a30abe7e196e10af7bf65edc622b8c5fc1eebde320946fc4

C:\Users\Admin\AppData\Local\Temp\VqwQQsAQ.bat

MD5 8ee7d7bf33bba46562f4b309c60cbc01
SHA1 8613419143169b9233a1a3a459ebc193cd30e803
SHA256 3352691f5061749f27ffc99237a2baeb26d34c8c60bbff9e20f6dd755055df45
SHA512 134f385e941d75ffb512e2ba3d301f0d769b2c5a81b038dea6eeb945787feafaaf8fc7ef880458c3f7aa904385b242d66f95f135c254607e97a5b0b97e84678a

C:\Users\Admin\AppData\Local\Temp\usAYgcgU.bat

MD5 0df9a523a4cab03079e3f795d5994b68
SHA1 4db9393b9b076da1523211b5914dc3bdd8c120fe
SHA256 bbaee103a085690eb1e4f38dc9ff8d8d21344b24893937bb30f98079a467155d
SHA512 06d1ea088d29dd2aec72d6f667d9b1cdad514c35ec2c18ad50de4fb903bffdc4043a039fb55cfb8f727e456e1cef87c928165ba3d8689df83752a106e44602f3

C:\Users\Admin\AppData\Local\Temp\wqwMgMIE.bat

MD5 d107d7839ea050c21e0a9651c3f98506
SHA1 85e96314fd283b7f95c4c5457c4a902016bbfca2
SHA256 db1c2d8dc2086311b13d9b7d4b3f7efa1ceb7d4d427272f708d5fe9b11ba6b7d
SHA512 6fb31ee546b7108d7ab3d378823ab0f8b4cfbeff04ba5cc0f5c5ab770f03af4da7786e93bc98acf803decbccdf73826a4a7d756cb5c14a95b0273567b46b3b10

C:\Users\Admin\AppData\Local\Temp\mmUkMcIc.bat

MD5 49f6cd529172c75c234135199a2982ee
SHA1 9268ff564a35aaddd3d9b79dccadb6aaa59f90a9
SHA256 93350c4cb266f5f3588236d1ba6ed22130f47d3ed95503e5fd9cef9594e02e26
SHA512 011dbf7e9b99040f6dc3208f0d3a4d2bb19066d015708f0995c8576cfe8e74bd8b62a46a2a0cc8b703b6bf552bd48e7a61d93825ade1aaf2197932033d3377be

C:\Users\Admin\AppData\Local\Temp\GkkEocoU.bat

MD5 ee2d13d09067ff6b082f4cc004e28d1a
SHA1 48ad79f51f45c0410bfc6b03be0632a61fe57095
SHA256 09ef2ca016a475ab766e8d1808c84a7b5b3a07450a939161ce37ba022884d0ab
SHA512 cbcacef82959ed63c7e37c08422c0dc9b5019e9c9af32de6fa97681fc135996cbdc6bec5c4ddd58ffb8bbebe3ae22c6f8eedfd5b4bb5345d789f3287617b67d0

C:\Users\Admin\AppData\Local\Temp\iqwcowgA.bat

MD5 0a483ea6a617f740f587655bbb673e7b
SHA1 cf71e0a5614743e4847df2a46a0bf27f411b4dd1
SHA256 bec9ee4c02f0755e0ed1a1fbbc4ea9183549531eb3c4f3e8b5fe7dc9a2d8235f
SHA512 2eed398e8b6942b652d0719bd55d0ef4d795629b8c1be8575b8bf9ac0ce65a40344ba5406ff3e210b037d139b5637edebadc7c02b44d03db95c5449c2f106fbc

C:\Users\Admin\AppData\Local\Temp\pwccYMYw.bat

MD5 ed2b6bf0c5efc8583c7f50003ae92103
SHA1 7c731c8cf772db49b724f7488d93beaa9b7e00d7
SHA256 78511a0d7aad84449ffc97f3adb1192d40d91c2f3536fa8530d20a8226b6a74f
SHA512 6ffc4940a91e8bf1f0f7f50ea9e1886d997f1f363ca27edd897b2b4bd3420ae01fe07f1508d09292f372f2644fd20e78e49949d42178db32f54575322984c6a0

C:\Users\Admin\AppData\Local\Temp\TYwckYYA.bat

MD5 781b4491eb28ead0fa62c96b023a48bb
SHA1 14375879f239ea484167f4b8c7cef54d6aa83922
SHA256 3667acc2440e85052ba39f4da82cb91c908719af4baf4e2e6ea779597b8ad908
SHA512 7a5dcd796222350a037e51985aba77e617b46669d69a64b86dd42388dfc055e32e120c4d202c5d7d0e09a8b05c5ca49ddd3a25fa32198fca93cf985007107b96

C:\Users\Admin\AppData\Local\Temp\tYIIsUkw.bat

MD5 2989004fb947dea374a05b0f954c0cfc
SHA1 867e58c6c49092464ee8b6b98bb91113b6722a63
SHA256 fe53a98ad6b690a777a266e49da38bd05777d3665a1f94ee313caed7860ea691
SHA512 5787f47ed456db964ba892bc951decf2e1427a18aa4e4155adac063945f929806a1adabbf98c30a8bb7c5692731bbc90944168496bd6d3540c7c796fed0bbd51

