Analysis Overview
SHA256
61590230942f18b7af4dde5e14ca1b4794f852b13c4c1b3c653f780b2aa3d966
Threat Level: Known bad
The file 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (57) files with added filename extension
Renames multiple (80) files with added filename extension
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-18 02:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 02:30
Reported
2024-10-18 02:32
Platform
win7-20240903-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (57) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\VwcMkcQg\yOIkUssU.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\VwcMkcQg\yOIkUssU.exe | N/A |
| N/A | N/A | C:\ProgramData\hywYUMQM\qsIgUksk.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\yOIkUssU.exe = "C:\\Users\\Admin\\VwcMkcQg\\yOIkUssU.exe" | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qsIgUksk.exe = "C:\\ProgramData\\hywYUMQM\\qsIgUksk.exe" | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\yOIkUssU.exe = "C:\\Users\\Admin\\VwcMkcQg\\yOIkUssU.exe" | C:\Users\Admin\VwcMkcQg\yOIkUssU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qsIgUksk.exe = "C:\\ProgramData\\hywYUMQM\\qsIgUksk.exe" | C:\ProgramData\hywYUMQM\qsIgUksk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YSIsUAUc.exe = "C:\\Users\\Admin\\gMgEEgoE\\YSIsUAUc.exe" | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MaMQIMoE.exe = "C:\\ProgramData\\YAcgQYcg\\MaMQIMoE.exe" | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\VwcMkcQg\yOIkUssU.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\gMgEEgoE\YSIsUAUc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\YAcgQYcg\MaMQIMoE.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\VwcMkcQg\yOIkUssU.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe"
C:\Users\Admin\VwcMkcQg\yOIkUssU.exe
"C:\Users\Admin\VwcMkcQg\yOIkUssU.exe"
C:\ProgramData\hywYUMQM\qsIgUksk.exe
"C:\ProgramData\hywYUMQM\qsIgUksk.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWQQwkcc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MGgosMAc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aosMAMgM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fggAkgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\doggQYEE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMkIEgwU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYYUsUkY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQwIkMsU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUIkwAAs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKoEAwAY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YaQocMgk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RCgEAAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCckAcwM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGsIkMMA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMMYsQwk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RIYoUcwc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGoQEAEM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kisEIgAc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUIQQUEw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAEEsQEs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKoQYgok.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\daAUEQUM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqAUEAcY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcYUgcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYMgEUkg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ossYEAEY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iaswAUwA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkYcQUAE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XiUQccQs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkwAsIMs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCAAckIc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsoAgUMg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUAkAMMM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SaEUgkkk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgIkksEk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MqskIAYc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqsMIAYM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkYkIYUM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZwIMggsE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\gMgEEgoE\YSIsUAUc.exe
"C:\Users\Admin\gMgEEgoE\YSIsUAUc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 36
C:\ProgramData\YAcgQYcg\MaMQIMoE.exe
"C:\ProgramData\YAcgQYcg\MaMQIMoE.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 36
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zookcUgo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\huMccYUs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGMgkEsM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CwgMgUAw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYQUgksk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gukMMoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgYEogok.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\viYowQMY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgEEswwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nSIQsUcA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WYUgMowI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqMcYYgE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMoYMgkk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yyUkAMUE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWAoQoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAMUYYwU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DyYYAUIo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCgYwksE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqAAEwgY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-227264345550984259-1849401264-1759556048-1965248263-985886884503845281998156761"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gqwsUAAM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OesEckMo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5721403951255288942-1709635959278763808-130213367-7655877569769412271692925563"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mkIQokYQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10034384351711195468-581986338599590579-158720462-18765092572063317394-1791061202"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqEAUUcM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCMYYccY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-42272039230839614-888947483-414580280-17159909021923513715-1477660633705795303"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TKcIoMwA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGcEYsso.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16126374911597858747977841969-1894395609-285113958652532501567939777-967783798"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCEAMAgU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOwcgcIk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyQEwwws.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwQkcUMA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAcAcMEU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUsoccQw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ougEsIIs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NoEIYgEk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jscUAkAE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmMEEAgY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11799131791623428802-940268101117400730-438314954-48150793359396861-1972010114"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKUwcokM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12242340431936105679-12709515831319547973-56329530816805212711388475921624538926"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1593053805-2052775119930830329-11863795321392740789-3550049814662532401204995624"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWcokoEc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYkAwUgI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KswoYcUE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1668527585-181801775-745365967257212118-8750830271094065171-1124058980250459068"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yeIsoEkE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqUwUsMU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuIoQUsk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dAsUcEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5584905161356289726535035411-3036635472903674566117041991008376538-750377939"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuoIIYMY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1938438555-423945553-1516319930-6428305357239571211436976797-188384144554402015"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMIIwQAk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2021709197-4969673593580204031621119032948494652526606321148434199-1873162910"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1075474398151325576634258953210183305551227502719-886507975262267523-1578901402"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIEgcIUw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MowIkcss.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jGYQwcYw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "543375716154929238-1800006113-231626406-720269717-1568520027389599499493114456"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NmkQAMYk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jywwkscY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUAcIwoI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-114593881043883613-197337684617846234011077510889-677224606-4437391971518686655"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uQkcccck.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAUQksEI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuEoIgIg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGsoYMgE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1298826116-1112076331-216790708-474103666184741912036208315779280991868402156"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TsoMwIAA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "459056464-145846240720449125-954364876-11195083231573816197782909459329183278"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1092806473966868515-426581576411302276361503927-682838345887976521884088329"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZaYwUYwk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCgowQAo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1673714827-169673823202968157-5856075291685289639156736733-2038193737259892188"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-399743108-16071355051794320985-958879133-657771556-715344142-466361621-1333164347"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1243565386-1920568858-2118861980-664935115198321030620333348537083911621837578093"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGEsgMYo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1566669724702977933943692972-4191777141801481053-851282739-10169114151249306131"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "140424288637497359-1626102729-1161884404869351218-139466768914367786921527212296"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gagooIYo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-200704762212831433991012542195-1927893651-211208947-1651386146-370857157867156191"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-116577959317936520751161373425-231959683-50588951713994150342083013569559039273"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aGIcoksc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aoskcEgM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2021324264-16161668361267858861707378745-838412175108024218-189046801-876668451"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIoAwkAs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1456770101-149649369862272146413904078071262416343-1319990800-1413903161820257704"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2062411905984583672-1241684661-15298147115501534901303152089845975567-730876691"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIgQEUAs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1284740497271907508116188614-17115378021702536983-1084726051-1545102828109731919"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "368138791-363326311-21264230701040564143-156718615-1214911077-1292810021-1384010127"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmsoQIEo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "655755143-18520937631491873760452810685-24888307820801093861176427496901636830"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1831365259-1041333159381377483-698163617-10666378367870899384658805511834268605"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\scsUwIYE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15235794661276022907119634595926982646-174883560-1360203594541977842326058053"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GuAQYYsw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-177940370-1101627835-793594715-13797111071582987565-1226687656-6908712-1187906883"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YucMEUoo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "614200186-1662038808-2096933356-15218657171400960323-2065748368-1046619348295759357"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkosEIsg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1853376128624509011819983124-688186976-81476730-68130333421261750621043990301"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1459967205-16845141741399330939-447340125159812680812781242922046129379-956986968"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8979124196267026251758699803-1723037948-60294846-1997872918-1622496466-1914262567"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RUcMIEcM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\voEcUUEg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1318255530-575814938773093347-754943308318202783-13520216001253053927-640438541"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-57124632017690065077786158431126713276223963027-1717903037-1729886703-1592380441"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmgMwwAU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8973313621209247432-85437501055801447-810672418-15250762881938151671-438079061"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hIAckMwU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1663381451064707588-557276914-570976208-410804929-1370244675-546529272-149510148"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEsosggE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIAQcogA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "199790973-1138418173303439676-13939282282719734894288133921065618988-756231446"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iAwsYMYM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1719396644-1258126084930664176-223626330-878027825669040155-566420478-1984750253"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAMIYMUY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1059593080-905172190102483045976417909929101336-1787783715-2110052294-351343076"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUwYcIUc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUMoEYgc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OeYkwIEA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuUgkgIU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAYAksAM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEgAwYss.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSkUwsww.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.78:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.169.78:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2248-0-0x0000000000400000-0x0000000000433000-memory.dmp
\Users\Admin\VwcMkcQg\yOIkUssU.exe
| MD5 | ca51ff91a78ccd9c671c68a17fac5131 |
| SHA1 | 5846e51928a5def8b130ec2deac5aa6a75f7c1ef |
| SHA256 | 66e80618b75159d6416c663c6d627c81801d8baeba2f87338d55bc9d04535d21 |
| SHA512 | 58ecd3e3ca5d40f84a5f297dcab43122a4918ef239c5eca0cc04657399aebb08a7a64aad82c6667853c2ce44365af2b62daadb07f3636c01bafc03fadc87de0e |
memory/2248-4-0x0000000000560000-0x000000000058E000-memory.dmp
\ProgramData\hywYUMQM\qsIgUksk.exe
| MD5 | 7f9b1002ee89a4704ab29c816428bd1f |
| SHA1 | e21b696e29d7462369ce508842d01d3f2aef791b |
| SHA256 | 02c558a8b9010bb335209cee007614eaddde47ad4580df762541d3dcfeb3b1ab |
| SHA512 | fbfce9c77ba8bc1775098081498da0abd0003a9a9db621d0b6cb14dbe22447c8c8c7794c431e334931d20afd9c0285d1344b0718f0e0e3a70c4ee43c008d0d34 |
C:\Users\Admin\AppData\Local\Temp\yuoQUcsk.bat
| MD5 | 21f18c293dd441ff79fb730d991b522b |
| SHA1 | 4b1ce5272ccad0dec71404f6f3c3fdbcb7d5fbac |
| SHA256 | 336be22749c821b6f28d7130540f3ccf9416c7f16e3e80fb15c911d0e2210597 |
| SHA512 | 48db047b8203cb99d1c96a0ae72eab5e6e969b3b6a0460a970304c60cf356fe4a1b7f8c2b834ebcb844091bc2079919f97b0e8c4ce6a94133fc008ca87453131 |
memory/2248-20-0x0000000000560000-0x0000000000590000-memory.dmp
memory/2248-15-0x0000000000560000-0x0000000000590000-memory.dmp
memory/2248-38-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2100-41-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2100-40-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2876-39-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GWQQwkcc.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
| MD5 | 59be91b17983f2d8de110d2534075292 |
| SHA1 | 184ce4f6b89530f58a9952fffdce4ce254447937 |
| SHA256 | f9b54f0a6c4a21daea6f41263e8df267367f5b491094bea56179a9c3b4ebd65a |
| SHA512 | 6c37049c71557a3bee37a8380912733b009f68844818f3d2586802ad437c82c32ac51f170056add421976b24e0e074ce619d3987195ce693f28eff657c028c74 |
C:\Users\Admin\AppData\Local\Temp\oYQsYAIk.bat
| MD5 | 39290a633b3a3a598f2f8249504ea052 |
| SHA1 | c255f62a89f33cda550c3dabf5e7c2367f64cf1b |
| SHA256 | 08a7f2a727b9d85fedd2d37690bba713ce3f8aded5a263a2b7d110bc44d12657 |
| SHA512 | 22008cd254bec2e8695ffceb26d9b20eb47d95dc37a510ec600af48fb396654df716f8d0c75861bb58b588e1fd38d230e1dd0de97f5f23203386715468a60c47 |
memory/3060-57-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2140-56-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2140-55-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2876-67-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iGoYwwsE.bat
| MD5 | 8254beb77d73e09f12c8da6c1543f356 |
| SHA1 | cb95e5fddc328357e41146a811ee717f51d1483f |
| SHA256 | f6088a7d9fb206662e9567ac3fd24f447cbd3e299b57d18a28d9b314ea9e2f8d |
| SHA512 | 3d8cf83b32ca205ab9efd6035c253c03a75719a27280389e8fae7c497559bb64dd1fabb3b80d6befcabf5a0e60b5981d1fbb97f7e0ed6ff985b0378991df6e38 |
memory/236-80-0x0000000000260000-0x0000000000293000-memory.dmp
memory/236-81-0x0000000000260000-0x0000000000293000-memory.dmp
memory/2816-83-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3060-91-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pgEYQssU.bat
| MD5 | e9b2d12e65690725bdcc5b59c5713d80 |
| SHA1 | 5ff34eee1aa5a9d985df3bd94fed5e41e9e7deb0 |
| SHA256 | 9519ddcad40761bec84d6cfc35e28745316d073674c6d499f86ca48601d46a21 |
| SHA512 | 78a0bf93277ca3ec2d577340309d395de0717e2673abb47671b64dc153b27bba7524aba518efb75f58fd099bddd631872411dc462a622638000a5fb874942999 |
memory/2996-115-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1856-114-0x0000000000120000-0x0000000000153000-memory.dmp
memory/1856-113-0x0000000000120000-0x0000000000153000-memory.dmp
memory/2816-112-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PeEoEgUk.bat
| MD5 | d5879a76d6cd460d5002fb7f3dda93b1 |
| SHA1 | a60e926bb25071fae8d4b6c4ab7a40d1adc05005 |
| SHA256 | 03835b9f37ee67a95cc33bf31458a47126d99ef219c1e49893c8562e637f7e67 |
| SHA512 | 647ccef055fb50657bfdde816b9126a1aa19f95e4b2f3ce68607c6332a5c9b368759f4e4b859bfe0789ea61e8ada2ae90f82efe142566fe2bca5677f8f544325 |
memory/1776-128-0x0000000000270000-0x00000000002A3000-memory.dmp
memory/2008-129-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2996-138-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hQkgcUwI.bat
| MD5 | 651674d32325bc2562e27250e2663ed7 |
| SHA1 | d382282ba25bdb10b2e15751f06ac03cbc147cad |
| SHA256 | 0ca1de1b2c4db9cf40050fe2649accb0186c841ebfd32e6b9fbdfc7beb6f3c8e |
| SHA512 | d10db3cddc1e2810b642ef93fc138dacbfaf1c061dacae5cc0e116d425d108496de2a163df65d2cbf19b26aa5226a66bfd4500683ec3a690dccdbfaa8da2b0bb |
memory/892-153-0x0000000000400000-0x0000000000433000-memory.dmp
memory/676-152-0x0000000000190000-0x00000000001C3000-memory.dmp
memory/676-151-0x0000000000190000-0x00000000001C3000-memory.dmp
memory/2008-163-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zIcwwggo.bat
| MD5 | edf417295ce17606a40f6ba414a5b6bc |
| SHA1 | a45a3e59eeda8ad2daaec5e6d9c6e3d09ee1bbef |
| SHA256 | d6949285014480a0173ea85135806497aa8a252821e1d88b30249ea2e2331319 |
| SHA512 | 6c79dfa552562d83ee9d3f4e27e9748af22cbdb34598b21855c8445bb40a564c74690617a3d495671b476b9eb350e35922094213af32d02c4672e9c4a4597f84 |
memory/2680-178-0x0000000000400000-0x0000000000433000-memory.dmp
memory/892-187-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2576-177-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nyAsckMY.bat
| MD5 | a059a008f767e544ff2f3cc9a2ac7cd4 |
| SHA1 | 59937246656b16767a9ece3135cbf6a78cbb51fa |
| SHA256 | 888eabbfabe6014e3f0d360571b1feb7bac360bd1d759d3e1194a13c78433e91 |
| SHA512 | 70466f8577f163bb0c4003104245db42b88636d7d706643db9ed56f7def6fc16e79fc7d7068f27e1c83ab953e5a838183eefa8149267c4c5ea870caa77ef5ce7 |
memory/2324-209-0x00000000001D0000-0x0000000000203000-memory.dmp
memory/884-211-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2324-210-0x00000000001D0000-0x0000000000203000-memory.dmp
memory/2680-208-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\omscAAwk.bat
| MD5 | 61b7ff7f65ceebd376d4cf1006863d41 |
| SHA1 | d3eab28106c4341f9a21db75e1aa9c71be05d6a6 |
| SHA256 | e6fdedd52cf99f290f3b9e302cf658a9ccc04b0df3068c081854998e829a921a |
| SHA512 | f8f1e5e4f36341168b46157b1ebd34c8eccb17ecee1f02decb8666952d29aa8300c55f2ce77037349fff8ea1152e5c283d2d72e7b7aea9648fd3958bae288079 |
memory/1480-224-0x00000000001B0000-0x00000000001E3000-memory.dmp
memory/304-225-0x0000000000400000-0x0000000000433000-memory.dmp
memory/884-234-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IAAMQAcw.bat
| MD5 | b9e9ea6f011f6bbd34954032cd26ce02 |
| SHA1 | af838bfe256880990bdedffc70889d11de96a3e8 |
| SHA256 | d817db0d35224e4fa6f015d14d61402a94feff7d079073a5196c878df3510374 |
| SHA512 | 93efdc695824110ab18aa3cc18c6f9f75e24e28d12ebe587ad59530eeff4a8d5d651c750dd5bd0075012c991bea59db8977bb6ff082e77fee1d08e13a9cd8f29 |
memory/3000-247-0x0000000000330000-0x0000000000363000-memory.dmp
memory/1824-248-0x0000000000400000-0x0000000000433000-memory.dmp
memory/304-258-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ycgkEUEI.bat
| MD5 | 903889e11b3143735f6f864b78a8a744 |
| SHA1 | 738d313dc918dfead7fcf2d893678ea159508da3 |
| SHA256 | 95a1f182acbd45388171a79a1c720ec84ca0f54e3d406076a2ede34b71b557b2 |
| SHA512 | 206028f66b6b38bd2863fe704cb397396f6a0802c131b06715597bcafdfc39d8b52913faa6f0d3f47b9b341546bf92f5f52ea82e63e612149bd0dc4c427563f1 |
memory/1976-273-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2308-272-0x0000000000170000-0x00000000001A3000-memory.dmp
memory/1824-282-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AoQsoYUw.bat
| MD5 | e0a1861b4183cbe86c83cf93de347ab6 |
| SHA1 | d774bd6c47b3a8af16b82d380d67e2701602143f |
| SHA256 | 8b26a54b31948d47a1ba45eac6e661a29677b4784a8477f32699984ac3a3f3a9 |
| SHA512 | fc03637f6b6ddc801d29e56d03df0443d8a319dafa8eeabc87b4a067b2eec36922ae01b597421d6c9c5a3003c3222a780d457350ee35f491b18167026c6959b5 |
memory/2776-295-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1976-304-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nEMYkwcA.bat
| MD5 | 2a756f5af82f17c858b3a3195d162402 |
| SHA1 | aa34df1f2009083cf020f80cf28b072040453289 |
| SHA256 | 20660b6985cd2bfed82d428334af491988111a78cb589b3fea99f9e539f141b5 |
| SHA512 | ee91fa4cbfd524106cfc2340842db3a9be8b0f1b11cc54d8b8360acddcbf571a31de1070bbcf641bd77b3343560f6c5f72d2ebb00f479e348cffed7f76db7cb8 |
memory/2100-317-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2776-326-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TKMowckQ.bat
| MD5 | 10f05ffc98878f5d5da655b11d44197b |
| SHA1 | 0c0231a76185892e29e90e2047af851ee1b8c729 |
| SHA256 | 8c72835fc0fe7f306807b1bf64d0df75609b133ee44b414953f4c1354838d2e7 |
| SHA512 | 89821a8caee34e4dbfda76e9ac65530cfdb2f3b707fd5b6460c009bb6afdad57428332fe11377149690b36bc477e67072f30274c4f8811ac69bf9239fc4cf353 |
memory/1160-340-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2052-339-0x0000000000210000-0x0000000000243000-memory.dmp
memory/2100-349-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xuAYcAAY.bat
| MD5 | 295741c23c8f180b4b1832d723e29864 |
| SHA1 | f6830f3873442c9485abdd4a13fe5e51c0d7ddcc |
| SHA256 | 55b76205313a31749668d321f14af62124e4bd103f270aa7dced7e23f9513136 |
| SHA512 | 6a937ff2908a4aa636944b83ea09d3265a1f38eab7e7e42de76ababc53bcc0fc4b210973d94af9851e32ea41b56c7c210606ebb6dfe504a6689204042def51f1 |
memory/576-364-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1160-373-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LwUoMMQE.bat
| MD5 | 6de1a750e12f9d7c9ab8b631c93de704 |
| SHA1 | 48bc0484ceaa92c53f6b210790d2c819aa0030d6 |
| SHA256 | 141295eafbfe2c12083d4542ee5ec77d693578a37759fa64d1da0671b2d89d58 |
| SHA512 | 8c3e562d00b98d79dcdf90041c607082a1dfbb9d27ddaaa5f9e7d28968e84c5b406da8eaacd7c7f64ac77750c1c54ccf391eba8712fac031c9469f24da79b810 |
memory/920-386-0x00000000002B0000-0x00000000002E3000-memory.dmp
memory/576-395-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GYEYkYoU.bat
| MD5 | 14a9c74f75368ba5b2cc797b4fb6a0f9 |
| SHA1 | fda2252d8d3c1267495a48633678431a2d0f21ea |
| SHA256 | d77c7f4ed0cbe58b2f92e3b3caa170189491c7a4fbb987de5d3868055b98f083 |
| SHA512 | c7e796c60603d951ce5e305ef84881c0f6c08be3092722a5251877122a1cc34259b36101fcb664de460835c05dcb959e77d271f072b2f9925f57374c448ecf01 |
memory/1972-409-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2956-408-0x0000000000280000-0x00000000002B3000-memory.dmp
memory/2172-418-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SsgIwkgQ.bat
| MD5 | 4e938694585cacd581ec7a5f40290a50 |
| SHA1 | c8c11a1afbe7eed8032b802304f4be287ed15e9a |
| SHA256 | 83273009dfb23378341b48f8db4a6e0fc52cd18c68e3fa73d13c319a02fae815 |
| SHA512 | 79f09946a57476d9f25f19547461ce692035cc07e7a7cf0e317f357bae720f85b00c3b6f670a22a9bb037e624bb1bfe12f4cb19f39f7b7fdf1eb8acf4bf2ff8b |
memory/860-431-0x0000000000120000-0x0000000000153000-memory.dmp
memory/860-432-0x0000000000120000-0x0000000000153000-memory.dmp
memory/676-433-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1972-442-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AgIMwYIU.bat
| MD5 | 34b7165e0b2a9ce14f3af0295d28c4bf |
| SHA1 | 8ac35267a5a171a6568f9c3e90f68f00bc78fbc2 |
| SHA256 | 9f81f33b87604a945468a425831670cd1ed4b360b018b176500f95826e3bf7d2 |
| SHA512 | c131b0c8a118b85f45ad78bb7f57492653c2a7c6915c08613490ec8ca27e61f28f9d72e92bbab458e99d788848d66f22a7c78c19c754f4d6b85b8a75778706f5 |
memory/1276-459-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1544-457-0x0000000000160000-0x0000000000193000-memory.dmp
memory/1544-456-0x0000000000160000-0x0000000000193000-memory.dmp
memory/676-468-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MIsMUIcU.bat
| MD5 | 11f3d65b69a0f3bffa406cd94484c8d4 |
| SHA1 | 9d5d97d5bc862955abd1c03615eb0221cc3e6888 |
| SHA256 | d25bb33ed43f24d0c9e6c324f9874699076c3856d6d8f65b7d3020698c13c2a5 |
| SHA512 | 1559a721a3601c2d916711082015a1b46d58f1ea709e2a368580bb3604a72eef92553eb6f7c75610221d74d9627a34b80b9ff9efbd70448d52a8524307375e7b |
memory/2256-481-0x0000000000280000-0x00000000002B3000-memory.dmp
memory/1276-490-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dmUwsYYQ.bat
| MD5 | ac18162dd68ec522e1fefa40eceaac42 |
| SHA1 | aea03be4c5f4a0540266bc4e8b2032fd922bc8a9 |
| SHA256 | 8b4e0d59c86ed06c2b55e8673aea47069410feef90087d0bdca916211779321d |
| SHA512 | af1578999bde2892ff7748a6ebca5f8e52216e37534ff69dbcbcd7de93ca38f1511c5d443b01b85a49285e81714b4b225df59f598ac50760b4750f2174160cb0 |
memory/936-502-0x0000000000360000-0x0000000000393000-memory.dmp
memory/936-501-0x0000000000360000-0x0000000000393000-memory.dmp
memory/1708-503-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1300-512-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JEsUUUkM.bat
| MD5 | 55dd8401f1bcf63365df4602900f7df0 |
| SHA1 | 7b43f84d4d61edfe383ef19199c34fd2692cd880 |
| SHA256 | 16f9a116877824cad363de44005621a7c49e1053a317f3572890ecf1f1b618a1 |
| SHA512 | 955d9daa729379e6dc68c94b422b203e45976fe79a5101d93ab390a50e386ba30163b68a61f481177b987ce9ea62b511d35103f1d852326799c136745246c896 |
memory/1744-522-0x00000000002E0000-0x0000000000313000-memory.dmp
memory/1744-523-0x00000000002E0000-0x0000000000313000-memory.dmp
memory/1536-524-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1708-533-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rGQUAMoc.bat
| MD5 | cb6c06b8dd4c3721d8a6470cafd6a497 |
| SHA1 | 9bf1a87fcc18bd64e0b9822b05e6dd492613e495 |
| SHA256 | 61edc8b5d64d6a5530e2f5f84c539c996125a51d8a0736b9c2be3b99787f03c3 |
| SHA512 | 8b184d18815925d597874222d4f8fb41c6a43dc94bd489f04bb733334ad5dcafda5a858b1fabd4f5adccb3ad07e57bf9094f532c382206c232e6644043a5a42e |
memory/996-546-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2632-545-0x0000000000510000-0x0000000000543000-memory.dmp
memory/2632-544-0x0000000000510000-0x0000000000543000-memory.dmp
memory/1536-555-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BacYwoco.bat
| MD5 | 572751d278001b0c46cf703df01f32ef |
| SHA1 | d0fa69d558a0c34d0dd6336a317a9bbccc67c588 |
| SHA256 | f9e073169df2be539a56ca9a87ac1a527061fefa4ce6fccd308a58e536e3efc1 |
| SHA512 | 6a01255f0592e5c0961974903335b7608d58ff5018c9111fc53ec8e55a7e2d5f37c8d093f4ebe94aa83896d6adf9e9af467cfe35f89ba8ca1269392fdae316b1 |
memory/276-568-0x0000000000300000-0x0000000000333000-memory.dmp
memory/276-567-0x0000000000300000-0x0000000000333000-memory.dmp
memory/996-576-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EeAoAAUQ.bat
| MD5 | 23f1b17c72b3dad6ae70c49a15a698d6 |
| SHA1 | ef3f0ce7c08c086d3e37544419f5f3f6849483ee |
| SHA256 | 3cd5ff4c63ac2cc4d7097b6bc6b0dc817b191d27378826ec503b3b38447d85a6 |
| SHA512 | 340e98112d5ef9ce471ad697216a4889b44ca5809c7645093bbc08d7a18a1c8e141c48b55d70b2ef14f7c9db79bb5e6a3eb789ad908249e1058755f3212c72ca |
memory/1784-588-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2384-587-0x0000000000160000-0x0000000000193000-memory.dmp
memory/2384-586-0x0000000000160000-0x0000000000193000-memory.dmp
memory/2448-597-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uEkMQoMk.bat
| MD5 | ff040ec92fb0014dbad31538ebea8e87 |
| SHA1 | 3013e0a8861afef7f4e1f6df22b4cc3d7d4a5f4f |
| SHA256 | b122277ce601660370fd9803fce4105a4c1b385df6a3d46e07326a9eb4e92e67 |
| SHA512 | ef4ef30102f3b172c5b0466bd58b167ac747f9aff15206c284e9451ab642f22973f44307884bd0b3331e53c0f890366f6c8020eaa39201e928a18cdfabeefcb0 |
memory/448-609-0x0000000000400000-0x0000000000433000-memory.dmp
memory/808-608-0x0000000000190000-0x00000000001C3000-memory.dmp
memory/808-607-0x0000000000190000-0x00000000001C3000-memory.dmp
memory/1784-618-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ESkgAIkE.bat
| MD5 | 51577aae67fd065d436774dacc90344e |
| SHA1 | 59cbd50c57a1ca5291bcb6cdb2c26e0266203e99 |
| SHA256 | 453f19c1b9fd16cffeabcb135b2f421eca75bf824484c2279d63a6af7db5ea29 |
| SHA512 | f951da28824b72409cea60d392fc8042672f084ce0a8c3441acb348fa0dae740734f774790131c30f0355e767d02d9a3002302b550a8a19684d6a658bf6b49c5 |
memory/1740-630-0x0000000000120000-0x0000000000153000-memory.dmp
memory/2364-631-0x0000000000400000-0x0000000000433000-memory.dmp
memory/448-640-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WesYUQAA.bat
| MD5 | d9ad37c3f4195a6ed9223f1f3b016909 |
| SHA1 | 38a253942170f823d9319ffec79d0ad3c0acdca3 |
| SHA256 | 3885670ddc6d80c12b8dbb6009125bdb86f82f35192cc89801d2b2c54c237250 |
| SHA512 | 1aca6e2ca4f288e74d649e6f3a536a5da6f06a882061c0a51f68e5fdd1bdda15be05a53592734bf96f8236c888f8ec9ed730ba3974bfe7bb85e965344c69cbc5 |
memory/2300-650-0x0000000000310000-0x0000000000343000-memory.dmp
memory/2364-659-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JGQUMEQk.bat
| MD5 | 152c4931b0f92a42921beb7cd3b70771 |
| SHA1 | 893e613b61aa792acf96af180f253e49b855553d |
| SHA256 | d76eaaf24c01d54a65d30b770a8d6a268330d6686cb1b857f9ff8d5cafd0adb8 |
| SHA512 | 5f41620dca39c9a5b71f5db879c6d94443561beccc6b34c3a3f52c11a50e44e621640cfca2238bf92f582e5f119577004fdebf6e2534ce214a5d8cc40e168328 |
memory/1720-669-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZWEcgsgE.bat
| MD5 | 67b603bf924afb70dabf78bf6390d459 |
| SHA1 | 794f0ed121bd489661f69a0ad3e3ab5678c9dc86 |
| SHA256 | 090499092931a6f414b247a95c18da24ccf8378d6e9779193e2458026da05b8b |
| SHA512 | f26686439238a3268dec0f098c6b2ad54263a6209a2b9bc00082560c4b658da22f71f7d96d392412e1d927dea534c9c2276489876ded6af7445ecaad03c09d2c |
C:\Users\Admin\AppData\Local\Temp\AsEk.exe
| MD5 | 46ed258b2d45d44dbd5f48b0a5e56042 |
| SHA1 | 9207014971cc3565a3c77347f5040e42db563a37 |
| SHA256 | f37b6ca8122781cd16b932828321964730a1dd48eaca80067e523e4232679a43 |
| SHA512 | c2dd0f9429f15fe9115b9809c092d87a4d6ba87c4dc68ac024201d6ec68c9c34db7d1a102dc0df47850ad47b8d8014e698459f05df29c23f902fc02d3032d64f |
C:\Users\Admin\AppData\Local\Temp\fOQAssEM.bat
| MD5 | bc79642cb58ece733cc57aae207830ef |
| SHA1 | 744ddfd88237a7c341568ca46804d0a03320dde7 |
| SHA256 | 01ead35507d687542d68798e0da81cc4c00a1bdfd60bfbc99e5318de2ce5cf48 |
| SHA512 | 323f47d02092ac4dafe8ac43488dc6f34412d6e8604ac573223c9190464a2fec6c6709faae84d88687d8cb02c34cf0442eb09334bb7577dcf7a7c8c61bc8f485 |
C:\Users\Admin\AppData\Local\Temp\diAcogQQ.bat
| MD5 | f2902e04b4824377750c19fa308a4244 |
| SHA1 | 5a0e0989d68de969be1b6ddda361769e43c7f77e |
| SHA256 | 4dbe88a2cffec0afc5cecebe726855209b288e90631350a0f5cf34c137af408b |
| SHA512 | 74d5336d6c94cdf51a20e960c5d8c29814b5d02e59b81a1675a4078350db5e0eaafc304a4db9a45e5aae80c2cc030b3a85e2d6f052c1129821b0d9ac2f00653f |
C:\Users\Admin\AppData\Local\Temp\KoEAMcQc.bat
| MD5 | 65a38989eb68d504dc3659eb4e93ae15 |
| SHA1 | 1995b2920ce4b4a86dc900dd37c92072ac389482 |
| SHA256 | 5af4856eec703c68226971ec683492ee83775d89ee1c5559a06e1d6bede5fdc9 |
| SHA512 | fa66b879e5d6dd1940591944006a1c5ed9c9ac7a3e671f6b34a73abbdb9c6bd782e550c601dec333d141047f0032b56892bddd9a12640201264d06490416de4b |
memory/3008-777-0x0000000077510000-0x000000007762F000-memory.dmp
memory/3008-778-0x0000000077630000-0x000000007772A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SAMcAMkc.bat
| MD5 | e08ff4cb0144b8f6df5bcfd96285f823 |
| SHA1 | fbe807420fafcfe2579d24afc91ed65d2bbf9bc8 |
| SHA256 | 0ed8219fe9be5fc6dc46d0de5e78811b296940ff418a32965d1112fc24b47bc7 |
| SHA512 | c5ccc718591686d1024b02da18452640c8c41291a8aa607f01c33356d74c7d0732fb104dfdf88b514217fb8df3c82070858186e1a338458db557c1e49e62904d |
C:\Users\Admin\AppData\Local\Temp\yoAMcsQo.bat
| MD5 | c63a90ef4b096412d56b744f480fd6a1 |
| SHA1 | b08191362da96082a330b026f2618105498813f2 |
| SHA256 | 0781ab7edb6a6f8387c20a712238178f2ee471ca8191c344c6bb4f8c86207242 |