C:\Users\Admin\AppData\Local\Temp\VgIcwYYw.bat

MD5 75cfa8a42b489c3be47d74ab7cf87796
SHA1 539f40bb9f2aabaa5c099d0ac9cbe97750e3c9ba
SHA256 fb762a4850bab4c9963d7af515c21962fb63fa6ab942c1787c734f6dbd65e936
SHA512 f5e921457110b707e6c2134ccaf406936ea61af5b81c988cf8bcc30afc0afd542e91967d21affd87e1d9f7e25b8e34834d479d026f5968ddfd3dc8870c9454c8

C:\Users\Admin\AppData\Local\Temp\wEkYEowk.bat

MD5 440e4ccca0f0fad1d76e1b4e2812293b
SHA1 37031f85ea28e4b5190db082073b1c273ab54743
SHA256 c049d9ba9fab52280710323cd25a6050fd59e75b8c058f64ccc33611ff4ef702
SHA512 42806f005efbf67c0470f9627527458fe79df9020900e707de58f41e2ae5eb32af070f79d1b0ac01fb7f1c3c6907103a9eaa400b2ba31608368af444b496d0ae

C:\Users\Admin\AppData\Local\Temp\QwwIYAAU.bat

MD5 f4056eee2640b106f40dcd3145cbf622
SHA1 908764dbe56658297fd6a4f6fbab770716720634
SHA256 595a99f1804a1035a6c5f86a43d2eaa390ec5f60e504ceedfb4f9027df4f0c2b
SHA512 4f42006b488be8314a3519be2d541cb9120b951c8d6d31f07fce97b187c0211a570c276b26e501a1a438ecf5ec379703a101a664bc586e9d54cb3c2a988473d7

C:\Users\Admin\AppData\Local\Temp\UaUsoQsI.bat

MD5 8b787884bf4f8cad094df84fbc4ff6e1
SHA1 96365c6f4f9b90d2cb36299a84f4d593513ce683
SHA256 a65a285c3aae5bf4ad5fa256e3e6387a618978d398bd99f05ada865379c11a42
SHA512 7c4f27c55a48793b4498233b091d0c4485fc34724c54b57c90b524c5dae57f285d2fd3ce0619580522ff37744b17694c6cf7d0a8b4808413ec8e76b1483fad7f

C:\Users\Admin\AppData\Local\Temp\YsAgIsoM.bat

MD5 4fdc8a3fc9f7e5d944f3f714a4de46ef
SHA1 b7551ac6c09ee90ba4f49633c01cf8b4ff6e7d90
SHA256 c04b17ed4cad7380d8bc1e8652593689a82812b018a181796ac2f8338799bbf7
SHA512 af23958dc3c6f389d87e92234741eb929c48dea468ec21e0564ec803376e4b91d8d2c6b7b2ef7cdbb62470ef9bc0256e6fd3195352fc2e16df46fbbef3605991

C:\Users\Admin\AppData\Local\Temp\IYAUAgQY.bat

MD5 59732da5353dbc378c2a869db696f225
SHA1 e130d9b3fa57b04cf2298d043e726ba3bb0d207b
SHA256 f47331c1674f16c7031750f077f7f9bc7c7908157838860223d3bd77a50c617b
SHA512 06f8e65ff56e0827630ec7fb4683dc21da16c0588ba7e8e53b095b764a954beea1efa8a98d2ceef5a9a411480fe3308ce674d592ca5a542dcd83a88d580c78b7

C:\Users\Admin\AppData\Local\Temp\noksAgAs.bat

MD5 8d6dfbf48b4b1d1449fdae4ba07bd7f6
SHA1 993310883e4c72a593aa5a452772a731025604ff
SHA256 973fa94e6e7619f011bb20fe09d94c0e1e92b560a5fc23e5fb1e97d2766c3eca
SHA512 08a01e72cc121bc6c628f69fabec229b19c91932ec027a7978b0a18fdc6c4729c58dcb0399d93e0116c7c8b4a9d679248b30121b50484f43f8adccd369391d4f

C:\Users\Admin\AppData\Local\Temp\HeAogYcs.bat

MD5 1cb92851c7cf2a0c84e2d05a03bc57f2
SHA1 58600524a9b46e92b22aaa7c576b0a37d606216d
SHA256 a936570d6b3b88e1dc7d2424093fd54207eb852fea01213b32ab867dd1871e19
SHA512 747b7439b3c0ff065952eaa79f073080508ccb799712b98ac4660ac1b92dd76997cd4b4bf1c159768b36db4dd91699eafb1513cb4e95ad03db9c5d77d2d45a51