| SHA512 | 382913bbc5b639bedebedebdae72cd2a4a62504fd7d39cdde2de54c4d1ef5242bc26548da09b4c491342bcfcb5d8065c1d7d6449379eb1afecf27188b9e2f9a9 |
C:\Users\Admin\AppData\Local\Temp\CeUoUEAg.bat
| MD5 | 3c26d1ff5ecb08eca6145b7cdfbd8347 |
| SHA1 | e1a7289ae551810759f043f392f80c8d69d888b1 |
| SHA256 | 51ec6b2df5daf42be3d4665637ea746e7961590881b92d502db83a087965de3c |
| SHA512 | 187643a47e190f67a8e58054c03d21893d903f2d522b08c9aaca2b896d7d1b3a9bd7be0635ac2ba83afd71d0174f02abcef4f56c400130cd1c6e668ede5a78c7 |
C:\Users\Admin\AppData\Local\Temp\oiwcUMYA.bat
| MD5 | d96c85cdf6153e41ddc75ab21bf560d2 |
| SHA1 | aeb27503317c1014a2824c264b18fdbdcc604933 |
| SHA256 | fcf14dbfddae004132318d02a5567029e71d694efd1a03eb7d0a8cb0229e1b77 |
| SHA512 | 69ff362a18c2cc18a356a28896e9da11157dcf63285ffb8c9e35bcf63b66fd7028496643438a0ddf1d9ffb3c764681c188fb01d781d2e93e5089161921acb844 |
C:\Users\Admin\AppData\Local\Temp\fgUQscgE.bat
| MD5 | 7a8f1a5d07bbd671eeb7f06c71c77339 |
| SHA1 | 50b9d3a831bb1fc831f28fb1cafa164431885e98 |
| SHA256 | f0eed6c08ec10792762e8bed3d312b3b5898266adfab09ed0854c0e4d319d286 |
| SHA512 | a554b3d0a75c9d80459171c2fbc69332df5d23cf9372d8c88982a1ff684d9251c52f2390e3c6df907d99f80190b7e81a3d873113194eac84a7ed305eb1bafb09 |
C:\Users\Admin\AppData\Local\Temp\ZEMQYkgo.bat
| MD5 | d5b8b348058bc8e23b0197abb415e1c5 |
| SHA1 | ce9a9ccbdf6db45d49b605353579dc604cfc570f |
| SHA256 | 2fd103cc1f4f86025640cd9b5f383631cc79cfd0dfdd5ae7de1514808985dc83 |
| SHA512 | 31e120b291ee5571dbfd895f7dd366b539e5e501ad94f9673ce6ac33adb86a1c891a454e909cea77ee5534a0c3d8faa4511d4c971385d6b70b9fd91cecb60ea1 |
C:\Users\Admin\AppData\Local\Temp\HSgkoEYc.bat
| MD5 | 6338a46e1109cdcf877a7dda044d4d40 |
| SHA1 | bca0414f5e9eb43baa6ab2bea979bb846387d213 |
| SHA256 | 75de0ce602ebedb0e404800b19afa6e8b75731ece4eaad53653041df7702a78b |
| SHA512 | ee946a8db218d2819b77c12472fa998df5982213954958b99699b1aad05f972dae5e8466a254747aa450bf9b20e6d1c0afb93e4fe6042768aafed6b1dc22298b |
C:\Users\Admin\AppData\Local\Temp\IAIMEcIs.bat
| MD5 | 0b3f1ec89492d735d9783fb0e2d04e81 |
| SHA1 | 59978b3aafcae20b53de13217133a59047a40feb |
| SHA256 | 815e5285c1a49041147a846c363ee110dbb882a5701f6a0b82b7657fbadf0718 |
| SHA512 | 5fcd59bb40f3405e706904334f51d84e3c7ffc888a7a279d9e639465d7720856f4c3e925a03b8945b4fe53eb6b5b6c3e6e130e9efce0ec98ca7fed2e52f7ae88 |
C:\Users\Admin\AppData\Local\Temp\WsAgcMUQ.bat
| MD5 | c6bba8f08b92fff5d833b2285fdd366d |
| SHA1 | 175f4c77269c96c341ceb627cdc0bfd675c662b2 |
| SHA256 | 55e6ec908d0029609d4baf31f2019570bc8740f901e1ba46189a92ea30aa383b |
| SHA512 | a2274f797294c697472a2874a48c880222e9ad9a378f03ae74e4e3e201f4678bb0e29a736d8bfd55ff2299c89888fe9e6f73be9410bb9c70554a27600eca51dc |
C:\Users\Admin\AppData\Local\Temp\aGAUkEEU.bat
| MD5 | e6ac083655a593a5afd2a206625f96e7 |
| SHA1 | 729d52a8fe778f31c4d0e37e710c4eeb54ab94a8 |
| SHA256 | a01167719396324ae57a9a810d093aa9310ba4901bc6ddcecb77a7554a62b2c3 |
| SHA512 | 5cf79cc53de372467272726cb0ab7b0f8e8c3c4f5491f95556f5153901b65a60d2770197ed48303096592d7df2251fd29a866cac6bf4b9e601bbfde6a49b664e |
C:\Users\Admin\AppData\Local\Temp\wucIYQMo.bat
| MD5 | bf7371bc3db131f0965ff21c85d448e5 |
| SHA1 | 6796b6993359aa613528ddde453e8fa833a8fed8 |
| SHA256 | d227a72588b0777eb92f67ecd37b8e0158e29650c07ee3e020abdd745e36d019 |
| SHA512 | aff53fadc4421f641ae33b7fe3fdda3bad0efde51c6d286e5786a1e712608b73fa7aab50097f86604f3efc2f0ebfdbbe302ede92ffe9cbc2dab9121ec81e3b0f |
C:\Users\Admin\AppData\Local\Temp\jUEsUsUM.bat
| MD5 | 29cf27e3d735fb5a2f1689d4046e5584 |
| SHA1 | 2024da90486489d8ead75da71452e7ccd15da2f9 |
| SHA256 | 9d285eb9d34605b9accf347dd20651f502e8a531a3ca6a409a0789e908de9577 |
| SHA512 | 19214adeb3d1417bab5ec94c701a1135774b845949579c0010737a1e25239096be96309ba0bff73a34134648d094a1185be5287114a078d1e4b372db080feec8 |
C:\Users\Admin\AppData\Local\Temp\hUUAAEIA.bat
| MD5 | 93e3abd51029c6e26f30e256f80a28ae |
| SHA1 | 5661bef7675f93597b3bf02db3de5e4fa62c7e42 |
| SHA256 | a8d09f96807688a78c47dafa7c4fc0ba6422d86521c166b84a416c3699dd52c0 |
| SHA512 | e65ed86a433508c5308532e2deeace8b97428116716f54ba88c7e896758b83e7fcdb4904f3eee3a4733bb4dba4f89a95523c4c282656242d928be4fe7122e0fc |
C:\Users\Admin\AppData\Local\Temp\NUQYsAMk.bat
| MD5 | 80301523c3266f1bf32d4574e1b6cc76 |
| SHA1 | 0e8d8a3688bf28fa5bb447c58e1db27a99ed5002 |
| SHA256 | a431263233cdb840768d03c3db315d0760b89c8ee12a246a08a404ecd21ad91d |
| SHA512 | 199b6d37017a0564b3fb00cccd6617b7b88e9792b6c3529904b1ea4ff3aed27923624d2701a8e63835443266de69af77cf54a7a20133fbfe56a0f6ffd9bc5b6d |
C:\Users\Admin\AppData\Local\Temp\XsAsAsUA.bat
| MD5 | bac0d9538cff8e7b0659a47208004e6c |
| SHA1 | 11c09497e8a3b87093543435496d78effa22c818 |
| SHA256 | 5345890d1741c44e9fe439a53da8eb05af9032b9079128fcd2df67d11249159e |
| SHA512 | 2769274678756b2f658c526ef2d942f1103eaff3228d4418e785b1faf8f9156315a7011f82d7bc0845c64218a5371710cf88334965f07cdf41d26d3eec72fc0b |
C:\Users\Admin\AppData\Local\Temp\MUsMooMA.bat
| MD5 | 2e7c86a879c7ee91ed286bffc155f4e2 |
| SHA1 | 8d8803d9d06b82ee0cc170a864d6120ef3ce59e3 |
| SHA256 | 27152fed537dacfda81d0c480d106af73b38ba89d4f800c18109a2d28eff3394 |
| SHA512 | 40a2473a55edd1bbe840277f96bc1e93266c833239a988da4bbf8a10c43686d1846fddd055ccac5ef4802770e1c8127ed2082710fb477538f0637b324ab9c515 |
C:\Users\Admin\AppData\Local\Temp\WMcsMIso.bat
| MD5 | 72ab95dd5aa9e36c86435a98e0b27de5 |
| SHA1 | b2774a86c19357c376f25f9475e22742e19e7306 |
| SHA256 | 065e5c3f947f0194bb83db23290ec3206f2ecdcdba66b5a69deeff990b10c4db |
| SHA512 | 5739e50a0c6b98aff0179a27b8bec737a44c179b4d7690fbdd40ac40843672fb093d21077270074c1c28ea50b349880c791383e1a13d5bd6456d45264991f1d8 |
C:\Users\Admin\AppData\Local\Temp\UCkEYYkE.bat
| MD5 | 887ee8f850d6da240acea93f8f38141b |
| SHA1 | 3f20e486e4ae79f1a96525b420c06e3c44b2c06b |
| SHA256 | 62468c09fe776fc942add4172268f4772b4a86019a4011e4c6b2b121505ca300 |
| SHA512 | 685bd152c3bbfe664b4d4e6f837c4f1aff9ef1e7c9cbe2e8769013e50ee2f81cb00237f489511473b5f38f482f20b6454a7f1b4a9bf95e0d2e6318c347565c89 |
C:\Users\Admin\AppData\Local\Temp\IKYogYIA.bat
| MD5 | f4a1d2525c3e73f8acf8e3d24addcb7b |
| SHA1 | 665efd838252edaedfe837cf85834b40b0c6bd1b |
| SHA256 | 1598548839475ec83e6be5c4fbea8a170ecabaa08728fc5346c06dcd45955db4 |
| SHA512 | de101c412f77dbe3cbe8710842b45db24eb9d20b578d41e14f91477aeb92b472ac089a1ebcff64711cd88592ad70fb74cee9fd986cccfd90057bf55185eaa0a1 |
C:\Users\Admin\AppData\Local\Temp\WUss.exe
| MD5 | 6f9ce6c0de4ba04666855bb8e2a1213a |
| SHA1 | 962c3e1219dc8592d5d7386704b9f523039348b2 |
| SHA256 | 80cdee82139475ae3709b8a5f2aaa7132c2aae4f55f329561eab30e3e686cf6a |
| SHA512 | 0f9456a287eb3fd861eb2d6f10cf149759d29313ee45db2f60d21a58e4ab0ab3ad4687fea467a1e659dba006cbba1613a65c6203c46321daebf85c4508888e7d |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
| MD5 | 85710af4d7c792c55f303f9cfbefbd47 |
| SHA1 | b4267a64c8ef1764ddca54e183018f604b49907c |
| SHA256 | 63860848b850ec0616019d6d99781f76599363ba0d0c52a3817fe1ba7b27735f |
| SHA512 | 920666dc6c554125fe0c1b09d5553c4ec5a43d44972f4d3eb46bc05a663c64e92528eb0cc65717a82fc19bca8515456ea9cf7edcaa4e97f7ae769870c89b1e71 |
C:\Users\Admin\AppData\Local\Temp\aQgg.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\oQoE.exe
| MD5 | 342388c6a45f56eebf1a2699e167008f |
| SHA1 | 19ea1fe4aaec03f299f2b206cfa69f2ffccfd67f |
| SHA256 | b5fd296fc58de9a8c6e3e1bd8d5cfb2454de82c332cc1f139cfed7d784307a64 |
| SHA512 | 4d302eb1c40fe2707af1a9017a9378150e86edd6e6d270a2565ac29d1d5a249d2972d80527a3aa78697762861239b45f2544a6fedcfa81e665b57098c433d131 |
C:\Users\Admin\AppData\Local\Temp\cQQI.exe
| MD5 | e548d5c96fa4ee0078caa9ab1844ac6b |
| SHA1 | 493caf5e18d3b888a45173fa12011d2b53e6ab5f |
| SHA256 | e96aef3b9e5e366126b5470bc37801bdd031d0773137272a7951ddfb1e918bfe |
| SHA512 | 0ad5853eee4cddab97bbe97cf90fd32716e7912d21c97cd8d4b2bf5b74f892bbbdd14b8da8447a4bfd7d287dedf84401a3f1f704af0223dece96fcee6b067d86 |
C:\Users\Admin\AppData\Local\Temp\kgsQ.exe
| MD5 | 1860e7f230f1db894903a77c7c852ab8 |
| SHA1 | 2f0400b76afcfb4c6ea812de5199885a1fe5afa6 |
| SHA256 | a2e7d582b9fa873715f80dcd9af7ed73ecb82f43d9859bc6d3e81994ce9883c0 |
| SHA512 | 5b0618adbd506dfcdf43f79ee2d93c89922f0b79957a3410bf46e43b77a342eae52e73bb13006fe899ce7857582902ffef7c8a54f313aeada8c46f024ca77c1c |
C:\Users\Admin\AppData\Local\Temp\GOccIIIg.bat
| MD5 | 348d0c1998acf25b668d1f140428e759 |
| SHA1 | 9746dc4648bfd3a77fe8060bb99d9f18fb5a221e |
| SHA256 | 78dbaf6375a350da3ea9e009ce5c5ca796ea44a469626eeecf3c97f5a09f20b2 |
| SHA512 | 7755c1692bddd52f7d7138198a0b7947632a5a6a32e7fd4a22cd6dd3a02c81c3f070f56ccd2c2dc0d3f872e171c99a62364ac9ab0d32b55b12144275490adc8e |
C:\Users\Admin\AppData\Local\Temp\UYEq.exe
| MD5 | 4954a367eaf59e84d652dd9f719bc2ac |
| SHA1 | f44c98719b1f6c1a378360f403fad3a4514cf277 |
| SHA256 | e4ea7b40ebf0ae16f2d27694ca5346c9a29168534cbb8701845ba9e6c8990d0c |
| SHA512 | 19af6751366b87dcd0e563446a60c0c50295df053d87800ee1e49b416b1acc626b4516c7cab384d8d060d3544046117b34acd49b1070f46f150c02300faf9059 |
C:\Users\Admin\AppData\Local\Temp\Ikom.exe
| MD5 | f2d54543789bb890bf073dd81482659b |
| SHA1 | 9877dde5dcd9f0d8c16166a026e5fe52f68e9a81 |
| SHA256 | 2897eb0ca0ceac43c3409d619271ac7683b9fcee1f9e1e8f134b81d880989ace |
| SHA512 | abda125e2164d2ec8d52ef0c34985b4bc8337874c88c4c6db750f45434bab1726660b9823a151fbbd49adf112f633f321c02966894ed84af82fe54163f24a4ad |
C:\Users\Admin\AppData\Local\Temp\gYcE.exe
| MD5 | 54a1e72580a6e3816961c4a781ea3c8d |
| SHA1 | 6eaf4926742f4945608ec269dc5a253ea49c0e7a |
| SHA256 | 9752791b79a8d8d03559eac33284904c608820e3da67c2e5405dc83a731ba5c4 |
| SHA512 | ac1c7a2a62f262e9ba9b140fb61de1c1a60e51c6da1623a73d6aee36519c40247a338138773ba8157425ff42b9ffcdd3317998c25e49e8249df93128f3c3f25c |
C:\Users\Admin\AppData\Local\Temp\OMcC.exe
| MD5 | d436948a284bc0fb9ecdd48ba3827920 |
| SHA1 | 5aee5729ca15ef20a2b820c971f485770737609a |
| SHA256 | b32757002dec69e8971290e3e18f8f7a74b0fa9c2c15bf9d1d82bb297a94870e |
| SHA512 | d552f7075ec3ad69db0419bca9da3a796aeb1a953b33cb6f47d8d423d7085d773ec7cdadc7f115592422e61db779d572b5770419f8bc58964cc61c9568fc8043 |
C:\Users\Admin\AppData\Local\Temp\eIcW.exe
| MD5 | 565a2e7af896197c44ef12e1903630b2 |
| SHA1 | a29f3c4b1aedc0a4bcd7a899a87de2d8254a6ad2 |
| SHA256 | e69a34f6bdf837b94aa16f475351f30215ddb0c613d43a06db46f6350ff678d9 |
| SHA512 | c77e871c3a3f47ddfe9f0032ee574e2632efd4a17ea6f77186eb95979605afa8f269d8e26de95530d2ce5f33ed775f17d7d90e22c00449b0609d3ddb06421756 |
C:\Users\Admin\AppData\Local\Temp\sQUi.exe
| MD5 | 8b7cf87e6633ddbc66c298e6b2d22d63 |
| SHA1 | 51b50fc131fb2a340e9894a1907f117be6ac08b7 |
| SHA256 | ce1e92fd82ee945ed4cca78c9ecbf7c815d347fd9a13afd39ab786c2dc0fab17 |
| SHA512 | 7b34c049d4d9d85f76ca21e453923d948a2bc7a7be275e16f307e58b7fd5ae462a2a20bfc5137e3c32a8b96b66f14760ea983b8daaafefaa02ae6cdf51804fab |
C:\Users\Admin\AppData\Local\Temp\TWYgUEAc.bat
| MD5 | b05d36fbb584630a2c3d2e2b94812faa |
| SHA1 | 710c7ad4ec18d5f4fe68b3acc46564c5b9fa96b3 |
| SHA256 | 0f7e9557e48f2a140e1583f08306ffff32f2a1f4b180cb4f10ddfb1bfbfc63c3 |
| SHA512 | 4d582eece6ee4c8c9839a9f29fee30965e1280f2aacff088bbe500c0f6081545f69361782e833c429f30067d1404fabe571bdef1bda9c01ecf43dfd9d80b7cb0 |
C:\Users\Admin\AppData\Local\Temp\CYIA.exe
| MD5 | 538f290b20e8729ce14a3ce95cca1388 |
| SHA1 | a846d739a707167701813373a2c8a60ed501ddd3 |
| SHA256 | 6c4ca40b5e072a88a2d9369b3beba22ca048c172aa6380340d89a97da655bb03 |
| SHA512 | 59d6a482334854bca3a51a3b057326fe347d232ba1b48b528d52c284cc0ad84a0c1bd942b3d3e9c2036db7035043929bea8b788a0852f30dbd35269ebca901da |
C:\Users\Admin\AppData\Local\Temp\MQQW.exe
| MD5 | 1b7558ccae8da7afde0985fa5c0024bc |
| SHA1 | e045539d7438dcb39dd421e43315df9b5d1ef591 |
| SHA256 | f1dcb6575c368cecf044fbebf892353f19dcc5ba4e49b22fc002e7a031c52dd7 |
| SHA512 | 3cecb18c36ece9bff4c168dc674069c749a4f9cdfb1063844ae072fa754ef2bd05440f0353dd84f5cd95d3264dbdd50a09055e9a972c9ca6f6c935cab7bda32b |
C:\Users\Admin\AppData\Local\Temp\AQkM.exe
| MD5 | e00edba6e655f8313d7a730cb1b2f034 |
| SHA1 | 88a28d7ca57abd14c06dd82dea5a9572e7068b85 |
| SHA256 | f4eb8ed075a902d94444a58b5fe9a0b6e601e30a25d38c358d2f4bd6c425e356 |
| SHA512 | 68a5395f0a2d59f69f1a55190dcf50b70d5d8de3656a5f635e36871f864736ffb01c66cc46133b9ecc398fbf3fd2cfc0f9cbf1afbe3b72993a2013cc17ad90c0 |
C:\Users\Admin\AppData\Local\Temp\aEcQ.exe
| MD5 | 7481365c0c98811d0f6274cebcfa99c0 |
| SHA1 | cbb0f6db89dc8c6b60db31cc0786b93e7370d667 |
| SHA256 | bf1e2c50bccb9152a13591018c4d8078aa5151976071582eea7e35b8ab45461b |
| SHA512 | dcf1ce01a56698ba6e5b8371461258165dc192dc49fd674d154d42d3b1a890a2c298390bfd2b4029b815dac083d368c452092048101c02a343751e1da38b90b4 |
C:\Users\Admin\AppData\Local\Temp\dEcoIIoE.bat
| MD5 | f83e66a7cb181ceb31e237f48ce40c9c |
| SHA1 | d906b1df12fd82c6a1877f19a4d00fcecdfd5fa2 |
| SHA256 | 174abb5d48426e07d8256067229d94a820e3a0781d415633a60e0576bd322bf4 |
| SHA512 | 9d9426ef100a1a1860298f94c2557e2ddf36f88fa144358f48d36a4ee8d505e69ad33f150258c3e5b9d592245dbe84b9be144783681e3731607fde6f2e92ede1 |
C:\Users\Admin\AppData\Local\Temp\QAkc.exe
| MD5 | 9bb657ff9550beb5b1c03ea28a1c25a7 |
| SHA1 | e71a02d1ec82cdf754f430af9971a1a32f83f0fb |
| SHA256 | 7b57a92bca032b1bab3ede6110dbf544cb9ed4fa46c16344a7f577c3993fa943 |
| SHA512 | 85f4e3e94d1ee8c7018ef903a19110509cb064110abd47081b352a32fd3ecdb32d17d0260d8d8a162b9dbbc6df45a1beb7028999ec04e5462e25698286852d98 |
C:\Users\Admin\AppData\Local\Temp\KEcY.exe
| MD5 | 1d390967b714ed27187133c87f5e5523 |
| SHA1 | 1483f0478c88fcf0109b2991b75727eb59bcd9f5 |
| SHA256 | 68e225648663495569876b46b36247af5305cf1484138ef26a51ccdd69798c74 |
| SHA512 | fa24c9cb6d45b8b7ab801e88ed2c3413306b250c0db51004b1934ed94d71abf12d3e4ff1df8cec4b819b61e7ed7fca6fb6283d236c601cd1fb22fa1a117a51c2 |
C:\Users\Admin\AppData\Local\Temp\kkcy.exe
| MD5 | 9500adad417663d1a76d892381e827dd |
| SHA1 | 21f3bae624bd5bf90f58395e6b9b60cd29e811b1 |
| SHA256 | 3701dba57a78e6a46652536f62f7e6081181d3c02c2ddc48c5067e193769f101 |
| SHA512 | ea06e972ef7fe3c11de8945b761282ec01dbd684e961fba7e709bab864068104e6d0cd6fd5613de86d8d030a7ee7f02b5f1282bb6085805d579dbe38a736dec6 |
C:\Users\Admin\AppData\Local\Temp\MMIC.exe
| MD5 | d86baa36fe10f4948c162593b8129132 |
| SHA1 | 61cf370483e7aff1c78b9942964caa73cfab664a |
| SHA256 | ce7854ef004c2b40f1f48db7321c8958aa3b31942e4bddc431fc0ade10da68fa |
| SHA512 | af4f5927100a9c4e7e6621f8ff1c676b829cfc862fda31b219277f1b1625f7fe6b9fd7a3b9e483e17e06612e8093c26063b13ad501fd92deecd9edab0c55a406 |
C:\Users\Admin\AppData\Local\Temp\psUAsAIQ.bat
| MD5 | df4589425c23da78b5328cb263356a68 |
| SHA1 | 68ac133ec2988cffc5316fa1b28536acf235e105 |
| SHA256 | 88238c768a9e31737c698a858ce80b3ee64b5103880d22c6e19bdd63258a80c7 |
| SHA512 | d1e105bf1a2f0a53c1e0f3095a6ad403a2c18fff46b6fd1a024d239c6721090d53e729e33d13f9f291bbd3d1ce4b25cc5e1fc05c1d7ff33ea9dcd399886c22b6 |
C:\Users\Admin\AppData\Local\Temp\qooI.exe
| MD5 | e43476cb9f421b594fea1950b4672453 |
| SHA1 | fa9bdef7db340982909f1d87189fc47c6cb59e38 |
| SHA256 | 361ad399936eda98029dd7268231df55c9890ca81dcdde8a6e83afce9cd93475 |
| SHA512 | ab2ba889c6422261341af1350abe2a31f6a93eb54926e5c68f549215f1ac90cfa200ba7d38136a5765bb01de6a19650b425087f44440f59a3afb72db22083d48 |
C:\Users\Admin\AppData\Local\Temp\KUsw.exe
| MD5 | 61f6f7da17d64593701a9c920f0cfe92 |
| SHA1 | 8dee636d40ebd7b3781163fd60936841b9b1e54a |
| SHA256 | 2a943321f18901cea58b4145a902471a341e53563fb5b5535fb7ac5998b69e8c |
| SHA512 | 280a37bc71075c241d44932018b64d5754c9bee153b5dc5327eeaa6c82797d7d66c08c8232d3ae0a952dda3a80c295e5e0a400502c6c28402639e017cf7a65da |
C:\Users\Admin\AppData\Local\Temp\CMEg.exe
| MD5 | ea04deb68adab5c8f878b59001eb9759 |
| SHA1 | e033dcd6d33e2c4072d324e0faef95e850dd2255 |
| SHA256 | 66b6330661bed3a3410649cfc3b23e3aae94132bd1d0b71747d86a1ecc5115b5 |
| SHA512 | 93ec9c924ea7c531abb184a349f05c294127ee82c8b4374e4b34b16130a1f5599ea58dc73db9f51271178b2b51e3dc0dda45fa6c786b0efdab283a8e06a09e79 |
C:\Users\Admin\AppData\Local\Temp\SsQi.exe
| MD5 | 1e2cfe2e2b1a2e6e8eaec13fb5d0fb74 |
| SHA1 | 773ed2094082a3c63695636250e6db6e5a00d782 |
| SHA256 | 4ce816286192c58b88071290b6df28d3b1a89d06844f0383a45d03afcaa3cb9f |
| SHA512 | ba9c599e2831792e26ecc9f17444d14e8d7bb251aa1870d32880c31e7bee2b2fb5343558d9b4efe1f958f0e1fbb2272e8feb47afc9b4731ae84c34e6ba0a7dd0 |
C:\Users\Admin\AppData\Local\Temp\uokY.exe
| MD5 | 0d6ec00f57970f18c32d00e60c0b7ec7 |
| SHA1 | 6d82188125641c0ad11e7fb66d6f24dbc0a50687 |
| SHA256 | 2bf5922f79c89773d20de9e793e714f4d9dee45c386e6f18d790c07ba5cabb62 |
| SHA512 | ccf1dd9e83fe621db3c9c3a63539ebe352fdac8aa863561df2323d7bca824238ccaf2496a449bfc7edaf6ffdf63c9166aa8c975e67fa38c9d7e3ba8b5adefbe6 |
C:\Users\Admin\AppData\Local\Temp\eAgc.exe
| MD5 | dbbfb18a64755de3f7f0078937a05830 |
| SHA1 | b8f73bb1f4d406095bbb78387adcb6608763d55a |
| SHA256 | a9927c9a76c3ea7f792b9dd8de9ba677fee58aa5c86be26f8fba1974fdd2d93f |
| SHA512 | c64049265b7b876b05ce9c0d48727ef830c856d8a5740723dc504614dd1f3ceeb079550e0e75c4589ab89aab030f154a90bdc6b870880c3caa0a1e0eb4cab8e9 |
C:\Users\Admin\AppData\Local\Temp\DoAMowAc.bat
| MD5 | fc48ccbf8eaba915f64710405a6cb885 |
| SHA1 | fe8c0ca502f7700a5a68f3c7b16018d0b72177ff |
| SHA256 | e1d17ecd5588732acbd2e33ef553ae458b1f4d14d03e89ec37f4d4689a98a6e9 |
| SHA512 | 5684fc8e80b8b2bd189d259494b41a4fdfac47c480b302857044a240918c53d11f0c603acb28da514c107667b55b44c421fa2e73e96985d2914c95a7b63e3c1a |
C:\Users\Admin\AppData\Local\Temp\uQYq.exe
| MD5 | a726de534bea68df0f3bf4999d0a3822 |
| SHA1 | 657d397d10ed69437163fe8b8aa2bca6f792f3c7 |
| SHA256 | fa72a526836a1158dd4a47ebb4a73bf3c64fd60c7ad2ffe7338b09bd7dc8a00d |
| SHA512 | fc98761e7e96e9f905e478e80c88c9bf3ee4abd0c72b1d5af2fe8f567d9bc6e579c853407931e35621885c92a3ecc5e9b401b0f0b5cfdc6b15fac81f8cc6b208 |
C:\Users\Admin\AppData\Local\Temp\sQsU.exe
| MD5 | 8d9d601c3d6b58622577cdbdca733ab8 |
| SHA1 | f623b9db7e240b2544bb243829d85725feeaa473 |
| SHA256 | 65eff5917ac594ba8238d36e5e3e239264300cd57d40b6f611495fdf1b4f7b18 |
| SHA512 | a9e3c9eff3ab5ba37c61a3a22cb98859a44ad58b43715ba36b2fd25a58151a95399d2f62f050558dc7b45c452dc668aff99a36ce33e3ad50dc45045d93d1da8a |
C:\Users\Admin\AppData\Local\Temp\ioAe.exe
| MD5 | 2ab3dddc42b2937b6c29efd3ad97f760 |
| SHA1 | 59d5cf1e0af8e53fc31b2222e5bb30cdb03472a9 |
| SHA256 | c70504b40758c2ce94e450f8ab6c73b0f53b818a8ba1fa4c95531033bbf465b0 |
| SHA512 | 753bbc43566116e191cc533cf8bd58b0db18aef6d664b5a4dbe7ec89b24ba4d257be2b0436118b7f49b52167c8836b693d4ae069f68e62c0507d4e9b36ce4743 |
C:\Users\Admin\AppData\Local\Temp\yssI.exe
| MD5 | f51698183463b1ba30cc5ea4593313ec |
| SHA1 | 96cff76358e3720b3135c4c6b955de215d8f975a |
| SHA256 | a00db7d17be87b8f204dfad385e11dd64f8cf709476fdf0fb1b47c5860bf6d48 |
| SHA512 | c3e2772411b24c127a529e053cd3e17c46c8128ff7e93ef6602347c2361ebe7b70ebcd8902d5bbe11b745473201e24b891b092efa9a293364004037d612c2b3f |
C:\Users\Admin\AppData\Local\Temp\ScAs.exe
| MD5 | e14edefc88c66bb0ace72499544ce563 |
| SHA1 | 44cf54459561f92d62eaa5cb9ffcef1322eae5ec |
| SHA256 | 8aed382830848dfcdd5df2c267865c7160c7f7a44fdb5c175519ac1b854438b9 |
| SHA512 | e6f55a0e6a7fd221e8cbe2d604edf403d49b4a96acc8d005c93ce3f5ef08c24f0935edfa62abc56690aec285343e4e4c3e1a37b5e019329855b358456f398462 |
C:\Users\Admin\AppData\Local\Temp\zmkwEcIs.bat
| MD5 | 190f3127c5bf74d3b313edcb1b23a234 |
| SHA1 | 12e8a7f1d4e5b1b9f6e27afdbcdc8eb49f7a12f6 |
| SHA256 | 1229f2b2b76b1b33596ddf486cf4892c4e38308c529a3f8908684eac0e5837cf |
| SHA512 | 63e13096f1a6bb2c05bd2f1359799a30a59cd57fa11be2873f7286469a5e520a53f1d1c88fc8445a48ab770b796475c08c3fc197088fec1e88acbaf5c930bfca |
C:\Users\Admin\AppData\Local\Temp\qgEe.exe
| MD5 | 528cad9a8831633a2f15926fd2996101 |
| SHA1 | b74fc22614442c01a41bfb8eb717df07131e053e |
| SHA256 | 876a5a3ed4fbc79e21138acd367d96151074fa068d09ae1333a7d3bc2e82a5a4 |
| SHA512 | 122387fc505ba8d678767f03e257f87f88ad9a5c68d16b66f30f12d2c08f6609dd79e14c2912da7d725172f2d2efcfa8c342a95b04effd0b29506f7586d46d95 |
C:\Users\Admin\AppData\Local\Temp\cUcU.exe
| MD5 | d63d30d4fad9db626ff1b292cc7c1481 |
| SHA1 | 5e4240131dff776bb73dba85f318211f987e0214 |
| SHA256 | 35d7fcdd52d65a7ae2f287099dc1b0f32df3324b6aa0a67b4fc4fa29b239ae5e |
| SHA512 | 7c42563b6a417accb92f310d76b4800d2a5a80fca4482beb624890886b039d55b8211e41214e20e8e6dee82b51280237061d07c0696fac63fc368f815b51a8d2 |
C:\Users\Admin\AppData\Local\Temp\SosM.exe
| MD5 | 60b915db9e9b0978e2e7335f761dd21f |
| SHA1 | 60093a6b5a94e0749f8d8e9daa3fbf55b8b5f13d |
| SHA256 | 1920a2a25474d99fe7dbef488fdbf78ea759f512c8c9db1f09591072bdee43ac |
| SHA512 | 4c16350dc8d48bf0ebdac031b9d8d84626060244e2d9377927221bd670ab7542ccf8e784b051352ef8617e0c39c3905da886be8311fa5bd8fa62325a36b7d4e8 |
C:\Users\Admin\AppData\Local\Temp\WcQK.exe
| MD5 | aa2d227b6d5ac50ecffaa361803a7b55 |
| SHA1 | c69fe01b750f6638baede0b52e127f3f1ef8b9d7 |
| SHA256 | c490e9bb594f27b8e9eee20c7c6068ff6f3be345f8488aa0e3539a5056ff27a0 |
| SHA512 | 8251b4850cd21b1dc9e97c62db376758301d0dfd06590790eb28dae09bfd7d4abf3341f6274d4f155d05ed33d70ff1328c8ba20ec7b752faaa5832f5c8d02b9c |
C:\Users\Admin\AppData\Local\Temp\ywga.exe
| MD5 | 2e5c2aeabfc71ff1662570314ac9072e |
| SHA1 | 2cd1429e2a8a3507961f020d479209cc601f285a |
| SHA256 | 9ae7bcbec0d5ec9b6f4a9139b5331efb0622488815cc2420ae4586de7f09fad5 |
| SHA512 | 44c34ba3ee1ec733a2ee7d740b33f41ab1c92f42e579d907635e4bd1c02f506d7459e764dc78b96e39fc4444a5a5178d621566aacc86dca4985f6973459da54a |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe
| MD5 | a607db31afe45e1af49faba84026c76d |
| SHA1 | b0616e787f27fb11cff916aef2d3bc0263a76067 |
| SHA256 | 4e7f22e04fb8bb025f5a62ebd972586ed94568967f2b21322e42cc39b158a26c |
| SHA512 | c8f30c9a70534f2a2447dfb652e028ee035fccbb8991f255782bb6eb5b7614502645f05e95b859c5764b02d13b70788b7e7c3e12279b72ab8958116e18af5a92 |
C:\Users\Admin\AppData\Local\Temp\eIoG.exe
| MD5 | 5736e0b08d4248acd0a7ae2302e892a7 |
| SHA1 | 97014f47f8fe1c6df0aaf875e38c8f5d40df7cbf |
| SHA256 | c9b93f61cf87b10d9f478dcc8aabd59b8324f980444714e7fe284560643467a8 |
| SHA512 | 91604f78b2598c4a69df6e0e8c565aee6f0788ba518436752c963ea1572e46e9c3026c391cb05187693d325dd13a8328646182be2f79a970b7d3d75a8a7bf626 |
C:\Users\Admin\AppData\Local\Temp\CQMUEYsE.bat
| MD5 | d2710648565f339496daf92d3b08f870 |
| SHA1 | b3b69b1f744cbf891860686c6baac768c6b9c44b |
| SHA256 | 8e305a5e300aad62cfa5035205916080d6761d29985f871e690752ba7f5dfb72 |
| SHA512 | a879503f365cc1be144a4dc0bb0bf15fdd1c38e8ea50f07d8a269b393005f0cef961a7e4a5f1bbe5ec069ecde7a9236c49fd216eb065b960b4397f2321124d8b |
C:\Users\Admin\AppData\Local\Temp\wUsw.exe
| MD5 | 68f0e8c90e573a76861a43d235a94718 |
| SHA1 | 492ae2c94faa82dd3940c1ed9571bc9dfdb0be74 |
| SHA256 | 6d946839173e99814233c018c6e5253eb6cc204eb32d95319ce990eaf34814da |
| SHA512 | 10b02dd171d5b493195377f0c50c86528f3cb34bba3e429cb4ac22790a27b680c881903ca0142bb653f285e95c40c1343f039a17f47e9e8660de83a055cb94f0 |
C:\Users\Admin\AppData\Local\Temp\wooM.exe
| MD5 | acd49e3c95a673b44274b342a7c5cbe4 |
| SHA1 | e4fbd489db20c629192cb01ad9efbb9e35b4abe4 |
| SHA256 | f3d6774a3dacc3d680e232d40c3c21d3694e10155197195de1ca3d528ce91b27 |
| SHA512 | 537ed6be02ab4e09a06d97d2a9f345107e982100e4ba853529ad28d88b10bf3ea93eec683127a43803ba730d693ddec990c23b6d2d0fe62d36745e1a1174e765 |
C:\Users\Admin\AppData\Local\Temp\gcAs.exe
| MD5 | 75228084cc2fcf3a4406ecbb8f4b35e7 |
| SHA1 | 320cda46ce2e6e8172f985773293cffe9fb20641 |
| SHA256 | 09b1e41e2c5f1dd98220c30d2441d5b3a427f0fb7400e10e871f830e4ff82c3a |
| SHA512 | afe97e66587fefd3181bc9364a16672b416c7b2b86355702d7aca7529a4982598377218711de401ae276922233391eae9a79112e98c3a3da79f111885d2cb516 |
C:\Users\Admin\AppData\Local\Temp\EwoE.exe
| MD5 | 8b9fc46eff3e2853c0d33b7ea5abf25b |
| SHA1 | 6641bef83fc8043ed2e449f00ac9bc6b9f229fc2 |
| SHA256 | ea8eae655b09b1edb2f90a6cc6386a75b65e49bc5af5d5d10fb6a5868736ad2f |
| SHA512 | 97824bcdbc3cf04b1ba9180aaca00bd5b4de4e65b7eaee19f6fd4398c43817a3facc4d3fc7e68affefc8c09ff9c1ee7e2cc621f3a008ae27e262f8ceb12df6e2 |
C:\Users\Admin\AppData\Local\Temp\iIQYYAQw.bat
| MD5 | 0aaca241ac99c0c0d2c19f92b8e4d7f1 |
| SHA1 | 71386ae0925ae3df61777e72151463824ef71093 |
| SHA256 | d2bd9e823aa14ffb8776e624e65f90872da71487d148b6cf87124bfa061ec8cb |
| SHA512 | eab724ea9108e2fb3730280dd5d761c8e97933e03016f4d6f4676f40373ba705f6745c3f9efad908db6fa41c0d2190d7aa75e49f45cc0fa393139c51a8047a0b |
C:\Users\Admin\AppData\Local\Temp\EUQa.exe
| MD5 | 038eee330475f5e5fbcec74675e4966b |
| SHA1 | e5421d18e0b8482ac997a557cbb17538a8dcf769 |
| SHA256 | f0abc4f6cbd2a0498e46804a1a82c91d2e34eaf018668a306f7a8814384ed306 |
| SHA512 | 386b92bbdf9425718e04eca466b6e22bbb146a66c7c878e0fead4570ca2aac18fe86f6e927564d5cecc0187f9f00b6a077e26f06faf53c4fa9f5d70e937d6877 |
C:\Users\Admin\AppData\Local\Temp\kAEi.exe
| MD5 | 1aeecad607dd2d514403abb0550d59b1 |
| SHA1 | 6282020547d963882b7cf50b38568938c39e94ee |
| SHA256 | 4aa00ae0c271a6bcfe0b62849ffda32d8da869dc29628ca4c7fd6e279447c1bd |
| SHA512 | 72639b419ebc5c46e81765726e7302ebb06ba1ef34666b003592300f1cc6831e0c56d6826f3a03f174bb683aea57ddc59f36963a08019ef457b39dd4c747842c |
C:\Users\Admin\AppData\Local\Temp\GAca.exe
| MD5 | c22fc6042013b97fd5d59e292fa5f6ed |
| SHA1 | 3a25387eb454aa19b3bf0d106b6d90700dae565a |
| SHA256 | aebe1ee5a242c99598892667c47b96e0e363a6516ff1bc17376a165b40cfcb41 |
| SHA512 | 6d28fb5c6a1664ae2ec83d2733e87cad410dd6bebda3ce8fe9773343e0fff891c246efcf1ad70db39a5d55d17d9a50f89bd6b232d705718c8e66f4645e4707e5 |
C:\Users\Admin\AppData\Local\Temp\aYwq.exe
| MD5 | c3deb72c2fd5722190026b35ab22b7bf |
| SHA1 | ae8dda081af881c45216aab722c29d52199c567d |
| SHA256 | 44228ee4a62670d75deac89b21d722c5fed148d32a2d7575e44918f2d45a79e8 |
| SHA512 | 60b30aaaadf93eb3272f42c2880a34d93399bcc2d4b9b612b0aab51b19443a98fdbb3a6facf034dd60be08bcf24df8b213f9f1c9aeb666d9830406317054a58a |
C:\Users\Admin\AppData\Local\Temp\UUoq.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\Oksg.exe
| MD5 | a92ae78f2bc5857966dc8fc5339cb93a |
| SHA1 | 7bddc4f88416ccec13d30246bd4c585652db59f7 |
| SHA256 | 124cda5da322d957ceb712f5bf5ffaa95fb9518db49468c8272689c4558091d5 |
| SHA512 | 5d21843a2f35414abeb7b49afde0a7d52dfc30fb7826e46ba1800afacaf155b52c29d2ecb1be0c7e06c012ae208e67d8ff1fa44883362d1ab2af37c203c3f929 |
C:\Users\Admin\AppData\Local\Temp\GOggQsQA.bat
| MD5 | 88213580f8af36b97e7f6e4d94abc2d1 |
| SHA1 | 7ffdbc7eed7d247e3bd291ec30247b0fa6ab1a17 |
| SHA256 | 411628fc42bc999c42023f9fa672616683e44aaad94da350c5ea0517dada7161 |
| SHA512 | a3bbd47024615038057af8debfa267ff43d18f37c2c47c4dec4cc7245b0dac398d0752e512c91d9920827bf24c9062ea0880905a86ae162c3375a6c7c6897af0 |
C:\Users\Admin\AppData\Local\Temp\oEAi.exe
| MD5 | d13edb901459c0117ebc608dde421368 |
| SHA1 | c1c40c007a15b67a368391e99b960775dbfd5be0 |
| SHA256 | 35957acad9053e6693fcea30ecf7e3235a23865fc402fd3d6b659b9125d61d1a |
| SHA512 | 9ead01064a9f085262ae0f78c2819ddebf35e9637d8fa6a8ce1c2dbeba3f4409ac64af0947ed218edeee59f53d2a37b9bfaf6652347a250b3f715e3a387d616a |
C:\Users\Admin\AppData\Local\Temp\yIAu.exe
| MD5 | be9d46c9e7f997b62a84ae7ab5385d9a |
| SHA1 | 90c6db0b81970ce008a7fba3458f19ebe1c108f0 |
| SHA256 | 0e66bb535a8f71bb98c8f1927578f547887052acd8f16f1aa34723ddf0aebb8a |
| SHA512 | fbae9bf2d587ebb2111d2544dbe2c8878a0fab8f29cf0c4812fdaf25d1c39f3c92db4ca8c2af9e3bece2ec687bdf1271d339cc9f8f4cfaf67bc05e6379661632 |
C:\Users\Admin\AppData\Local\Temp\woUe.exe
| MD5 | c3970685b236948312a36c615023aa60 |
| SHA1 | c672c0b9ea7b4a405a141f419e276ac8548153ae |
| SHA256 | b35515953655c0caac260e7300ae29a56644a315dae557687e13b68eea683753 |
| SHA512 | 7119f3c08142c17dc19997f2b881a84f642b2df1901c559b07f5cb7a4fcdbc4c5c95c8e165f55cbfe85bc0c0511ea7803fbb8f97839fa7b25d6bdfc364d6057c |
C:\Users\Admin\AppData\Local\Temp\AgEsUwEA.bat
| MD5 | 76dc2ac55fede72125eb1ecd416431ec |
| SHA1 | be418e23c1e6ce39f909846f89ed9374496a0978 |
| SHA256 | 3c0c35097cb92270519fb2c71d53ee8e61982f7c1dcadf91a3456513277fed64 |
| SHA512 | 8cce53dab0fd154fdedd5b6ce24d751bde13c60e2c94b345f1dff695fa3bf7358d9ccb1cef6c219bc829d16eb58537496691218d2069c42ee22b4b6fa062b82c |
C:\Users\Admin\AppData\Local\Temp\viQcQUgA.bat
| MD5 | b31385b705229963b28417aae9aecf7c |
| SHA1 | 59f8c3fcaa2a189dcd88d157210a51b885199a7b |
| SHA256 | 9f90c54ecdbf98f6cc8601ebd943de92e7fd09737475fed05efe7d573292df95 |
| SHA512 | b8226e23a063a0a9f16a87354b7b5bdceee7bb28ec2fb33e6ea8bce7e8db92c36e08bb2c76d4a6c7afb4c66ed6a8ad17e4dd7f7f9b7efa983dd445df33b2b2e4 |
C:\Users\Admin\AppData\Local\Temp\dswgYUME.bat
| MD5 | 64f4aae88031327f5d2d5332b638d24b |
| SHA1 | 469bcd7a0cb9daacb9bc44e91d8e1cfb32f3fc83 |
| SHA256 | 8dba669361772705c28ed92d6b73f316b379547d40c8744e214937e927d77144 |
| SHA512 | 0bf3274ecdf9c4d928e60c06ae6fbf0b4e4be7f54c35c7c5583c5cd98fc09b7a4229a80350e7d1f1542fe5b89a0df178b81faeb416d543e3779b10f2077b865b |
C:\Users\Admin\AppData\Local\Temp\jUAsUAUU.bat
| MD5 | 52a0aa1dbcb5b6af2bd13bf7f44ea4bf |
| SHA1 | b0085d288496276b8b40f994993767aff1c9cff2 |
| SHA256 | 76d73c5fd4ccb981e3a00de086262216367a8e16e5f5ee4930a7ed1d42b8dab7 |
| SHA512 | 44e56a2b9ea504dbc4526d12242f509ba5f89b9f1a08c330686475e47173322380c589722daec2674915480d3782aa996abea3ac2a3c6afe4777dc540ed2103e |
C:\Users\Admin\AppData\Local\Temp\RCAkAwMg.bat
| MD5 | 7076ea1286856575ab8857857a64ea27 |
| SHA1 | 3d706640cbbaf71479562f1388ffbc26d2b3d20b |
| SHA256 | 3417767e2d0f4750aa7faf53bd5c01dab0564867cb612791efe484f7b2af8d11 |
| SHA512 | c4a2bb9263242ca52e70b54d3b1d265c021838ac95e118ffb623fa226ef6d417536a5d684111773df7a0a0949df521c769504db2a9b943481582d249097c9391 |
C:\Users\Admin\AppData\Local\Temp\VqUAIgEE.bat
| MD5 | 0592b016eb47a9d2d11737b44d8e8fca |
| SHA1 | 710b09bac07a40e463132371c1910ef808e01696 |
| SHA256 | e873557da68e1dd4bb52fb7a462f5422fbdfa873bce73c77636d4eafc5bf1909 |
| SHA512 | 229c4ae828e7637ddcff9bfaaa8f42f95af2e5e47438eb1dcb7dad64d8a3e960e3ac50acb70dff3fa530d083577d52c7cf45d99d4fefdf6a9db18d7592e83ae9 |
C:\Users\Admin\AppData\Local\Temp\mCEcYcgs.bat
| MD5 | 981e445bccbfc7950d31891ec10aef8d |
| SHA1 | 66a2756f1a938020269c5450f07b4194d30c5c8a |
| SHA256 | e14d7cda5b3f1672554e7b66e9b230314f3f2a92d28d146f5e7937e350685738 |
| SHA512 | f347bdd505ada59263087cc13891eccd84622076726a5a78b23802bb5c04a3eb9f2e90ba9a6b1a4e108c244036893c601722431cdabfc8e5033d6c924e94104e |
C:\Users\Admin\AppData\Local\Temp\YgoAYAMc.bat
| MD5 | a22ac19f32782cbfd67ab7d6f750d82c |
| SHA1 | d3dff88f0f5da985978d09dd786836be2d420620 |
| SHA256 | b1c34d03303d9c9adac7dbf3993a246b265818d42a325e1078b7b981f5dd51a7 |
| SHA512 | 222dd4a2f72188476157336105da69c2fb12519878957dbbc31f517930f1063c19213cab9c0e029072c8463409fb39ccd22eac978d5fc16e7488ea26de895273 |
C:\Users\Admin\AppData\Local\Temp\KGAQgMwg.bat
| MD5 | 1842db709d57aec03a0e262931108e24 |
| SHA1 | 079452f91c9f4e62c4e71478a8669f22319711f2 |
| SHA256 | 8b1f9c670988c5090b1a7e2a69a4e364de960e2e63111324f920dde0718b9a6b |
| SHA512 | d17dbdbe75631a84bc70ec7214073f09737f17f048471234f69273adf69c525f5d776f43f7ed1036537cda22476c0bffb7b1191c48cea8d7cc00fb423009787a |
C:\Users\Admin\AppData\Local\Temp\yssoQIcY.bat
| MD5 | 27515fac29ded756b0623063ab41a434 |
| SHA1 | 73d866779e7ca291db2de88ae2d6b89e62277e1f |
| SHA256 | 466b0ff1afc5941e1c6afe91633f0dedc7f704514a1676c4abaa133da61a6ece |
| SHA512 | d268b268bb2b1f39adcd6ebc91179703d2deb91ba2e0b7356246713b831c556c00f64a833162a7917137edb3ff5389fda11b18e68271db7f07f341c38e7bc916 |
C:\Users\Admin\AppData\Local\Temp\biIEoEMQ.bat
| MD5 | 647868f659ddae0deb2bfbea3a9b48e7 |
| SHA1 | 6fe40b265532585d1834657472bc7e3eb62b8093 |
| SHA256 | 062b8d14088a1144627082a04174d21608d89dbe56978eb97c18e092f69348d9 |
| SHA512 | 138ea2244732c3f88efcdf08fcc94efa982778f1d9e1f03c899b6e585beabee98bf95addfb7fbdc4f489070ebc5b4cd4ee71718811fb4f6649d5182b1f687a1f |
C:\Users\Admin\AppData\Local\Temp\vssskskk.bat
| MD5 | 1c85dce97938f4d5d3b1d88bf7565978 |
| SHA1 | 93d3250d2f3469915dc2c953eec7953f4d700cc7 |
| SHA256 | aeff7cd5920e49d6744f87335e03eb59d6eb4d180c4777764fe1fa57f2ebeec4 |
| SHA512 | 43a0c41db63e1685089887f7d06a1a45f63254d3de3963a9c407c0ddc1b2cae3ce11d5217bab68daabde768f810a164d070398b309cbf504271f0fd7b9582447 |
C:\Users\Admin\AppData\Local\Temp\WkAE.exe
| MD5 | f5af5a126d6c1d0453f3bd493d347f06 |
| SHA1 | c6941bf05fdf351151220fb7dba7a3e6bb329172 |
| SHA256 | 9fd1c3585d96c3073320b26f1837dd93df4142655d0e903aa26f7c9fc00c3c03 |
| SHA512 | e7160699e91f9e10e647771db88e16c98054dac622ac8f0494df581f63db0cd7965c5934fd59f1d9b60552c32fd3463b162ecf596ebd72b6cb5a6a1b37ddd80f |
C:\Users\Admin\AppData\Local\Temp\WcYk.exe
| MD5 | 3d32c3b13e4981f290072fe65a25dcb5 |
| SHA1 | 820beaf1a717a838ce6f96983a09b41409059788 |
| SHA256 | d7fa5be40a3b83b11af16c75aa68ef1ec58a5d81395b9bf144daf7c2208dadde |
| SHA512 | 9cf65d997474301637e306463ae0bc81abbf37591823d8dfea0f690425aeeecc4972bcf3a902427938f676ff7b9b9efbe61ed0bfca039d0921f8aedc2b252fc9 |
C:\Users\Admin\AppData\Local\Temp\UMwQ.exe
| MD5 | c86dde5b75e38935f51398059b54cb9a |
| SHA1 | 44326d923378f6088940ee8c03597fd29c7eb2fb |
| SHA256 | 656804cd148d5f91c101eaa9b0441c78b73751802203107ab5481c357a2270ed |
| SHA512 | 5a052d1f07c92b6d52845ceebb14d98c2f56a1605bcb82b00cf15c99f1d5579bdcd409830c43c2702d1585493cbf868b4794ff107f7430e00ebfa2ad17ba8b87 |
C:\Users\Admin\AppData\Local\Temp\gssE.exe
| MD5 | f90c156cce69e152364db69744c48b01 |
| SHA1 | 2cf84d156a71b50ec041e3f16c46626805c8c9df |
| SHA256 | c4a77587744551c0ce9edd84e76c35d8fd9ddf040873bc23607d6df216339d55 |
| SHA512 | 344b108bf17d65f0880240b520a8d1196693b9f7e37f0eb62ea78b1fd154c2e69f2d6d1ffcd93c6fc2e45c14b579eb99d372ba2ecc735b81a369298f5566dd46 |
C:\Users\Admin\AppData\Local\Temp\tCEsEQsI.bat
| MD5 | 2d484eb5af7a49d6724afd2f48081d3e |
| SHA1 | dee03b08faf829dcae7c7918d232cf16ceab8fc2 |
| SHA256 | c550710a57f6c91f0a252ca599cf564c108c75c5ebbcfdb32262dfcc031df996 |
| SHA512 | 90dfd0a4d2640fa704a68e492460c029b2fa33709f84749dfaba1ea52d55c3be74aa9213e1e5cb96e9d873865125a1356148e299a0b66c3f263b27402ca509ad |
C:\Users\Admin\AppData\Local\Temp\EgwK.exe
| MD5 | c68f3c759c1908902061ff81d9be7fd7 |
| SHA1 | e97cf7b2507e6733d3af1be01d02d59710740740 |
| SHA256 | af6eed4294e3b83d38cf49ef63992d021f849781d7fc057abfec94c23eb56718 |
| SHA512 | fec3a76cf3c43dff10c11cbc2b1fcdeaa593d038690529499ab2f78f9eefd4e261edecd332750bd6acd412b6cdeb07c87a0d40b4dbbb7b41575c5bfdf0105f35 |
C:\Users\Admin\AppData\Local\Temp\IcgS.exe
| MD5 | b2fefcc6f6465a659bf5b746f04bf057 |
| SHA1 | 8fc6681ea70d2a44a9c8bc60726aee805fc667ae |
| SHA256 | ad2256277930593599d784bb6f5816da1683f33e404dd81658d5a70493ef4611 |
| SHA512 | 373d504504eaddbeba6fc4fd40a51e67f3e36e846d0a4fd81de678c3cf1b029eab0e87665bbab65d62a928aaee0898fe22c432133a70426105d167134535eb5d |
C:\Users\Admin\AppData\Local\Temp\mgwU.exe
| MD5 | e644f2b89543442344f10f3b90f4d085 |
| SHA1 | 819f73fcbda643f888f616a027d274b4236151b5 |
| SHA256 | 75554ea643e91f6fbf84b17349ded512b5c6dede6fe8b2e54b7ff907f0bfb366 |
| SHA512 | 84397c4c59e487847148ec4b3b9fb4e6953ebdd70b960570ddc88c0d48d15379c8452826c054ed1682de0d7cd16b44cef64309cd832bee313b0bc6b327650538 |
C:\Users\Admin\AppData\Local\Temp\ookg.exe
| MD5 | fc47ea1c372b9e5aebed85ecfd4c48c7 |
| SHA1 | d662518ae0a220f50fc5eeafecccdbd5c9477ca6 |
| SHA256 | 95717d57c6b3f13d06b40292ac497ac79cc1d252abe9ba853a629e51814ca85a |
| SHA512 | 45c28fd718543160b448ea76e87a9b4a4ac1604a264d483e809f2df8a06e99bc8beae21b1422bc33cfaf26c3896e3175b751891e277e9f2e3e632faf0860c490 |
C:\Users\Admin\AppData\Local\Temp\sQgm.exe
| MD5 | b75dadb073ebfcc9f3d061ef7ac38012 |
| SHA1 | 355852b4d2d8970516107cb17f03c3480fe8bb0e |
| SHA256 | a37e4a1f13c923bb9ba7d69ff31863c05f62cbd7414d396e588ef2378f17ca2e |
| SHA512 | e59f406f1b1163b014efaebceb65b8e00c3dd1f77dc0f900da4f1fd4c52ac1fc3463c0220465e2d37eed0036b1e417dbdbb22d2046adcecd6c2aa379b31f6c3c |
C:\Users\Admin\AppData\Local\Temp\soAs.exe
| MD5 | d6591e05b4506e13572c4b4032b0621b |