C:\Users\Admin\AppData\Local\Temp\daAYAEcw.bat

MD5 7e34e0f1b6dd398aae424e66d031034b
SHA1 867c91fe53701df98bfb3461a27e4c221693d2d6
SHA256 348bd9c5ebd02809ebaf362eb70845bc9622a74e44bc2686b38429247c25deda
SHA512 3f657929be149b9a4c5846ae92af546011a94a1bb7f24ece9a814d043cb4a6d86b37bd396549022bf16978aa01f85b7b03b00534ff7a8d51dceaac54fe7227b0

C:\Users\Admin\AppData\Local\Temp\fKYUoIsg.bat

MD5 a4107a4871dda388457faa931bc806c1
SHA1 66d88c7f46d1f2cd7da429fe61bfe531260adbc6
SHA256 6a85ce6d9a60b7540eece2dc5d6ad91340aa37745ab18e981525f1a999ca37ac
SHA512 769367fe0f7ee4ad48202aed851f433eef1833d0cdbcf11b403cf0867b93e985485885b1eccb35ae4a084db62046fe3ac8cc373ac79d277030e01ac606671838

C:\Users\Admin\AppData\Local\Temp\OicQQwwI.bat

MD5 33d0c72df5fbbfeaddf00b3f67709bba
SHA1 8b9fbb5b9ad22aae4093c3c4d0862f8b5e52d899
SHA256 f9cf95c5fdad30e79d382e1714b49f1c7fec3e074b6002350c021b7d17f1f612
SHA512 07f4da37477795303ecd8a181a64ef7045191d51c4c8d809f07a16ba07342859e15cedf8d816c4ad07b4950cfa244149dab8e11028f4ffc8ef50f1de354dda1d

C:\Users\Admin\AppData\Local\Temp\CeMQEIAs.bat

MD5 11f6cf7193f35ad3462b0dc38906a6cc
SHA1 631c4e8633c59f5f10afda9e83e4c12040e0d0d3
SHA256 dfc5570eb5ad6475eea4aa2b7705156be2569f069ed3cb4186d7d64fd7f96e10
SHA512 7664aa850790cf1102baf711c4b7b1536117ac5d636d1f6cc09fdd6519d2f8e58ff929afa904e68973d4908ce1975b67128eae61058244f1d280ab219178805e

C:\Users\Admin\AppData\Local\Temp\GSQccgcw.bat

MD5 0629b515cd18bb3e3d2494c451340213
SHA1 581f2621108a5d005465d648823b4449bfdea9f0
SHA256 07e65437972cd0edde455a1c8bf2145f91aa1809d95f00fb723a6a961997cd02
SHA512 9da21f8f05af2fff5ddd1b9819b8230f89751636170da4e2a62a2ec2212bbfd131fa6dcd3b0772fd8d03e0b29c3bd5775330a62d56fe50b0c49f16ad48c20470

C:\Users\Admin\AppData\Local\Temp\cakMAosE.bat

MD5 91a9a441f62e3d29ea2367af50da4c4d
SHA1 7ef7c8302ced855839ecc3cafa869dd624139421
SHA256 8aadbcebdfd7e9f8ee7dab4fe6709d5df63dea2e08f8e2bcc9be432b5ce5dd4b
SHA512 b62a33ce72c8dd5bcfdb31875e3676b248750a7ca02ace792a3e9bfe6db5a9069ba98660a4fb9acb46d6a9e17fc1b688e7b56db246e517c940e7eb58a1891280

C:\Users\Admin\AppData\Local\Temp\eKQwosIM.bat

MD5 e3dc1e2ed641c24c54a8c839132b5eaf
SHA1 b0528a6ebe5e7b9419647cccd5f9f14ef7f52f3d
SHA256 c0860ea4ce6e8df1d96da8e554f2914c2f2491f569bd3ea24bd4e65d693dbe35
SHA512 eb31d292fc53d16d5152d5c47128a405b31e9ea198d2c06a92281fee16df2debd10d757ec08423ad7bb918cc99deb9f767747e9958d14542c05673d641aef97b

C:\Users\Admin\AppData\Local\Temp\NeccUYwI.bat

MD5 c33e1f2a607b96c0c023fe9d6c520f45
SHA1 2e492b309042cedbeb6e08e09fa6977caaef4733
SHA256 2cb2e4e5c9fc14da5be6a2a4b478ba48182b9a2b331f6843cf78cc0c1133164d
SHA512 506f6e34def6092304ef054e4399ab80ef91b162bb0fd9012f8ac803a4d52d7d71f20ead2d9dcc102b96d6abd3935ed1adc1fa56615a66db31cda7fc5202cee8

C:\Users\Admin\AppData\Local\Temp\fUMkQgYw.bat

MD5 4dbf735ca03a5fc747ff3da1f8ffb8ad
SHA1 27986b9e301f379a8cdd5bd7d918ee746d0da038
SHA256 44cc7825c019de18b96f81289ac90c33e8011c3e8844aa4e5b908c1775c633ad
SHA512 54f55dd45e2b41aa847c708749f2aded9f1b2fc46050154ab51eee71bf488b0180a53017bf481ea94ed65c7b74e3f76d4ac53ab0626d2e3e31626690c89e5ee2