| SHA1 | 4d8394de14c7cb8a2f89bbe04ae8703af2af492c |
| SHA256 | 1074b379a03b85b28d89ef0f7c8fbffcefa6cdfeea9c7380ed074da58f469683 |
| SHA512 | e74b2b758c2862684a3a754e8f6e05a67b02a4a086d6518fea6f1c8df69556bc4ce9cda7b128188d54a2290a80039ca27c6dac613acbb54ec5a84e4b13a5b926 |
C:\Users\Admin\AppData\Local\Temp\GgIU.exe
| MD5 | 00cf1718b8299740dfeffc032d7b5f4c |
| SHA1 | 317f39213a6aa5616754edfd96594df579d0f01d |
| SHA256 | 43ca23edcd80efb8ebe19ba72eb000fd6b7c11b071402260f50c78cf389c612b |
| SHA512 | 05d5aee47c1bf5245b51da42a32ce1af865ecad404527f733b888feb225e10cb541ccd28766eb3c1bfc73a9e015d726f64d1ed803b92e517c74f95d72d8f40ad |
C:\Users\Admin\AppData\Local\Temp\LqMcIQQI.bat
| MD5 | b1ea0c46108885c162d43877dd774c96 |
| SHA1 | e55f14dc57b79ec4500a1381f401ff3a01b3ccc2 |
| SHA256 | 644926085604140087263af53139b3b14a348e751bf97784eeb49bbbb0fb1f03 |
| SHA512 | 35894682e7a0c83ab4c81b891df429d78f576651802ca1e3fd09ab065a81b6882ca590cd30135aa775ad8c72b677a1b3839f8f7da1bad583c3bdc471dad61d19 |
C:\Users\Admin\AppData\Local\Temp\aEsq.exe
| MD5 | ce64671fb1c510d9bbf3817d00581c87 |
| SHA1 | 3b385be1f2b1ebfdc44ba1e925c6ecf340b3866c |
| SHA256 | d26ca926347b2591e0904395c293a2052de9765a23af9c9b983d20fe1b9af7a7 |
| SHA512 | 1a66858a35ea2550837848fca19bf2b97095bbe0a07f551f3e59a5ade8e2fabc81b8722c46d084b0e6246620ba661c2f484e4b8e8592a2a310ccf88cb91bb59e |
C:\Users\Admin\AppData\Local\Temp\gcga.exe
| MD5 | 55b4bda6e8b69fbb53d00a7792ca02b0 |
| SHA1 | 850210be76b6ec06ed477dfe3be9b53943d29362 |
| SHA256 | 1f6de4ed772d977335ee94a9fbecf516f5523d83a6f11688c14543f29b4d008f |
| SHA512 | c3b3406645fa20b3be49eb196a353093cfb0c078819fa2570e1ada5a4fdbcffcfb4523622f0e56c2a76ebc0eb10c496b0c02327d6e08e2adf43250dba226dc47 |
C:\Users\Admin\AppData\Local\Temp\qcUW.exe
| MD5 | afedc6b7352b2032cc7c71f95bd2750c |
| SHA1 | d12772002a9668d96acd9208e5a7d4e67e5138f7 |
| SHA256 | 3235122c7f42c12ae105e9bfe7b9e12c2985eca25c21cf89ca29a6064dc3ff67 |
| SHA512 | e66a1c0c144ad092d587387a9f8d3a46fbdd3fe18c534a3807bacb86f2ee0ff36ae11cbe954d9402bb32052461ba5c835aaf5a5d8b659dd427810b34ec172fed |
C:\Users\Admin\AppData\Local\Temp\oogC.exe
| MD5 | 31d75d92807b4f62d560f46c9a7f1375 |
| SHA1 | 50969ae4aaec1a5b80c643e724bfda9b765e0048 |
| SHA256 | 68c685e5c44e8d09085199d8f5e38d43656ffe262fef40fc5c734a1f342b2709 |
| SHA512 | e33d280d74790af4273921311b633051fe415c8c5de441f4aff9c964b9ee3f3d43a73fd63a0529276cfe920befa8a6d51c6dba1a868a9b6a52d45a9e4e643783 |
C:\Users\Admin\AppData\Local\Temp\aGYAAkwk.bat
| MD5 | 64746d324981851c06965f3e67bfe933 |
| SHA1 | 6204ba6183a1f08dcb63c3e926662efc01df0665 |
| SHA256 | 2209cd48d3a7544f3420ab68f5c0a6aa71c21059cfc52ef1caacb8b8f23d388d |
| SHA512 | 94278b0243f1b35cd15bd24ec5e2e6bfaead6dfc24633564a0f7eac4849001bb705b6e0c1dea1f0f42c5c6a578b157e30eecea387da2a53a68bd1d9e3d828f0f |
C:\Users\Admin\AppData\Local\Temp\IQoI.exe
| MD5 | bb5efebfea66dc14fd1f3435dfb053cd |
| SHA1 | 481d1a4a1f1b266c4102b6b66b0ef331ee76ef07 |
| SHA256 | 99ff7a08af463ba6ce28f2b6c158b1b03ac137adf8407375a3a076954a55f7a7 |
| SHA512 | 95678d73caf794a2ad1466b15cd791148e0463d36dd490ea1f30c7e6f8093c5a5a518f3b4f8843cd145fe45305d79d3f91e4fad1d2c805faf82f7b6185c5497c |
C:\Users\Admin\AppData\Local\Temp\uAIQ.exe
| MD5 | cbf3fdb5cbf83b5506d96ea147133eaf |
| SHA1 | cbf642687aca267dc09661c9e2be399d785274f4 |
| SHA256 | 5014985c8ecd0fa022fd60870a3340600415ac879516d2a8b50125a42ac15ddf |
| SHA512 | 1707c83ba4045674da2ebda1afcfb040579761fbfa70c8d4a931de161d31e7bf761b47a1568c82ff9181c5b338517b0f4deff7d1e3e23954ceca19c7b116ad60 |
C:\Users\Admin\AppData\Local\Temp\SYoc.exe
| MD5 | 626a25114fb420208ee24b736b915da5 |
| SHA1 | d56c59d94587664019a2f09d4888f3e81f7765d5 |
| SHA256 | 16cd821d5c263ccf6fc71e97b52728617b0029805ff5a118b0dec8d7405f5526 |
| SHA512 | 8a9f09375bb1d535523d22ff8e24cbd7c067b7af268718f06136568c916599d4f7df017699aa6ea444367237c22198e79cb5b7888ba85891725a904bcba6be41 |
C:\Users\Admin\AppData\Local\Temp\EUwYMcAY.bat
| MD5 | a20c978bba7cf80c52da463edeae7ec2 |
| SHA1 | 63124e0a4a0631bbc902869364cf6c1ba3160010 |
| SHA256 | 4343f2035e0a4f2ff23a29b68bf6f5ccd4f9bdc54118b0590996e39e1ba524e3 |
| SHA512 | b1757be01fe3946f209210841d55eb51a23eedbe1e6a2061733e4df1a7364ebc2cc0d85a668b26e1cd7b319c15143ec5291ca09967e4fa2dc809acaeffebd82d |
C:\Users\Admin\AppData\Local\Temp\KwAk.exe
| MD5 | 118506c35bed71edffaaa68a3e897ed7 |
| SHA1 | 233dfe1dd2e06bbab3329efbf090636dec3d3686 |
| SHA256 | 0bd15dd871b3aaedfe26a6eb85935a301d149ff481ff3bd575b45a2b3f87f9ab |
| SHA512 | 90a018f192be1b91aabd4bf5e40e40fb5a89a7d9caf4fa87f37a5f997e39bf65ad76ed60387635dbaac61f554507b0f4f68b25884b5bcfe6b0156aa6800c2d8b |
C:\Users\Admin\AppData\Local\Temp\sowk.exe
| MD5 | ba0aba832ee99e99f99f6b526b19bb9a |
| SHA1 | 9de4412beb6c1c6495d93aa5d6444835c8421c0c |
| SHA256 | d64482cc133db67e0f2d4b893da61034327f92ee3bfb8862bb08a673535ef44f |
| SHA512 | fb4c8bd5825017be71ff43066ab409cdae172ca580a9c088d77003508b2e51d64103d07c26b239547f9c3b43a5330a973ae99c236d60fb04d529c868baf45faf |
C:\Users\Admin\AppData\Local\Temp\ssYU.exe
| MD5 | 72afcf71aa9025221f2e962cebb6c40b |
| SHA1 | 0e7e1c22d0c3c0f5aa93f3b26c5f0aa5e1fb6154 |
| SHA256 | cec1c7f31099212fe1a4221ff677865e1382811152613582d6b82eb20af17372 |
| SHA512 | 9ea7052d7b4639cbab812732d36a11bbac93d2b477fa97c78ca89e7bba3bb21d0c4462d3a479b99cd8754f2716e90ac9a9b660437a343478aaaba180084178d3 |
C:\Users\Admin\AppData\Local\Temp\Agki.exe
| MD5 | d3a7acb4d18a72c446847a313056e9d6 |
| SHA1 | c0536f3bc04e8d1af9f77a4b7973389e3a9a28da |
| SHA256 | f25246936bf424e50f037e72e2949c74cd7bf5c0154dab208a8c0db1384de86c |
| SHA512 | f7a965e127bf6e43410cd8936963eb32bb6e3c9b54b14212995474ae8df794d9767596f804fca580d34572bf90f8d77f0d3ccb4f9cd66941c804cd1531bfbd20 |
C:\Users\Admin\AppData\Local\Temp\SowAQIkU.bat
| MD5 | 6a440e8ff8ed93371f35bc0dce63d6ef |
| SHA1 | 29bac4c03ee9fb388e27b32ffdad02aff5e70589 |
| SHA256 | 3b328d5abf0a5f7091337edba7165d9f0aa0bb7bad2a7feb8e987f34fa67a6c1 |
| SHA512 | 86956e24ca925c469487351ea4aad5252aed27803612418500311270bd322dfa5bac3a73c4c36231516a99d2331e5dc526e5a26cb567a62fc8e3a7d046a225be |
C:\Users\Admin\AppData\Local\Temp\GYQk.exe
| MD5 | 759e475508cb368a97cb7b137cfbe0ae |
| SHA1 | a31e598cd7973118fabf36f32317a37077466f3f |
| SHA256 | 540dff06bc1fa346ac5a4575064e3c34406d7f9e13edcc506c7651995873f515 |
| SHA512 | b856e9c7ae0a77cfe64e68158c9a7dac5720ef6c8db198ede3aa54d93e3a48d972e338de114dc3f132a0e7e6863bad45b4a376d07884b6452166372e1d732b3d |
C:\Users\Admin\AppData\Local\Temp\qukEsgUQ.bat
| MD5 | 4b91b9ca0c57d6c707692d4154e1ffb2 |
| SHA1 | 5240cb7e52239800b726fdcdd223e38f0ea03c8c |
| SHA256 | 78fea6bf14160d564cc809aea140cfccbf26c4c4106e6ababc2227a33dc5821a |
| SHA512 | 050d440c609ea90528b74998a45b85541d51b771407a5750a2f7b119d7a0309ea70e56f666926b8525ea437dc5ee66c1227093e5bf6fd58b8c57dc913c7cb56b |
C:\Users\Admin\AppData\Local\Temp\AwIY.exe
| MD5 | 2a74e45f3b09807d6f43bd63dc50e982 |
| SHA1 | d41ac7a7f7d82bab901aa56fe8ccb97e41edbc22 |
| SHA256 | b472af37db4f93fcd0cbc3e42f70bc6e728588f17848e7f513ef3394d0f1b00b |
| SHA512 | 56e6b0b17e560de0b7102e086204bed5d312fb8ad5cc05eb93c776d6f08963737d2b68eb580703d8314c2381fdbea487d09a526d94790b10f0cc1529ab1f69a8 |
C:\Users\Admin\AppData\Local\Temp\qEIe.exe
| MD5 | de4701e848c2e7a721d7bd998d909189 |
| SHA1 | 3e91d83587d63801c770cf340f3b5f257111d6b7 |
| SHA256 | 8160e4d7424a96f5323418feb52d07a007dc078ef42969e6574333bffdb09da7 |
| SHA512 | aec19383a4797967c5cbb6dff56896797289627771ef26da0b3abaf4ec0411505ca31f59e9faf72f38d66fa5c877a727309f74fd3bb894eab0787b7071b95493 |
C:\Users\Admin\AppData\Local\Temp\HQEgAksQ.bat
| MD5 | d3bf4f6924fbb84f14be3ba68da32b16 |
| SHA1 | 851d519f55f7ee4edb600908f5e19f2d57b1ea08 |
| SHA256 | aedba9a9ca7b4d5930fd1a2a05c9958ffbb352898a4797627b232a869546a783 |
| SHA512 | ebec677855f2f9937c85b17ba99b009a4701f1a07a6fcd353c1ad4f29ed805551663885c0a002813848451d7350f89ef93b28edad4ed31d2b042173aaca2ff20 |
C:\Users\Admin\AppData\Roaming\StartPush.jpg.exe
| MD5 | e80183b0ae185a29f504db32e019a0e4 |
| SHA1 | bcad87eb5a13f274b57810233ec3156c3e5c90cf |
| SHA256 | 25097f86fad4725ab31cb6c9d47f0c10d56d8c16e0cc783ca59f3c502fba5d3c |
| SHA512 | 3036db1096c1d6fb5e119a24b30614ad6166952457be2429f7e3c2798feb4c76d489cdaee06dd76b41292470f35bcb0d2550ff670e06bd7d14361fc49dd35d57 |
C:\Users\Admin\AppData\Local\Temp\ywIQ.exe
| MD5 | 94d154c6fae563cfe169f46b78a86ebb |
| SHA1 | d7e4aec79fc3e749f600fbece8d67d6a2a66a437 |
| SHA256 | eeefa760bea421a528608649672d1f6a05027fd0f89f16af1fc2e6eeaa19c597 |
| SHA512 | 3d4fc8ab8146fcc8e1415329e7bdce98fecb16ebb7fbd579e987d1a54f839734ee8d4b1101197eb94ff3ae398e14530a8dbf248b03fc33e2f09d400537da5c71 |
C:\Users\Admin\AppData\Local\Temp\WYoS.exe
| MD5 | be71a78cf4f69db7a35e4c9da8420f1e |
| SHA1 | 291ba9ec0c5e10d8762cdefedf7aa3d421dc2be4 |
| SHA256 | 02279506be335a5e3b2c0e74b8ac90730fc03e0eada7aa819c2fb09b8a340abd |
| SHA512 | 170e3137c9cd2bae002a137ffed1b86879820d5ae88f1a17f70f611a439a9d45b24b8d63bd86490f18f078f13404abc1faccf6d5275bbec83b06ae1d395568d6 |
C:\Users\Admin\AppData\Local\Temp\pGUskUsQ.bat
| MD5 | 9c42e2b777182af2b9b9b4af8b2e7bf1 |
| SHA1 | 85d48c097fb30d0f825e91ca64da8bc581c383dd |
| SHA256 | c8187cf3d10ac1348d725690a7aef6641529ec843edd5908e9af857edf60d1b7 |
| SHA512 | fdb01185c41f7852c362c6d7c487527d00f732ab5091b2d4e11bb8428aa61eeea7ad8eea9d7b81862c60406d4b84935735d3ce44a3e899e5956f44643cd41b45 |
C:\Users\Admin\AppData\Local\Temp\UcwI.exe
| MD5 | a91bf072d9f86b86b672240db4b84865 |
| SHA1 | 8efeafdb0838a7e77942054434efa4efa5f795c2 |
| SHA256 | 80bb550cd7e7fe8187d783ce640e54336e50537b4aae797a003a8d5d1c087777 |
| SHA512 | cfe4ba13a73ce8f04e07b2021db88d082ab0ddfccb1f24090ade69008d671fad64c3146d765fdbbe67a965bad8ba515ada16e8c622dfa89c5d872fd49231d45f |
C:\Users\Admin\AppData\Local\Temp\kgAu.exe
| MD5 | d40530353c0f5d45c32a49be99e6c75d |
| SHA1 | 2812125a04916bfa9c365189c1c1b2f1b35f97e8 |
| SHA256 | fa814ad3d6cd769507f7804b10dc46dcf47f06952486719d183c94197f9cc3ae |
| SHA512 | f29d64fe0202f15bf1006f14c8b2384251d2f3e0fab73b2cde4b047779533d91d6f1a13cf776c817af599d7b6619185b11bd1d46081ebd492f0047b8b7fa7e82 |
C:\Users\Admin\AppData\Local\Temp\UkUk.exe
| MD5 | f54c3a1b76fc6bcf6722a777b26e77ec |
| SHA1 | 04534e95d0bdd8121a0bfade936a83b707291c65 |
| SHA256 | 424d9bfd8fb42640c94ee3fe898225d3e517c442f4a8d2bc0be911828fe759fe |
| SHA512 | f9ebe2460f29feb7b3faa072ff82b3a9ec81c3207140c5104114ac2c42831db73b35a2d722a77fc1aaa709f31543c2bd4120de78b61ff09b4f0698a64ce5d2b9 |
C:\Users\Admin\AppData\Local\Temp\Osko.exe
| MD5 | 5037407ee898f22e5152d64d231621b5 |
| SHA1 | 81999c307f1ced174d533dea10321ddb079a2e31 |
| SHA256 | dfbe4335e6c126b8fbb0d4f1a0341e57ad62b3c8bd34173312ab3546319f0438 |
| SHA512 | 8ddcc3b91bab580902a47ff886a11a692114bc3b4ad2b44fa20af78d0eb2a15d14b61784106914630ca6602c2726825377c3a66f87506734d3c57e721941c11e |
C:\Users\Admin\AppData\Local\Temp\UYYo.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\YUcg.exe
| MD5 | 25390d871a58030da1e2ba97934319cc |
| SHA1 | ac28451c6c7efb5a6223adcf764194849073534b |
| SHA256 | 3cf3529fb3ae965aacc18ff70e740c872b945c5fab9f1582213f711269f62c67 |
| SHA512 | 5aa08d15df4565ff6ba0bd26d567261d84dacef91c99c53db53b812d0e178ac4c43e87c76ad96000870285f8f13069f4c6240a1c972e6095390885746849f157 |
C:\Users\Admin\AppData\Local\Temp\rsQEIEMo.bat
| MD5 | 5ad2b64bcabf839955ce4c3cbb8dc90f |
| SHA1 | 2e2010a7f3ddf480c892435ab3c2fd9e69b2f3a6 |
| SHA256 | 6f18c867ea93f9760375b4fae7bbe1b45d20b0def462c259796e2516ec99eddc |
| SHA512 | a43307757fdafb36c6905bb2a2a2de05cf6d58be69d978f6875dba8ef249e4d6576acd3d19228f73a219176edb089c2b839bfd172f66178c1c12b36651d59514 |
C:\Users\Admin\Music\ConvertFromClose.mp3.exe
| MD5 | f6c2600ed83d76b35bf06319d38a63eb |
| SHA1 | 9ac61aff87c644bdda07ecfa9015e5e1b4e906ec |
| SHA256 | cfbdc816b0f0541b3d13e0e6fc36cdee538772194d7b5555aa0bc15e897f4061 |
| SHA512 | 28ef60065bff27cd8b983b1131fb240303cc53c33660a84232a38defec449ed62efee35aae1c03f1046cd641b9d9ee9c3db2e697fca9635d981e70884fc75b15 |
C:\Users\Admin\AppData\Local\Temp\ikwA.exe
| MD5 | 472ccb7b92f7c72f1c3ba02071ed1bd7 |
| SHA1 | a0a8d9bde0c35e9acd33c348b23e262350e43e5c |
| SHA256 | 04ff9bcb00e848750a01a148c54bbb50d45e3f328ec07f451e8faac669b6e75d |
| SHA512 | 2480e05c4d3016848cc3064b8fc0ede40808cb4c654cd8db79ab6b11766501ed12ad40a49e8a8d32dc10c92e73d38f271f62c61292a7f435ef4dd81a719913c3 |
C:\Users\Admin\AppData\Local\Temp\oQQs.exe
| MD5 | 3e1140df5cd102c25be7b685e5cb8195 |
| SHA1 | 0030d1b1fc7ede6ac892c9434d0ef55a5cfb7944 |
| SHA256 | f073adca7518f920343dd2b58065537415dc0ece1edd1f9eaf25915213e9e459 |
| SHA512 | bbd7eb811cfe55bfcf77d161ad0b5c4927f3a01b26f0430098701375ab70519e9aaca94bc04ea3805f7fd23db6ea067566d8f1de1e2d5d930a0a4a601d13b00f |
C:\Users\Admin\AppData\Local\Temp\YcIy.exe
| MD5 | 8a2b2252e677c42ee3c6842a3393c5a0 |
| SHA1 | e5ceae4a976ea0300b5d327158e1118fbc0b1f95 |
| SHA256 | 5d3e6796d1dfe49d24a92345a60af00a69dce34453a898b50305e667f8b1d369 |
| SHA512 | ec6c59f64a4fb56bc4554f43baa73cb22cfbdc0227c0c00b765bd87a5849d4b13dcd625e160540ad3b1bd60de386a308e82c2b2f0cd4f37439654bd97b6e1dbc |
C:\Users\Admin\AppData\Local\Temp\HYMYYkAU.bat
| MD5 | a0ea7a824d6dfd8a72a66a8435586413 |
| SHA1 | 1b6570ce965680144e0c8c3a547803b5a700e076 |
| SHA256 | d38a4571e0187562ec74cfaa666ca046d434d58ce851d02b6a6d7d750785315c |
| SHA512 | 6c92c032e5162ae602f6b7b0800b7eaa33b36a83b27518f3be8a7e68ea1c5c62588c26607f47e77d634073517ebbf3cf2360c26907608e14d731d5c08967bc91 |
C:\Users\Admin\AppData\Local\Temp\cIAc.exe
| MD5 | 349b4266b04812ebf6fa8fae422869ce |
| SHA1 | 158d939ebe5f9aa1dbdbb85536fba70f73b64bb6 |
| SHA256 | 2d4ab49a0d6b2a03670c55e2da81c68cf8e8d478c6e31b6420ceea47d0e69be8 |
| SHA512 | ba077763a640aa718d57461d1a40b365d4d477897c244af4f18f5e75edc9a78673c2073892f530856d5777246e0d343542c12eb73fd8c49eda6934a311241434 |
C:\Users\Admin\AppData\Local\Temp\CgcU.exe
| MD5 | da1025d06e5bf284029a5feaa726e408 |
| SHA1 | 65bc70e7aee3fb4eb329d48c047dc1cbeab50214 |
| SHA256 | d997c47954b1947cb95b59aaa00bccfdd101a0073d73e4c0018f288ef949d8fe |
| SHA512 | e399806ddccf107caf4640de2e556c25137355fe4a3c6e8e152df7be60a59769f92be4feec48e591c9915875ba9f2dd418071c3abd18be80d6e9a7906b7d7698 |
C:\Users\Admin\AppData\Local\Temp\MgkM.exe
| MD5 | bf3639516124eaca8ee1414b75e55f98 |
| SHA1 | f65a1004cfd74d838a0a9dddc2bcd2d1a768b331 |
| SHA256 | 234a5ff6be7c6076437309e739359012e41231de224d74c39e168f0667c296a2 |
| SHA512 | 508865ab8fe1fa35b752cd799e16b64e0670d4831a0634079fc3dac10ec3d0fc7bc9d18a0eae2f25002a3324ac5f07fdffdd8350305c2c5db6700dfc413b9800 |
C:\Users\Admin\AppData\Local\Temp\wQoU.ico
| MD5 | 964614b7c6bd8dec1ecb413acf6395f2 |
| SHA1 | 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f |
| SHA256 | af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405 |
| SHA512 | b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1 |
C:\Users\Admin\AppData\Local\Temp\eYgY.exe
| MD5 | 732a553cad9ac307e95e68e3eebf672f |
| SHA1 | da273bc722666dbcfe1069dc3564c6bbe682017d |
| SHA256 | 6dae0c3d667cda89679f78ceae8903fc35095b5c7bce2a37a5339cc092f6c5f0 |
| SHA512 | 5835342b93197fbbd9312790a1442f13317ebe0adda62b105592dd17a7b974ef7641fa7d04e67bb753a129dec6ee43c20678e88925253d732c6e8308ab9d423b |
C:\Users\Admin\AppData\Local\Temp\KIIC.ico
| MD5 | 5647ff3b5b2783a651f5b591c0405149 |
| SHA1 | 4af7969d82a8e97cf4e358fa791730892efe952b |
| SHA256 | 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db |
| SHA512 | cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a |
C:\Users\Admin\AppData\Local\Temp\YUgssgkc.bat
| MD5 | 6359627e2effb1d5ef8edcf30fa7d520 |
| SHA1 | e87bb93333be27fb08e9dcf0c45dd2f7ce5e4f2a |
| SHA256 | 7ba248171110f2fac13f3af9a111b77db92750f5eaf994fd23e88346dc3df491 |
| SHA512 | bea1dde483d16e479fc41ef457d7fd917dd1e01395384adb43c51600203578fd45ffe7f12efd314625931fc4662a4e924611a2b6774aa83226d176a6b12fb610 |
C:\Users\Admin\AppData\Local\Temp\wgQq.exe
| MD5 | 732fd0f2b4d73f7de0680e88b46552b6 |
| SHA1 | f3f571f21ce32e0b08cc46966e0ea76e1cff45ec |
| SHA256 | 6f8f2fca73ece2e2c0d57806d44fa3e2f99719d6969c24d3170548b8ac677f56 |
| SHA512 | 0b92cbf75ac0463f97e48c80e3d21973e10c79766a8c51ff4eef31a220de62c73870e937f115ee1847964e61c6b7fd06df0d2de7bf4d0fb24c152a794f85d6ba |
C:\Users\Admin\AppData\Local\Temp\ekAY.exe
| MD5 | c47add5c60efaa6c567ad40fa3bd7f85 |
| SHA1 | 3e9a5a220172041f3601f70c2ab76c43f553e5af |
| SHA256 | b6f0988ae5307318b40036b7c9f50f5151437c681e8eaf00c14f7f2124a8660a |
| SHA512 | fcc9b79e33a58c348120f8ed166f8fab538f4001d4bf6ba5196ffec7faab0eedc4eb3bbb26a5126214e19852fcbefa6353d974fb87e72d29989f7d23d378ebed |
C:\Users\Admin\AppData\Local\Temp\iccA.exe
| MD5 | c7bdaf9c2e9e29ce38c469070fef434c |
| SHA1 | e9664cef3872e991a99cb9a9fe6f9d1ff3fd3d14 |
| SHA256 | c3b734ccc75e38dc6751167adaf6f811f1e0179464b0feaa7f5ef9e0690a2a99 |
| SHA512 | f67dc2ec70a99595f4b8d5065aaee44f4044bfa22dc2a5733e0e0d3e41c847b493703e394ab1ef76d039e12eb03ec990e8bd53b37f4c17895d566814d4fee0f6 |
C:\Users\Admin\AppData\Local\Temp\ykgQ.exe
| MD5 | ef1e3cd3ca1362b4abe8aed4ddb1fddb |
| SHA1 | d23bdd00d41adc3fb8c6c6ab01c0779aa7c36c84 |
| SHA256 | bc0766a53755b389880df2b94999bf037f27028e9d1ff6a68bdc4ae1d095105b |
| SHA512 | 8fd2a0c03659560fff3025275cc08460ca5b19bbc403a6c38314a24a2be89ce1814fc8d6f007d2e94c97eded3ec070bb54105b61bc2871650b9f2b61176a1c46 |
C:\Users\Admin\AppData\Local\Temp\OUUYscQU.bat
| MD5 | d8c9fc9eb4d54ed9f09bb5197a066955 |
| SHA1 | f989f4ee49e8617870a9093ab912c08db0696831 |
| SHA256 | 0a5a87f326edc1aa1b9a8b35da4536223c275339c965d484567e37b0afc4aadb |
| SHA512 | 16401c68f424a549dcd50e8aea281f4ded837c81956078dd6558b39837d0fed282d4717ffbb5585a1bfee24635627cb3ef636b4508196c7c96bf9ea3176b8f26 |
C:\Users\Admin\AppData\Local\Temp\WYUQ.exe
| MD5 | 6c5c2345654094cd1cb12f2b107f3131 |
| SHA1 | 4f73eac837fea9cd71b7b28fa2f61a18f6296182 |
| SHA256 | 3544398fee4d7d48d763940d722e1f646dcaba0108e097235595fcdcee48e4f9 |
| SHA512 | 00a72b2214f00d84f8be6f5a60bbcaed7d8d9465a76e15b1d27d3c6a459c2a10cee539e07fcbc5f2a54c800239299576d367980940622201375fcee63140cfa3 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 2ef94b150bd7e08f80a023ebb258da21 |
| SHA1 | 1844cce1d800443dbb7ae5584c3571c772d362ef |
| SHA256 | 99d289908881488dde576a6970bd8c6e9d96017814bd63869b59269344ad3882 |
| SHA512 | 5bf6d23e78569f11bfbb73fae22bdac370e4ec73558d9a0cc851b14c89c21e2c8a34664e66db7dc7df84e2d0524c1f83bab6b1b68c367d0782b867744f418954 |
C:\Users\Admin\AppData\Local\Temp\KQsC.exe
| MD5 | e50f46c29affcd3a2d624dcb043065b9 |
| SHA1 | 3db33d1e48d956fd14a95537bc90fc528c463dd2 |
| SHA256 | 2ffde5e72de3ca3a3306799de62caac4fa3fb76d2cf81529f3d88d7349e476ec |
| SHA512 | 98c51e35c8dc330dde98be4c51b98ceff56cd510e933e75bfe767fa82d9bb38e17e54ea23f363a6473234e4527c9ffe94bc18ddfb7a2fb580f63d733cbac39ca |
C:\Users\Admin\AppData\Local\Temp\mMEs.exe
| MD5 | 2c7bf3072df98334345ea0b79cf08025 |
| SHA1 | 510aebd2b41f46ebfa1ae0145603c27af60a48ea |
| SHA256 | e4f0bf40dcc12ef9b7e45aa55c8c65e4f78255ce3bbe2b1278c27935a67088ac |
| SHA512 | 5ea027d82b654682a9dbb61e4d2f48f492e86de31281fd4e1e158965529ce873c2784bde7a0629b287d51d8bf13a76bacb6f402ce9f6910dbd4c58a4df495162 |
C:\Users\Admin\AppData\Local\Temp\QccG.exe
| MD5 | 75d138ce28b19c6c783e93c2b07814a1 |
| SHA1 | b26c79451717363c927d1a017ebcc7a77dbeb5b2 |
| SHA256 | 0cbca5d4222373b0934bb6db4a89c1fa625c5422322cbfb983e7b445227137ad |
| SHA512 | 704da4bf381fc95b71b047e1aed2cf6c8cd422ca4fd8fe274b8ffa7b61bae43bed362155a540920b5b925a1efb7dd6bda0266c7b8453bc62f69e50ef4b8ecbc3 |
C:\Users\Admin\AppData\Local\Temp\GWoYQAYE.bat
| MD5 | 97df453ea6ee8c352f6f82fad0cfedc0 |
| SHA1 | fb2304ee3b3b22336cd6d51397c9e281198473a6 |
| SHA256 | 334bb67a9a1e19ce2d177bdf16a333be4b94f71ec3a2f348b67d6aa810d98b07 |
| SHA512 | af05cdd004093813ed5120fdc7a355b1881191622cfb2331241a7167f94d98f2c10f4caccd8f0cf9ae6ce80a703e81ad7fe24991a25120f9ff83d56ef9468173 |
C:\Users\Admin\AppData\Local\Temp\WAEk.exe
| MD5 | 92a252411fa413ff556c5ef296a0d1d5 |
| SHA1 | a394c8f4b2353c6c2e49fd4b95334d9f2027bbfd |
| SHA256 | b356b3da7de841626ffae9f9f98ed7f2be226f4e46507eb595831a211eccc74e |
| SHA512 | add34ff0dde4a916a3507ebbae908fec0859f64a3817a9a375f23e4df792002b4095c4cf53e5be4dc58eaac84276c025db5f183b3f0b3278a832a1b27bcde3f6 |
C:\Users\Admin\AppData\Local\Temp\Scco.exe
| MD5 | b4b02611fd4c6e28cdf8e52178522819 |
| SHA1 | a7f0bb9dedd26accbd3dcc308149b2ed40defd49 |
| SHA256 | 630413fab57c5cad78db17d36ac3c067f2b92763fc790f03ca8f94616b0efddf |
| SHA512 | ea4247aaa8d701763635dace68f5a442ae97339f4b73b2b2d462060106d3983a9c188efc0a9127e1942c692d46086fa5e1d737a35cdfc3353afe17fb4de11903 |
C:\Users\Admin\AppData\Local\Temp\MgcW.exe
| MD5 | 0e33212ceb4fe010f9662c94fb7ac8d3 |
| SHA1 | 3e352187ff60fbbfa9492746dd4a2f86aa968d8e |
| SHA256 | cfb7796b35b1ef8756d4380cae6df89a0de157dd38ceac6011a520f795b5de51 |
| SHA512 | 603d6123d310537b6bea867376f27aab8eb3154960708a0b8593c7b4065f897ab3236838e2db914303860091e4d6811ceb2ea4a30e583ec5a21ecd132c5a18df |
C:\Users\Admin\AppData\Local\Temp\dqwwokkU.bat
| MD5 | 30dea5d419dbccb5638b9c4717c68bb6 |
| SHA1 | 4c84609fe765662af0a4e823bdc3c4a46266808e |
| SHA256 | f516ab5d51948c3f9ee55ed248a820bd791de4e835d89b03bb0175fb7a2d6f7a |
| SHA512 | 2e8fac9d4c4b760ab2deb5633c146d88bdbf7f3490a7aad24002ed49d457f4e1ad3be7dfbbf06ebb026e8a24a42ebe8f2ba11e55a455b49ed1c5e9e2f22e032c |
C:\Users\Admin\AppData\Local\Temp\KMcq.exe
| MD5 | baa8c8711705ea53578e6528bfa866df |
| SHA1 | 11b17b71a119664ba29c27fa32318054ca2b4c7c |
| SHA256 | ffed88d7ec6f2ae7368bfd04d64bbd3fe0d98270f1ea01f12583d22affe864ae |
| SHA512 | cd5725125b9ccda3c8c0aa3bef4d0aa28d4c63ff2049fc3796062837052a64502e666ff540f17ccb9e93f8bff82c793c15741be4359f978e9ea3a0c29bdce9d2 |
C:\Users\Admin\AppData\Local\Temp\AgYg.exe
| MD5 | a3c4b379fe1eeb918b8112c5e71083c9 |
| SHA1 | c7b8c47a9ed15524ab288e818b218257a737353a |
| SHA256 | 24a97abfe5898b56c23a14ef11351f2a429c5153c3c821aa9a6f364ad8864ffb |
| SHA512 | 97892f95a76714d5a263efe1d6ac90120795ca78c61bd6b3dcfd2aa9f5c22be145b7d6e8d2ad6cda3299a5e85e2b6b58344ab98eef9abed18a6f683ad73ec71a |
C:\Users\Admin\AppData\Local\Temp\EMES.exe
| MD5 | df00c76db396aecda873c1ce4091b85e |
| SHA1 | 08ca9ceb9bc89d51e431d2c4c337c49f8640e909 |
| SHA256 | 52bf5b10afbcef81e3b1a473609ecdd24b4adec03d4b926b293cbfbb3a9a9bf3 |
| SHA512 | b9b8e0c3384174df427876e9454fff006444add5d5f11e66e055b554581136d8d235e3ca758f6d3c79b9f14c68f14383c187292cb9119010e0449c279b1bee1c |
C:\Users\Admin\AppData\Local\Temp\GAEu.exe
| MD5 | d6fad6c487349965ddc5d42c23818d0b |
| SHA1 | 4dc8e533b6bef24382ac28ddc38b47b5ceb4cd10 |
| SHA256 | 456e3e9d042e5caff548effc29264ec37ef5109ea55d929627edee6f32788cd6 |
| SHA512 | 287b381fe5d8ac9186b252b79d7f4520d2f30af02e6b2b39328fbcf90ec32c8de0a2d5019d4520d40ef4b8233ded66f8248927eca1b60086abd41aa0a493231b |
C:\Users\Admin\AppData\Local\Temp\jCwUoows.bat
| MD5 | fe385a1b60e57987997035faa5405ed5 |
| SHA1 | a94d8d4da12838968876e887b733774f9ae063a2 |
| SHA256 | 93e23da710d85b74ffa7ce74956f2c1420db92af2e45472ee6746422fe5d764b |
| SHA512 | cd64236f6cef561ea748fc4b8362b7ac18ad7fb6ca3ef41a3a894f14e4b39740ef7cf22323a73ea8a8084a0cf17b23385ab80ea2a28e911476639222a84d8638 |
C:\Users\Admin\AppData\Local\Temp\MgUi.exe
| MD5 | b39e4e4d46277c13e710c38dbf4cfaca |
| SHA1 | 1a37df8aa18d20e92bbcbb63e0fd9d8f83bbf9e6 |
| SHA256 | 6b2f6f58b927749b03f70e5a447c30307c673338a5c0bef19172038e7ae2c4e2 |
| SHA512 | ffa36036d89ee2e31c29e70d2d3462d8e0db7cfbf430f2d0ad075ac19c27ed56390d0bd1a29f8383917676ad1f25be22f3df938b07b71bd884b3bb235c345ec8 |
C:\Users\Admin\AppData\Local\Temp\OwAC.exe
| MD5 | 432341548d7ddd220279a28c5410ba71 |
| SHA1 | b5bf63bab75ea4950c2fa8553309fdfbbd71cd1b |
| SHA256 | fbe31b977a4af4c9af830312c6449c2d215ccaddf8c32d9b0e9e43f1de59c5dd |
| SHA512 | 4ae752a2599f4c00c9b34843e20f64979084c6eda5dafa81063d60a3395a9432d3d57f151cecfed36cb11dce7c0d432ab234a173ae0406495b2363cb7d7b1b94 |
C:\Users\Admin\AppData\Local\Temp\wgoy.exe
| MD5 | ab2afc800d13d728969418317fc38c13 |
| SHA1 | 346776ce152219080708f2da1a858769f799e80e |
| SHA256 | 43f5ddd24ae471fd864b247962d5e4e8c595fabdefd6f1c9d990b51e1cb77e50 |
| SHA512 | c78801353309baeb593dad0abfa3de30869a0a16ead719d06ef5c4f3a9cb142c01dfafa8827336385fb308a4504f7a5bdaf237ddcdcd2424fc39f700247bfcf2 |
C:\Users\Admin\AppData\Local\Temp\dikkcAEw.bat
| MD5 | b672cbe375d1b1ca526670a4de9c4463 |
| SHA1 | 0db9126f5b9d150c466197e328fd059c3815f95e |
| SHA256 | 5ce7c6f76b5ba9359708f26ffa2b87aca9102abd0ce177b957bf6c6b09557910 |
| SHA512 | 536c798d69d0df12c7bf5229737f487078c9f1b659df1d0fd6628f80e14819585d2bc86c3be979d9e085d1845e9f7c0c7d951af9b331877984c28e6487eeed15 |
C:\Users\Admin\AppData\Local\Temp\ckMs.exe
| MD5 | 1a7967414652a74a687412ec9de1958c |
| SHA1 | 8486a41c22565010a1225cb691a6e0d18e83de49 |
| SHA256 | a512f23c651dc9f2b1c2963506620d36732287889d2176372f50214b3f1f737d |
| SHA512 | 7b0edaf533d777dcff4acd99b9fd9486040cbd68fbc9e16ef0cf51b108b6cc2b3985826f92cf025a00028f209ebb1df6079767b9d6a0f0385e693865fd99280b |
C:\Users\Admin\AppData\Local\Temp\WQgk.exe
| MD5 | 1c27b0254b1f9c4aa3abe2a61dc20499 |
| SHA1 | 4ccfe06e541861bb8315cad0df4930d68a2604e5 |
| SHA256 | c0c6acddc4f8d4cc9ba805db302101f12600b59dc21bae56b1fa7f7ff10583a6 |
| SHA512 | ebc54ea9d491f45dcd6dc2fb713353290a44cb60d7e6ef42048950dba9e39bdeb5cf0f4bbf6cdf940ad8d55da34e5c09461224254ea770fcc18e5f56651c3fcd |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe
| MD5 | 705ec27ce0743128785d03e5556a8fdf |
| SHA1 | c93193c720b2e13f14bc078d39f1ea4b40406d50 |
| SHA256 | 834ecfa2d923a26c943f22af45d1029a86691e887e1a96c3346dc7cba7b98a1f |
| SHA512 | 4bb3a9e8d945d8444419a4f55978fdd510c8d45b6c17d202d76f7b612904d4a530f55ae2ad07a42ae868b4307aebb473c905f52c87229b4bfdf8a9eb109cfa67 |
C:\Users\Admin\AppData\Local\Temp\zEwscAkA.bat
| MD5 | 3869bb5de7423d3dcda9f7c3d095f111 |
| SHA1 | 46e22f80c2435f4804a710f358a6d14fa8913542 |
| SHA256 | 7d0860b6aeb5243f395910c65e864d0977e287f27875c07ce97f8d6ddd379998 |
| SHA512 | ac6c2af1a3cddc2970d6db1ac38176c76fa145032631f772a32c04225af2f3553cc3db42dcb1386b4aa19930137dee68a26999f88917571088f07473f78d01ea |
C:\Users\Admin\AppData\Local\Temp\Qoku.exe
| MD5 | 950fbb1ca4e6a6ce5fd6dd5e3bdff8e8 |
| SHA1 | cf6c12efbf4339c674abb9b7b38ae1260a4d0b01 |
| SHA256 | 9a402b22ba3f94d1ff8edc6939a2f4b5340eee7017ece2e02a85f57478cd5678 |
| SHA512 | adf594d0d51afc0837a993d35b78233a0e6e8ec8da9ad0deed84496a2861362802706bae7247291c93ac597c38c38a6ad546cc1f84e91ef57c5be816bf1734fc |
C:\Users\Admin\AppData\Local\Temp\MIQQ.exe
| MD5 | d9f4d1681f4b0ed3aa8d9c629f47c671 |
| SHA1 | 1794605905f5b56d24ecf6f7f1312cb326a9471c |
| SHA256 | 0efefa22dd7020c99c3a04da918ba03c9242f44db1319c51ea7a7c11dd58fe40 |
| SHA512 | f0bb4e8b3ee5cf149f5a485ae9c65e54f5455d32711dbfcc15b8e64e72a1e1eaf48e6919488c5ac2436bcd81ab35bc99a01685b31a966f244e7ead4639b3122c |
C:\Users\Admin\AppData\Local\Temp\sEEW.exe
| MD5 | e05a8e5a9af20c9d78b2c1e229a6397e |
| SHA1 | 4576816f69a79c48caa69d6cbcf2361554223691 |
| SHA256 | b5ff7b2f13cc1e20ae306ad95e032b2851676b9f0e5bdb9a546bf071ccecf8dc |
| SHA512 | 7c028249344e04f312d71b8d409fa05663725ef12099ec1ef4e752326f7c35f2477d302e3afd6c3865a199d64b8c2dcc3da67074de64169ad5e231128e8b95f8 |
C:\Users\Admin\AppData\Local\Temp\sIoG.exe
| MD5 | 6a54e57ebcb7740d0a0649110f100a55 |
| SHA1 | 57c5171e7757518b767a32596cb9ce827c2b68b7 |
| SHA256 | aa013a16ca40579dec0809596c5399040eecde7c80a18dea94dbd921233ed1f9 |
| SHA512 | dc4cda51ef0bc666201272048c7ba08a9728472b5a0b3364ee252093c98f18290249b5f55f3f802bd58e67a2e11c7b8aceaa34f30d6ca3352eaab4210c84807b |
C:\Users\Admin\AppData\Local\Temp\eSggAgoc.bat
| MD5 | a4382399825726f17bca0038b0c1de15 |
| SHA1 | b2d564398922545e3217d27d7ea25287737caadb |
| SHA256 | 0da0a0747cfeec92a05b9bd596ea165b783faa69bb244d0bea9e8f923e5e8921 |
| SHA512 | e20dc67b424f63739474dca8e6bed3da8b67417b31939cf5b2fafa575ac2e8c4940e69925e01320809fd217a24224f18b0810ebe91d99ca2374f1285d9ab88cf |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe
| MD5 | 4f38c72347e0b50d1326fe3500a45460 |
| SHA1 | e9d4ec30e38b1016581e4085b9601d64f146d73a |
| SHA256 | aa9aa36bde9003560d32020c06877da4a3f32e33e5f50c8cbb4260824ea233ad |
| SHA512 | c9e97e8dc538f9d29256a415797a3bb9ab2b4296c65d03a8ceb1216ca3b07d6e923bf20ead20dfce4fa1da81f8b24545650a481135906924c88790ae242c2001 |
C:\Users\Admin\AppData\Local\Temp\Wsgs.exe
| MD5 | 4a548c46da2aa9f1846d0c6a73c6067a |
| SHA1 | 9a435460174e08a521890ab62ecc32c4e62c5937 |
| SHA256 | 677a5f888a47c992a7a93d08e9e75ab9337669b7d280acfdb76e44def1e43b54 |
| SHA512 | 15d786177e7eb1e32367278d124f654e6a6631c896d9b7cc72adcafa12921b7e8da5723f9558d41e784a93735d0a35d32ca8cc6e99ec39d3e057064284a63b2e |
C:\Users\Admin\AppData\Local\Temp\MEky.exe
| MD5 | 7d4539177b1c211f732070a03f6482be |
| SHA1 | 88be15a916701485c6788fd4ce784c3c08d279e5 |
| SHA256 | 18eeca665209f1beba3f230bc487279dbe8f522bd962a1ec15add76273ed24bb |
| SHA512 | 815c95a94f7d6725d98f1669b7afa1953ddc4cfb6dc949bab5815c0ac9f9374ffce096ea8ef848a0516619f23083d0e6103db5fcc03ec19fe7bf2c3507bd9cbe |
C:\Users\Admin\AppData\Local\Temp\osAMYkUQ.bat
| MD5 | 21f9142bfcf0392a67664172a61e8276 |
| SHA1 | 8c7b01d7024ef06243a5d0e87bb20c8b236284a9 |
| SHA256 | ac2102a7fcac6b5717d7dfe4c13aad1b34605c52fe17e99673e4d6f105fef712 |
| SHA512 | 6a8f4c35acb572bc0e1a9622a14b904faf6ececffa16b8739b9c3c50abd2f9f83dc7d40f7f8a74d5e7cdcf71e44ed0c19df0811ea1004b870b7fb361c762be85 |
C:\Users\Admin\AppData\Local\Temp\wkEK.exe
| MD5 | 9634c82385be224e914f60680544e0c8 |
| SHA1 | a966254d0df2d8b1fb141ab6a6e1b74720115e81 |
| SHA256 | c0dd2155513f5f5d70a520487ccc9a4fd07430a8232cad0c379806db1d94fe37 |
| SHA512 | 3783480dac70c88e40f7af668859d8c417bc4b30519bb117259a0a6121a25f56a7f13edd18c2f67a2a6e27371242c9b34fd0dde08ff03fcf0a20445c733854c5 |
C:\Users\Admin\AppData\Local\Temp\IcsY.exe
| MD5 | c1cfe3e4b53763d28ad639dce5ad5406 |
| SHA1 | a848131d005f074a9af45975f60bd290572489bc |
| SHA256 | fb3f95749282ca676011a80c523dec2e570bba7f5e0a2950e91d2989cf32373d |
| SHA512 | 47f2355f7484af4427a8d0adc9877ab3a4b83276fbf53ff763afcd68c5aa9dc95779f7c3dea0dbb5cd8e885f3ee23e465d2b5a973f5e48252dfcea981382af83 |
C:\Users\Admin\AppData\Local\Temp\AgoA.exe
| MD5 | 3a9c539a657a84177d10e23c45df3058 |
| SHA1 | 2f25f2a8c890ca773a8d83765f46577b6294820f |
| SHA256 | 718073831abc4c45a5d613887a7539a8cb6124ac2dc85ca7114cb9650a028956 |
| SHA512 | 1020738e1affd44dee8aa526e0cdf969a88663e8aa674463415f4e5db3b93b642ef72803b89eda02dbf047d7cd6a8166bf4a046882ff29543d61464550d59d3c |
C:\Users\Admin\AppData\Local\Temp\ioUccIEQ.bat
| MD5 | f5d2d039a5130dae018d1e882ec0fef5 |
| SHA1 | 8c21b4ecd0bae8c857aed7ff36970cd1f4c9c4a4 |
| SHA256 | 259c8db4d98ceb399593ac68a8fc549fbd00292921c520defe37c561853d987d |
| SHA512 | ed279ce2b1942c069f326bdb687afdb51f6e730c37c292b4581c8b1cd58097136014aa16e593bbd38d0ca2e5b39867b9364c98c160c4b5497f1a20518cf1c7d0 |
C:\Users\Admin\AppData\Local\Temp\MQMs.exe
| MD5 | 93108b13dcfa9b601242625c7a9ea3cb |
| SHA1 | 3ea6b0c1aebbfdc3e67d9059e988f9c6c039b5f3 |
| SHA256 | 918f870cef02eb4393d04641953c7defa038ed7279bc9800bf2801da4ba5bfd4 |
| SHA512 | 00ee274102ed55c5e15edace6ffe7e38c0945a2de925215df14d8bcbd3ea056496ea495ddf32d1ad961f407d8d3de5320e0b0959f9df493220ec9496239919f4 |
C:\Users\Admin\AppData\Local\Temp\cIgQ.exe
| MD5 | 0d3f48ff48a35b137dd1d37d75044208 |
| SHA1 | 9622d2cecb1a7ab8299070170dded81bd819a943 |
| SHA256 | 9c5fb6a66e80d7273aa04bf7c9a9fda13a9a8f7021ff26692985eab43db85026 |
| SHA512 | da2a0e4e24324593b328b020dde61e4f6ba8b4d001fbc2ea3d501773ca580b5181a89a32a8cfae3368e8c0eb80c9dbfa79c771a5f90edcb07bb5f7cba0e34814 |
C:\Users\Admin\AppData\Local\Temp\ocUk.exe
| MD5 | 0eb509f13115c2e86474d7466177107e |
| SHA1 | 158c5555113f8e51769213a4f98b66515eeac4ce |
| SHA256 | 0580f686a24dc0a88d11a36a4a538b01d767d49e03d14efbea598c4a73b7b6d2 |
| SHA512 | 250b5cc4d2f2e8a07a695457a0a637357b033425cca3d7e8123b89cc3c05ae8a5eb758c1d317e83be5a3e8e19fc056909ff0b1edfa2065e9ea92ad6475b9d4b9 |
C:\Users\Admin\AppData\Local\Temp\YUUQsMAI.bat
| MD5 | c4cb69c13d0f2d9d323a03dc0ce58480 |
| SHA1 | e5907729e1d04d311f627d8c7e4a39eed46da999 |
| SHA256 | 891eb8b1ce1656410eb0d5460d476b558e7105c7268237a6c93af967b2ccc272 |
| SHA512 | 6a690acc7e3bad17db0aa3140b6f9436194436d0042131611a4bd208992af2ee41b0a1a5d49842f9c2a02882788e94dff3eda3807964ede951c8ddddb1b5c4f3 |
C:\Users\Admin\AppData\Local\Temp\gIMW.exe
| MD5 | 3559d7e9ff2781bef5149c60ae573aba |
| SHA1 | e0be62c0ece9c5afd9f715680866d92fefc6a535 |
| SHA256 | 013e11320149f89b8a6f5adee669800a2a4b216b5ebb44809eea9ac3f3361e53 |
| SHA512 | 4cd4a3de0a519db67f62c264c5507b22ce47fb0543ec09811d45c9f788736c158f21614da8d71ef324bd402f5f3a3a1f1b3d09e276ebef1a97e794baf59a7111 |
C:\Users\Admin\AppData\Local\Temp\sowk.exe
| MD5 | cd23af4e32abbe44fc5c5468d96d041e |
| SHA1 | 4f125301a004178b8f64893d4a8a57a9242990ec |
| SHA256 | 97ccb5faa57d3530be5896b423e989865fd9082c77d6ae85694f46a01576831b |
| SHA512 | e2e589baa76f7c83b7358febd86d1be8771e14a062a6c80dc24a4751969551d7ebbccc8e6edf0ae1b1c33ec38165ad3c590488835e02148ef59b901fa2092214 |
C:\Users\Admin\AppData\Local\Temp\EQsi.exe
| MD5 | 0ac9bfa8c25c8ca7c29b0c3f700c8d02 |
| SHA1 | 3433e21b0ada492e2ac047b32246e24b963f6c79 |
| SHA256 | 108e856105fdc6ff2624da977f9fea542aad63441d864c60ca7cc0b22810b2bb |
| SHA512 | 9862ffbe26ee548eae320da9625052bdfc87e5c4197b8ec0f0c6add619ab88386f8a3b8a86eae22939bef6490c5bf58474d25044e69e7238290e57e406a8cf7a |
C:\Users\Admin\AppData\Local\Temp\hkUEIUEk.bat
| MD5 | 1dc8a8f2f0fcf8d83e9ec4c4e379c2b4 |
| SHA1 | b6b0ee5a44c962577a0d19d38e3292062d2df05a |
| SHA256 | e4c93f2f8ed451da09f8305755b01af0ae28b66b38bf386d6673da4399e9e2df |
| SHA512 | 49142430923b6dbc9854af1d320cd58f805d7526095c9deefd5e7becee8062b4dd3273bb1d0f5b2b052287c3ba39697d8da4b1f31235525f97e95ae79219c494 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
| MD5 | d3bb19e998c9e6fd1af58c8c1215dc1c |
| SHA1 | 4c5b1a346b234b1c28bd4169a6bb3f2d6523930f |
| SHA256 | baaf17da90268388cfbb528a36e8ea2b23415316d1ab844b9200094be3f87982 |
| SHA512 | 5550af03ba1a1527a99ebba72d9534b53af8c39dc62337eb78b7a2dbc0e1245722eeb795dba91bbbce0ad88ab0d86e50fc9a8ef6537d5b7f6b373117729643c4 |
C:\Users\Admin\AppData\Local\Temp\sIsg.exe
| MD5 | 38d3fbbab598951bcc82922d697cf68c |
| SHA1 | 53273b27f80b23d01c5d59ad9f454a565af1a9a6 |
| SHA256 | 32105cfb11907b127336f1d77e5685d414dfc7b77480f5927ca988ce5592444b |
| SHA512 | 2d54543d4d21f45418f6511734c7c5dc4591984ba321bcecfc4d114ae94cb026de97d1ce406f60abe5eae923b4294cf4c2d05f94b1d35776425ff184a0c7eee6 |
C:\Users\Admin\AppData\Local\Temp\mkAk.exe
| MD5 | 94171372bf0421a07c33f6dc01e7dba1 |
| SHA1 | b6b5ae834f1c7c2768eb35c7b807a794c8438d9a |
| SHA256 | 3ff334191542684305cbae6086069693f2f9a7110a5c6bbcc3d938c1f44b4aa7 |
| SHA512 | 1c216a3640d9ebceae5e2338c255c8fd4c2d764afa0f57c1b3ece9c810cca1f165b818977002c1c65da97ae9f1f53cf2f880900f37e4529a2b389bdb222e6197 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe
| MD5 | 52c8627ae22441e96cc3a9f35adab79b |
| SHA1 | 0058f1824b674fdeb2a4844e60909bbb1d2a9ef2 |
| SHA256 | 03f8348ae4d473f2f05f10b1bd501e40e15fccf32b3bcb4b2fd34e92b5ac3cb8 |
| SHA512 | e6ddbd30b9abcf77318210696f06af12964f7c9886fc571b9f07268f5a56e6ea8232d7623fa4a37b77e6b5427eb5294a6835929fccfa4b97666fcc45d1dc1795 |
C:\Users\Admin\AppData\Local\Temp\jUQgsoQI.bat
| MD5 | aaf3162942aa22291dacdab884d43504 |
| SHA1 | adcbb363c74290070047a220940135151197a358 |
| SHA256 | 09470ef12a2521cf4d8bdf7ee0c91f0d87b5d7a58b20b47a7e180f4a0e0f0504 |
| SHA512 | 856dad187109c7934d785972380ad9cd1835ed2db80dc8da78158685e2e2a8ba72d9f2797018d7b87b9629f35d96c895dab5cfad1f45e12355bf5ec8532e9d9d |
C:\Users\Admin\AppData\Local\Temp\RGUsocwc.bat
| MD5 | a810db6b107a5ece64ae8ccb573d61b8 |
| SHA1 | cde6b4e9d3525185b932f7eddd5895e63c264340 |
| SHA256 | 07c2cd4b27d3ef2cf865b25d27041e3bed1a89017e9d37d786405908d99b5844 |
| SHA512 | e13df7cc0b1258a7a17ec0a077c449c5931cc4a0c2c88ca3a7dcde6dff6b0bf01ec87dbe428d1c5f8c547879e5d7fe413991a7ed3b963eda5668b15bf7ecb86b |
C:\Users\Admin\AppData\Local\Temp\acgY.exe
| MD5 | a73f3fb57bddfa9c65ec067c9689e7ec |
| SHA1 | 64e8cf5e0c5ea694f5eb495399480629935f5aff |
| SHA256 | c360c4d1d2c43fee23c8f01325bf1e3ff445aded6658fe51c3d952aeeaa593ea |
| SHA512 | d90add9c71a1ad66960ceeae728b5de0788ee6bc95a6fe032a1ba478518dc1c1cd9362ff6f244a457b5010a4fd13c9c6f14e076913deadff529d4729811a168b |
C:\Users\Admin\AppData\Local\Temp\ywsu.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\gQYS.exe
| MD5 | 7844973a5b3ed165917891a90140cdf8 |
| SHA1 | f3df0bd10a784a39d5ff0e448480ac796449436b |
| SHA256 | 15d90bf55af232ad2c548e83206d9234f4106a43abf2cea35b45f4021f07826b |
| SHA512 | 14eab0cbe72262d1bd2c2cd4d5f76ab97499b0a5fb8e9518bff64092c30631b4e7eba83143fa0840fa0ea42b108ba58a834d4792d8d6aab61f308fe11c79bfd4 |
C:\Users\Admin\AppData\Local\Temp\sowG.exe
| MD5 | a16e1e3170445413c97edebb889966e7 |
| SHA1 | 94ae147faeade410dd3ec0358a146ad58410de18 |
| SHA256 | 295d03be587d830da7fe05338b8f5ed305cdf6f9de459604f5d8acd7f6257143 |
| SHA512 | e881cae42e0379057dee338a207c48e18d312ae7fa750879011243ce55cbc06aaffee364d06f26ab51531feda4c35f74dc12d87a1f4d37776fbadc906f7392e3 |
C:\Users\Admin\AppData\Local\Temp\yAMQ.exe
| MD5 | 588dfee1aef326cfdb9c0b681741fd8a |
| SHA1 | 863d9ec2036e0341a91f8dd4378ffe6f89a720b9 |
| SHA256 | 049a52b095c6024f628bc48db4d4e7403de3794114f0bdb51e79334ce14a7007 |
| SHA512 | e484d26aa446497825ebd8562e7ac1bd5326350e6c486e1e9de1cc3524ed5d5cc9dd89e2269ec8bb21362e3239f1c5f5681fd42182642f89d3b6b9b014e45f2e |
C:\Users\Admin\AppData\Local\Temp\cUsC.exe
| MD5 | 79ee746e8e86a6b77950f321c2b6da7e |
| SHA1 | f90e87f865a42a4016cd62c5c33f653f45311a80 |
| SHA256 | 54c215f35ec779c4b4e2031187a7c7a2cec53837b81bd77baf89e71ceca5e7b4 |
| SHA512 | e43ca61dcd3836aa9fa002f3855571362eb410e944788fdfc8fe281909b931740dc1cc3be0f298b39a232d4f8de82650449fd7d28b87affc9871c0937e63efdd |
C:\Users\Admin\AppData\Local\Temp\WIQYgogI.bat
| MD5 | 5eb29b68dfeac94c100bf9baddaa9796 |
| SHA1 | 8e7671a42195283dc2119d04d4a7f5bf2ba8ffbe |
| SHA256 | 85a8e59dff9551cf6135c12cd1a445c7980bc3552a342f97de879733989d9f38 |
| SHA512 | 3e2b556e1078862fef2d6b6897044f0191067d7ff83144387f3ff794c48e5307dee3d3fdcff0f993e12254eb0d6dc42984010f7f4d8941992fcf78d1dcbc32a7 |
C:\Users\Admin\AppData\Local\Temp\MAws.exe
| MD5 | 3ab51bd597973df945d4f125bf262f3f |
| SHA1 | 407ae1a5e2688ea21c263a9d23854bb2f3633776 |
| SHA256 | 9b001df9084d80e62c3e9f3491a16f618513b76b8dfcb1c5a2d7d90ad04b10a3 |
| SHA512 | cc20ebbbfc3c1bb0facdbe0a05e464165026cf4516388bf9672b4cf2e2db4145a62e59129269bfd68bf0a74d4b5aee30accf976e108877c5a85f406c1854c570 |
C:\Users\Admin\AppData\Local\Temp\KAIC.exe
| MD5 | cf40afd4f05e9088d6ce4d8bc1bbf444 |
| SHA1 | 083e46c8e401a0e3119b528479d4cb29787f5b33 |
| SHA256 | c7712d6175c8e059ed136032c448911ba0c1642fe3184a10a31d2f6e47e2e793 |
| SHA512 | 05a3a6587bd094ac65baa586fbbc535655480e0cfe9106723e40b45bf240cb90936b2d16e14f15de331456247ad0a286a172aae5704fe8a29050822e14914898 |
C:\Users\Admin\AppData\Local\Temp\qssG.exe
| MD5 | 09b82cab6080165ac7df81eaf5194565 |
| SHA1 | b4397674be8c1ba9e87302a445e0f31d23bbe841 |
| SHA256 | 648378a361a151cd82f11961aee4ad5d44338d9bf323ef0e23e670a095726975 |
| SHA512 | ad09351a37fb8a37834bf43961d7e0868e6d63ec8e634b22f7391254e87ec07aba903e4f26224cf482e14747c8569b4e0f94a384d38c116de90d9e75dcf3d15e |
C:\Users\Admin\AppData\Local\Temp\GMUUoMkU.bat
| MD5 | a7a6d0aab87f0e6c4683d3d962e5b5f2 |
| SHA1 | 7fa337dde55fdf859df4dc77d054a99b771b0f57 |
| SHA256 | 25839a7edf11f6aa1d25d6a513c45e7068a9865ec5670a46d3c3c4f4c41c4a84 |
| SHA512 | 35688cf6fb90a42983f4379f5e136dbb761eda238ef9cf263031db9698feed820d2c2af1692961019f8af31c0237b38e0cbd76b49db50f993d7f175402d9659c |
C:\Users\Admin\AppData\Local\Temp\EUkm.exe
| MD5 | 793b51bb17ebd86217ccb0350838d3e0 |
| SHA1 | 37a2c43fc85d211f5d3518f24236bfdcd6dea327 |
| SHA256 | 1a972acffe56a19c489b0d45307a8a76a42568e8ddf091aaa2e9b86a725c93d4 |
| SHA512 | 34837736902b0e6a7bff4dd7da102b4193c2704beb0957b141ed8ec513da7fb3d8a7d5e60a6bd4469a4ecd608803d0e270d76063a59b8cb62932ec0f093b3080 |
C:\Users\Admin\AppData\Local\Temp\AAow.exe
| MD5 | ae2eb76f226c5f4ea40d1033a3e7b5e5 |
| SHA1 | f25a07bcfd6838c7dadb6fe6d4268c89219dcc3b |
| SHA256 | 55e2c572686152d19d574b4916a68f01b0f1ad85abdbbabfc71a59523d90fde0 |
| SHA512 | 1d26fba63d53b82eea715e40abb0597a04395bdec6a13df4e32570bc0edb9eafb24a089dc0e34b0be1e9283b94761ba61f53105c6e48765a7af75529be3e6083 |
C:\Users\Admin\AppData\Local\Temp\qIoO.exe
| MD5 | b6b6dd11bab05e313d3dd9609d723c0b |
| SHA1 | f38f72faccfa7c2aa24721af80de10c7e583212a |
| SHA256 | be19e4799f5758addc31bd95cc01a4f994a0f20676d376f6cf8d35cbe13e7fb4 |
| SHA512 | e2e8d15704a1440bbbd86494363dfea4c22cf4865016f962c9a9e8d678f340e457c8ec831adc53214c264b7cd97eed88c99e280a647f9d65492f961da4375fb7 |
C:\Users\Admin\AppData\Local\Temp\KkkEgYEQ.bat
| MD5 | 40a89f07bb8972a919f683b0e789dcee |
| SHA1 | 7d51998d403a3a631c03f4aeab522ae599462197 |
| SHA256 | 5438319febbd2d1da3649db8caf2213523dc3029d5cf84e7baa81d38cdb1539e |
| SHA512 | d842926a789d74cd58c2d4a2a86ce595346f0d43ff111e30123a7dc972d27540e82494b1a796291fd45047be5925d8ee635f191cca6d5c06d7166be19096d762 |
C:\Users\Admin\AppData\Local\Temp\IWYQIYco.bat
| MD5 | 62b56330bed543235d5d53ab1202ef80 |
| SHA1 | ee0e24baf9914718827ff624defc2eadc3e71413 |
| SHA256 | af689d11555839149395d5b178ec89d7c8bfe39fad7cbdf380a5495a2a3b72c2 |
| SHA512 | 71063888ec231fd6c11b5cc13f5286448d7af62bafebfa49ae910bb86c968cd5037fcdf2d4683dc54cf57ac8f5ee74be25f3758462e723cd49c9bee7fb01798a |
C:\Users\Admin\AppData\Local\Temp\tIsAokcs.bat
| MD5 | 1585815371f6376b93457ded21854bed |
| SHA1 | 47a800f7f7d59bbd7d8ac504d88d65d173c8c565 |
| SHA256 | fc53004dad4dfef651a722b50bb5dcc0c6ee46e439c65159f5f5f868de9f6fce |
| SHA512 | eb56af2c46243b4e43cddf7a3bc3ec907617171eed3289afb290d1e9eea08f07bba59b23571207fd90db2daa315002ae74d2f888520534076676961f6c1155b0 |
C:\Users\Admin\AppData\Local\Temp\tascQQsA.bat
| MD5 | cd61b00cc9dbaea7649f2950d13754fb |
| SHA1 | dba407fd576073e52aabef2ffecc384c8da2cafc |
| SHA256 | a93d389aa4c082805a27c39366d51a36fffb38970e3a4777e864f4ae0e3fc1ba |
| SHA512 | 7d30ee61b28426286177319b1281a9d54113ea10d03ab5df5e4a915c2b25f2f2c7155646e91c3995435c5832668fffa08892304ee95bac6ec2fa63bdbfdf4e98 |
C:\Users\Admin\AppData\Local\Temp\FokYsIoI.bat
| MD5 | dca11d7f82fb304a86a71ca5660c86d0 |
| SHA1 | 6843206e62c98f4b5f5288476cbc3a8573b20e2b |
| SHA256 | 1daa9e27ff97782f5a58fa8b0be163e67d86454caf33b9bb56c983fd61d593f6 |
| SHA512 | d6d24093793f8f5b39b54c45b51b27e1bf47ee1d1ab2be0ea2b063bc56b5df99d22328e888048ec45b73da4b580a597cffadf64f34f53e22262d276ce38d1e09 |
C:\Users\Admin\AppData\Local\Temp\YsEQEYcM.bat
| MD5 | ae9bc033f1c4d66df623d6b317de63ba |
| SHA1 | 8cf729df05b8b03e2c1f9a2a207c26b20e879be2 |
| SHA256 | 26b793a88cdfd316d8ee36fc1ed311dfa991eb13f81074f4d60a95467e336eb4 |
| SHA512 | e521f9832c6a8f5ffa2db1752a8b9d2d420f1326cbe49455e7160d5239089d7e975d0019f18e8e0757b8616c42c5a452e0d583aaf2ae03e427d85ae255a887c7 |
C:\Users\Admin\AppData\Local\Temp\uuMIgAwA.bat
| MD5 | f82e060d669e02d9e148a765707d7917 |
| SHA1 | 0006a00ba232e07f95028ee1e9f7161e5034a30a |
| SHA256 | 3cb12fc77921c0a48ce6b1d3677b79f8d112f55e30e36cb7fe088e87d89858e6 |
| SHA512 | afde173fd60255f36f0b653bd44bf56ac19dde3c620aa3486730018acc34088b9a9e782cbad49a728129f4d9e9727d0744b6e56c2761a7b910cb931050368455 |
memory/3008-4335-0x0000000077510000-0x000000007762F000-memory.dmp
memory/3008-4336-0x0000000077630000-0x000000007772A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sAQwAccE.bat
| MD5 | 46f57ca4cae4f36214eeb6e4004ec3e2 |
| SHA1 | 0d797b90c9f70d8bb3706fc516259b21e6e7878e |
| SHA256 | d9621961d1fe72d648e232950287fccd9ba54785da6e00502024175fbc61955e |
| SHA512 | 54e6904e37c8dbc7d00ea8d886a421d09debd4a189adf1d5897ba083dc087df219076f46586f15b273a93d0edb5b41aaae72316311cd7c188fc1c68c3926049c |
C:\Users\Admin\AppData\Local\Temp\OKgwkMwE.bat
| MD5 | b2f71f472fb0d92a55d55d001613eecd |
| SHA1 | fb486fe1ef73a8068b013cdb7ae99f1cf2c46ff9 |
| SHA256 | 269d2dfb5d99c1a6394b70df5236bdc9931b19819607b0d2ba8d604cad69b8a4 |
| SHA512 | 07839c362565d08f78dc1b723582f83f4ac3ac35ec50c80da14ca069bbf119d44db356589057184ce9f89334e40893b3cacd0893f67e52799664372cca1b2075 |
C:\Users\Admin\AppData\Local\Temp\nKAckEME.bat
| MD5 | ae3bc6d3a260c8e753a5f8270194c379 |
| SHA1 | a6c3254268f1adcf58032a7fd05623252d770aaa |
| SHA256 | 6d2e67e1342fa6bbfb754bd780fb5a397c10d55aaf6f13d5c43aea750f5ceed8 |
| SHA512 | b686215a41c37fd10885ba7c15cbb629bbfdf538309e16a02cb94b7f84507608bc2733ac2607ed1a765192dc4cf86d16bf529343924a33bbc2beb5a19ecf020a |
C:\Users\Admin\AppData\Local\Temp\dAoAYgAw.bat
| MD5 | 12e79f7adb3513d3eb25572b29d62a76 |
| SHA1 | 7a91919bdfc75848b30e8087e955f537f261d9cc |
| SHA256 | 6035ba3bfeaf712e57a952e9b61716cfd8ea8b28953ae750ac25fc53eeee88e9 |
| SHA512 | 424cf8ab9c9fd66c55eb6cf47ad7d5ac37866044a0e2cd91df6eba70c11f25b7c605f605a0f4fe644f394282be76cf5446a826b1ba5eeb2203d562c1f5e5e636 |
C:\Users\Admin\AppData\Local\Temp\PMMIMIcA.bat
| MD5 | 4d0cd5cf3158c2d75ac6ebe65eef1053 |
| SHA1 | cd82c60b139757f48d89860e6ed37ed7c215f49f |
| SHA256 | 4143212f8f09858444355a294654c37e16cf24eb1169028d182e6159683903c0 |
| SHA512 | d956d245ea2731d56ec47e9ab73e94f2a99ec716a3207b6deff4de7df1928a4ca8babd7573e967158cb005d672829c7e899ef27a498454a6380921e7523e9790 |
C:\Users\Admin\AppData\Local\Temp\LmAEscMo.bat
| MD5 | 413410ae93bea61989b44a68f277f41d |
| SHA1 | eed9a46607c6c0ce179351ea423062796b20546d |
| SHA256 | 73780fd1a6e8e6e6b0e4fcd3b433c9da20676f6a613e6c08ad6d65019fc49453 |
| SHA512 | 22b656258b2cd69e7e4a7081b4a55d09c232a47d02f48810fca88f578291d0e3610101065fe6a0143e9a398fa35c739b65d97c63a6d9db26dd11a083138f5753 |
C:\Users\Admin\AppData\Local\Temp\gEAYwUEY.bat
| MD5 | 14dfb74241b94dfae826d1b4d169bb97 |
| SHA1 | 6e4f694e21a6cb48d70df3958124142c109be747 |
| SHA256 | 5737b405c65b429b311936939e5a25d67a6ee8255c9bec33e44a67380ddf6c76 |
| SHA512 | 1d685a983c154c82f0ac2a87995586e1387d36ac7cbe1a240622d7256f272dba1176ed3ec99b44727533f6fde72df68856bd79ba475798901d82bce6375ee88a |
C:\Users\Admin\AppData\Local\Temp\YawQEwkA.bat
| MD5 | 9b90562c11da04929fcfe623620bd3fb |
| SHA1 | 7ad7dee4770d7d875e0abff2463356d7e2a2a523 |
| SHA256 | 549761f1c4c1a9083146c8b3dcdee7a42f8fa0f8da9adf38a6c628150cea6893 |
| SHA512 | 4027d28c101620b650f10fa40f3cef833231693fb7735205ee8261543d088a0c4ad2caccb2bd0c842fb137c0156438f8ef09a97b7af2d73fc4b0bc52274f7358 |
C:\Users\Admin\AppData\Local\Temp\QsoEkEAM.bat
| MD5 | 392606be70f4edae903cb3080b544cb0 |
| SHA1 | 43cfe8f4400c0cca91c99db23823d00ad697a956 |
| SHA256 | 3e58db73166624f945882607c8bfcf15b9025d2fe583c62dafa4844e3ecd9f48 |
| SHA512 | d8b365b10b187e75908dc7dbba51ce1cec9183bc26cd04a6d372151a43c3403686ddfff06497f155c5291c0802a6eefc52859aeae09db6aed00f34299855121b |
C:\Users\Admin\AppData\Local\Temp\jAcYwEwE.bat
| MD5 | 5a9eb7efb3dcdc0fbdbbcfffcf2bcd43 |
| SHA1 | 398dc96ffaaaf1cf6edb89c46c945f04d31a863b |
| SHA256 | 7d61225a3e41da226fbc8f49011beccedbc181eab95c2804dd15215f40ad231a |
| SHA512 | 1952b5a36471ad0ab72a25e1927a1e39d9758cd95bfd028e85f1126cbe9e21bac7891c03c4931ad394cf66b2d65f60d6814d7e71a639ac1cdc8cd730a7f7e6ad |
C:\Users\Admin\AppData\Local\Temp\ZogUIAUw.bat
| MD5 | 73b22f6feac4a1884ba64da3baef34c8 |
| SHA1 | 29444eb95112018ce55063961b3d4b5e8f1b059b |
| SHA256 | 9a95a39cb8b6b4ffeaa7b65f3906bf7639f07751dc60ed980cc3fec581ce49c1 |
| SHA512 | ec5d3569dfd67cf945a4cbfb9c0d6851dc0a256ea26114e10c960c0558a814290ad3307dd5d516582237a862d6a486c6a00d875e07e81d6ec725a94c9cbe4b13 |
C:\Users\Admin\AppData\Local\Temp\nmwQgEAQ.bat
| MD5 | 03bc13463dff64645f2529d5fe1d0ff5 |
| SHA1 | 8da7c504a448a58c029097869d6a40770ee8af45 |
| SHA256 | bb2f6f82f3cb52a7d1a5a16bd480a497c6ee1b99bedb471af49e82385e22282e |
| SHA512 | 3f5352ff1387cd777a969e14450e739aa58c7d4d212f5ec239d7e4e693a6e1e2e02a5effb9989b372222d24060081fd0fd839c5eabb885ed801dfc82c621019b |
C:\Users\Admin\AppData\Local\Temp\uIYYAoYg.bat
| MD5 | dc1bfdaf7a3d0b6968803254afd2101e |
| SHA1 | 82ca306db79dc0039b047d47ea262e938c4a3ebe |
| SHA256 | c5d550a2186ba7695febc248749e77a50fa79b8ed71d3a7a94b1f34374bc3de5 |
| SHA512 | 8e069c2c98533fccb25870793679bd634bded1130cc4a73fc43c049204045493714754b911b3e55f09365fcfb450d3c76e9775ff632d9e08744ae0f73e7a8d30 |
C:\Users\Admin\AppData\Local\Temp\UMoIYcko.bat
| MD5 | b9b1cac54a5d80aa403eb60e10145bf8 |
| SHA1 | 544be5386bace712df4e03b42a1c039c0bbae071 |
| SHA256 | 885f286bafe01257a6edf9aa521f5d6d7f1f6950ba0db574d322b6b3fd21cfce |
| SHA512 | b39d529a3d2720631b586f4b38b881350161ed1c5ae3ab4fdcaff2a0ba036337e779fc319e832fc7d1b7c8c2207ed013219209be38d501d47b2da0d9d84b28b0 |
C:\Users\Admin\AppData\Local\Temp\EksgMIcg.bat
| MD5 | ae28f90aa9c873d705c514b7882b5297 |
| SHA1 | dfee5eedc79d98dc294633692649dc1e34aee07c |
| SHA256 | 4915cee6c17b900fb659e3c1a63bb1a46f0a969650d5e9047439e30e57efbc0c |
| SHA512 | 0e73a8936cb27a1f30f82788b32284e5d66ec6bbd918d3b86de856639aa0b4b736703e7a470a0131663efe1a4491d61c0ddc16abfb7b86a61002d4588f4da014 |
C:\Users\Admin\AppData\Local\Temp\puQkYQog.bat
| MD5 | 60de585187f0701c22d7b8049284b5f7 |
| SHA1 | 55620099b1872b23caca6a21718a4f1dddf068df |
| SHA256 | 6cd55139569d571c958e00212f79536cf47fb08dce8e73b8481f0deaa1426c9d |
| SHA512 | b4f2b529698a93d44f4ad103a06f786f3c54f21363e660124683fe43e0a9b7a05be946bb8ed385f9ee09cccd444a5c78d4a54c0a554e24732a5b1a47d3d4bfee |
C:\Users\Admin\AppData\Local\Temp\puQAQEEw.bat
| MD5 | b3d9ebb645e3563a15d6e428aa01471c |
| SHA1 | 8136ce156de0e853c6c8051ce9e268e85b7ff18b |
| SHA256 | c04109348ce9c938484a9339d327d11d9cac1ba44a66bfd959381974f2680277 |
| SHA512 | df960eaab3b978c535794de00d40f68b6860540ede46abf10ebb604ac676c87bb412c9d966cb3541a9071ad35c6c1e50f8eff9804943613b9e7892624239b744 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 02:30
Reported
2024-10-18 02:33
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
133s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (80) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe | N/A |
| N/A | N/A | C:\ProgramData\NcYMskEE\KeQMowMs.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KeQMowMs.exe = "C:\\ProgramData\\NcYMskEE\\KeQMowMs.exe" | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pAQgQQgU.exe = "C:\\Users\\Admin\\fOIgMYgk\\pAQgQQgU.exe" | C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KeQMowMs.exe = "C:\\ProgramData\\NcYMskEE\\KeQMowMs.exe" | C:\ProgramData\NcYMskEE\KeQMowMs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EqIcsAoM.exe = "C:\\Users\\Admin\\sGkYkgcw\\EqIcsAoM.exe" | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lawQAkkM.exe = "C:\\ProgramData\\XOYIggoU\\lawQAkkM.exe" | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pAQgQQgU.exe = "C:\\Users\\Admin\\fOIgMYgk\\pAQgQQgU.exe" | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\sGkYkgcw\EqIcsAoM.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\XOYIggoU\lawQAkkM.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\XOYIggoU\lawQAkkM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe"
C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe
"C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe"
C:\ProgramData\NcYMskEE\KeQMowMs.exe
"C:\ProgramData\NcYMskEE\KeQMowMs.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYYIMAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BekcUcws.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmIoIcQc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQMMoUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YksYAEEY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmIcAswE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyIMQEgY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psskMUYE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWcQgokM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGMQYwIg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYwYIYkE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEIooEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYcMUksc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeAEIokc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSQQAIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYcIUYcI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCUcEAgs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIEkYccs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByIIEEUI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCokEEEo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQYEkkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaQsIwoE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIgQcUAA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAAUUkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYUUkoYw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAYkkooE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMYMgYQs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWYUgkIk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UskkYYkM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQoUoEII.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 25de4b785844f03fda3918e399084898 bOv4goY3W0ai0jLffGy+6g.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQkkYUcI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAEIEwIA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqokcIUA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liwocAcw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REAcgIkM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgcMkQYA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAQswwUs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWscgEEI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaQkQQgw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKYksYkI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BogwgUoA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKoAgEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGUUwMAk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsYEMUAI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIYosYMg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCIMwYMU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiIYAEMY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWoYYgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heQoIswo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEsMEkAc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCUIAsIU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awAsIUoc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuMwEcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiIkcgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LigAYIMk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqYsYwgs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGIUwMws.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYcgwEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQQscccw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEwooooY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSUkIAgA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGkcIAQw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vugUQEgw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYgMAEEA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uygMkkYI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUUcoQAU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOEEUoQo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCoAAsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teMIkIMg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGkwgAEE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMQQcAkA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQcgkEwg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsMsUUgk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCwQUUII.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKMskgQA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqoUgsEY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUYsAwEk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIAEMQYs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQkMQwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIEMgwgw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BucIsckM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwkkkAIw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkwEsAss.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAcsQkMU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coMQYEwc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaQsQUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMEIEAEw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuckEUkw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOkAgAsM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LssIYMMI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgcYEosM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaswMIMM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKIMUsoA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIkswMok.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqAIEUkM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGwQMgoE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XooIMMYs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqEEQUwc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\sGkYkgcw\EqIcsAoM.exe
"C:\Users\Admin\sGkYkgcw\EqIcsAoM.exe"
C:\ProgramData\XOYIggoU\lawQAkkM.exe
"C:\ProgramData\XOYIggoU\lawQAkkM.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5068 -ip 5068
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOIMwwoo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 540 -ip 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 220
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWwQsUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWwYggsw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsgcUEQU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkQsgYUM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCkAAowU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqosEMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.179.238:80 | google.com | tcp |
| GB | 142.250.179.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/560-0-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4228-6-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe
| MD5 | e8671b59931a45aaf27573d8c0233027 |
| SHA1 | b89e67381632befaac806af7ef047499f6b82c11 |
| SHA256 | 31c37366ad0f804444a90cf7f704f110c2230d6b4e79a3fc647fac175a7716ce |
| SHA512 | 219f859cec23ae9b287423ba14cc3063fadf57213a4418cbb691294e247138cd2b70c77830873abd54726e66c2d1257f6d88e0f2f63f9de4c5f5606935417e72 |
C:\ProgramData\NcYMskEE\KeQMowMs.exe
| MD5 | b3b42f97c37fe68e8c04eff1d3885037 |
| SHA1 | 5997adcbc7a05feaeba5cc332dc83d9867ef24b9 |
| SHA256 | b6d0444bee9eb4a35e782b492e3a6659ff3eb7a8d5d4ee3df81e14be96751854 |
| SHA512 | a86db95a7c8e4a414e8ec8a87b47bb752643ccf797c8f1409faacc2a347beea5e9d72b26bdeeb8fb52859d50e8498b6171658ea61f4a5e6d1ae6ea69d0842cc2 |
memory/2396-14-0x0000000000400000-0x0000000000431000-memory.dmp
memory/560-19-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JYYIMAMQ.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
| MD5 | 59be91b17983f2d8de110d2534075292 |
| SHA1 | 184ce4f6b89530f58a9952fffdce4ce254447937 |
| SHA256 | f9b54f0a6c4a21daea6f41263e8df267367f5b491094bea56179a9c3b4ebd65a |
| SHA512 | 6c37049c71557a3bee37a8380912733b009f68844818f3d2586802ad437c82c32ac51f170056add421976b24e0e074ce619d3987195ce693f28eff657c028c74 |
memory/1188-28-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/1428-33-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1188-44-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2384-55-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3256-66-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4260-80-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1236-79-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1236-91-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5096-92-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5096-103-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1528-104-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1528-115-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3788-118-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3788-129-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4176-130-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4176-141-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3908-152-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2760-155-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2760-166-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4208-177-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1028-189-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-201-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1948-205-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1948-213-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2760-214-0x0000000000400000-0x0000000000433000-memory.dmp
C:\ProgramData\NcYMskEE\KeQMowMs.inf
| MD5 | d550859a3d648bd8a5637635c061e620 |
| SHA1 | 62010b48c3bda5fa92b8235a33b650cbf71d7ebb |
| SHA256 | 470f1c5e5ba87d948131125870680f200b0722627c1bddeee7856aec56926a91 |
| SHA512 | 8c326bd5ebf41d252cd558dd650b2afea41d4a47dd628716598ec0e06ec46c4e8a41feb672f35caf74a1b1ea91af2831ebfd92fc471d0dddf6c69febabc18529 |
memory/2760-229-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3536-230-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3536-241-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4724-252-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1964-263-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1940-268-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4040-272-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1940-280-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3724-290-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4528-298-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3184-306-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3292-314-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4960-324-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4172-332-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-341-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1600-340-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2720-349-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2636-359-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4540-367-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4248-368-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4248-376-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5116-386-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4044-394-0x0000000000400000-0x0000000000433000-memory.dmp
memory/208-402-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4456-410-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4172-420-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3172-428-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2348-436-0x0000000000400000-0x0000000000433000-memory.dmp
memory/832-444-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4712-454-0x0000000000400000-0x0000000000433000-memory.dmp
memory/396-455-0x0000000000400000-0x0000000000433000-memory.dmp
memory/396-463-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3860-471-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2020-472-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2020-482-0x0000000000400000-0x0000000000433000-memory.dmp
memory/208-490-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4292-498-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4564-506-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2640-507-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2640-516-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3664-525-0x0000000000400000-0x0000000000433000-memory.dmp
memory/512-533-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3640-541-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4640-551-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1380-559-0x0000000000400000-0x0000000000433000-memory.dmp
memory/440-561-0x0000000000400000-0x0000000000433000-memory.dmp
memory/440-568-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4148-578-0x0000000000400000-0x0000000000433000-memory.dmp
memory/220-586-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1644-594-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2972-604-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2284-605-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2284-613-0x0000000000400000-0x0000000000433000-memory.dmp
memory/336-621-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3188-622-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3188-631-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4176-640-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4420-648-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3624-649-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3624-657-0x0000000000400000-0x0000000000433000-memory.dmp
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
| MD5 | 9955667933e798747af2fcc35b6504eb |
| SHA1 | 22beb84701d936418fd01430cdb821f90611cd0b |
| SHA256 | f2af14e223b98bc58fe9934835995ac3def73b26357adfe994053930175bf36e |
| SHA512 | 42bb8345780a2d01aa83fe3bdfe24ebc11296c4bb899086b56be1a308eb4a3e9a2ecf2351afce6f1a80efaf757a6c20eb9e9b27f27d815517756f0bea3d59ff5 |
memory/3572-681-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4604-682-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iEoo.exe
| MD5 | 065930a7cf8c5cd739c3dd86d05a944f |
| SHA1 | a67fb8950aeae32ade26795c896fc895814465bf |
| SHA256 | 6a33024a14b2b9d007ae2ca15ce16f78f369bb575204d9a03f669506383527bb |
| SHA512 | 62e5cc70f7be49b9f0a6420f117678d66dcde69719357e1fda0500fa97116e952e479c3866e0ceb9b84438d67d08cb40bbdd90355792f5ed71ef7a21e4402e0e |
C:\Users\Admin\AppData\Local\Temp\CwsU.exe
| MD5 | 14234e96d6a779d2a5459eeb9db8f1ec |
| SHA1 | d51782be12fd4f7ff124c6fdd37b2795b7c73655 |
| SHA256 | d212fd6937f6a88f98bce5eaeae6b5a04f9bf60dccbe803e33c76b7f0748dad4 |
| SHA512 | e3e8e2ff24b463e783b36d07f2cbc16bf2f2802d0ecd201d9ce21c6b6c5983a63a983050f873b8da9607d782ff1e8cd8757aaa3dda7c52319ff6c0e4022fe59c |
memory/1496-715-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3572-719-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sEkO.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\ekYg.exe
| MD5 | 681e3683853feff7d06eaae559765c5d |
| SHA1 | 889a2b59e4f920d1ae37380bcd196cea1c79ea1f |
| SHA256 | 2a5dd73d503aff81665dd4f901a165fbbe8b15bbcafd165f23c1ec01729a0736 |
| SHA512 | 07a35e8edfcbd17195ac27cf20f06224aad60adad828022f36b88fb4c8b8b88766e370b3380a5c67cb565e84a05e15f9d2b4ed0348b518f9b90d87c482723568 |
C:\Users\Admin\AppData\Local\Temp\kEoO.exe
| MD5 | db259022841c4ef62acd74269dbbfd4f |
| SHA1 | 63672fde1b61d4ae5f6801808c00fcf803f249ce |
| SHA256 | 583a5fb48fe7fd47c88052817c55e81ad42f46388d2133c91093c5d2d10aa1c1 |
| SHA512 | fa1901609f91fd70881f0bfe9cb075465cf5f574c1b8596253012a0a0efb316b6ed925c1f5497f9e11f32b657e4dacbe26ddedc96171f341c87e545fbacf48a1 |
C:\Users\Admin\AppData\Local\Temp\qIEu.exe
| MD5 | 026e300943aae16966fbd8f255f0ddd6 |
| SHA1 | 1f140486bbd86144dbe1b540ebabee10c1f3ff7e |
| SHA256 | f858517e83e97c59e9a2d230fdedcace4c99ea56ead6a3e61f11a2a76a1af7b0 |
| SHA512 | ff6b20987c05c7bb0c179895fea20c9555e0f2af257da4a46e79ba8fd2f5b3d906a995069c1529bc07f911e969ad1ffab6c3a5093d026d66d96a2cf2ffa542fb |
C:\Users\Admin\AppData\Local\Temp\coIq.exe
| MD5 | 83cab8d892d51481c2f08c68b4330c16 |
| SHA1 | b5d1e700c9579a0e5d58c1ca2f87d3b5b84e75b4 |
| SHA256 | 3712a089bb939b0a4db781c0fce71e0f9f1dc4b76367f639de2a43e2cc509232 |
| SHA512 | 11c144ae8153a15c189fe0f020df458aec1b2cb7bb7ee28563bc6302b3ea4de5678f554e70cfa5d0749e3e9291c8c6a5dcc9022ee0e202cc9eb2c1f68f834639 |
memory/1496-782-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ekoq.exe
| MD5 | 9040b41d8cdc8fe62d3f9d89957fe4a7 |
| SHA1 | 7a0501b31a42ba9bded12ff42dd0a8b443df4eed |
| SHA256 | 071f2ec4890e4e4d46ee32f76cd41a31e8e4b1dfa5b71bb119d746796f0e5276 |
| SHA512 | cf605a37a5a8dea41e86e2ea58b2be1baae268267ec3bbf4ef206a1a55113a63fdbcf14c186dfffd6baf64af7f9fb4701f585e3ed39a50b7a7b4107258ed6371 |
C:\Users\Admin\AppData\Local\Temp\EEsA.exe
| MD5 | 547d998bb6c42c5a5ef5d2573d63e1c8 |
| SHA1 | 4f317bba70d51e98ed051d6d1e728fe0521cbc91 |
| SHA256 | 1623af7a0f43c9ba43b5609b0c9886bc7a833d76d6edc4cc01fbb791a042a98a |
| SHA512 | fd40e08d94e55afa82f35e006d2712adc2b971fc2d1ae8cb0c83f0d3d352c90a859c1706dba1bf730966d89221676b6d92ca1bc97bf965dd1b1d92b86145e755 |
C:\Users\Admin\AppData\Local\Temp\Oswg.exe
| MD5 | 7a0f75db68ef54ac764ed3fbc5662d4b |
| SHA1 | 837164112c7b8b82284dd18a91f1d5fe12367b7a |
| SHA256 | b3ab99af8afe7fe4ada17ae296e1e26fa2d157504d4a39ce17f9d30463d3f72c |
| SHA512 | 411696fa976e4a44a16f3a2b46dca989f023f4215e94aea0258c18eb05dedb6a5bcdd9acc0314fb105247cf52c0764cf71b26cfa615c76b067155cfa2db1a318 |
memory/2520-834-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Skki.exe
| MD5 | 14618c40a708abd05d783457cff9ace6 |
| SHA1 | 2d0ba4de43fe5559cdda2fc794e437cba2df7f21 |
| SHA256 | 7c6e0bd7c004c5bb283427de520941496dcaa351e93c0cad7a5be5e0c9d740ce |
| SHA512 | 05b49960fced728e781ab4f5ccf16faa0cb5112978bfa2ffbe570f7a597b9437d6ecf99366f6243f9f4042fcd96e23a1c01f1ed875320a1338297c08e1084571 |
C:\Users\Admin\AppData\Local\Temp\AQcq.exe
| MD5 | 453eefa33c430db087d6a9e58be24cdf |
| SHA1 | db08507909c73aec1dcfa0ec47448922513a5c63 |
| SHA256 | d1224b2b4974c47cb4e83f390b8885375b23631745b66b27e968a74f30e49e46 |
| SHA512 | 8d5341d8b56b15be97e0097d432f10cc40110c49ea56d69748b6848003c310155736aa5fed7bbd5a02485c76bb2dfd6839f0847cf771b3fa7a5d4d53a9e27cb2 |
C:\Users\Admin\AppData\Local\Temp\WUYo.exe
| MD5 | 649a3771f0ca92f479dd6eff2873c8bc |
| SHA1 | 6831d2837893030662c7103007f17a39f25226a6 |
| SHA256 | 5b716b9302df0783f76024b01308231232a802697a64023c85c345100f0fc56b |
| SHA512 | 7a78cf0aa1afbd63956ebf8b38e01c8c5f53cdb962ee362dd0e7a5a50a9403a6c37d3e58584dff04ebd604742847e6096f421160133068be080245ae45e1cca6 |
memory/4172-884-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IkMO.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\ugYc.exe
| MD5 | fd3eabb9b4dc3488cd38868fd0c2ad1a |
| SHA1 | 9e60b4e94bdc2f041743dfd2bf2395e1d6486352 |
| SHA256 | a4fdd007e6f09f5742f7def61b5cdf43277e4ed8e0e3bc356c9638f2cd582113 |
| SHA512 | 144cdd45cd521b532214a63bbe8d66df6c437eef8c3026cc919007eaa29801c7cf6acaebbce51e6af60a4f596122156038cfc3283b23be2d64fbe7eeb5b59866 |
C:\Users\Admin\AppData\Local\Temp\isIk.exe
| MD5 | f7526f545a245e0e8bb10eaa77a56601 |
| SHA1 | adeff66e0b01c5b51c22bc2cf1db1f21dabaa726 |
| SHA256 | 7574a31e5c65f6223041b74d400b4c9ebb43e17eeba9703e4b91dddf22c3d43f |
| SHA512 | 98652f51b3deed1f2f9348cc5ce2fe907191b66d3191f3f2cb22e6675eb7ca5e7032979a5875642cf88ad2307a6f71010e446b4b9e0b2aa1b2ef43c4d3323988 |
C:\Users\Admin\AppData\Local\Temp\WUYK.exe
| MD5 | 5add5a60ec4546749d0d75dc480af017 |
| SHA1 | 3b10fde7b31d9c9baef5623f361b3232056949ae |
| SHA256 | 1bb06ed2fd9665317b76c91d65ae5dbc93df48342a5efdb8eeb0fa09fe982685 |
| SHA512 | 713e44d740b504156bd7b3064f413288379f6dd10b7dc0dcadfaa983d86091646441e18317a105621a4c59b2418218c5fc14e45ceabf299a144831bf35b51e74 |
C:\Users\Admin\AppData\Local\Temp\gcso.exe
| MD5 | 8b77229c873568cf0ff389b89e29a362 |
| SHA1 | c28dd8cd71dadc799ad6d1c2cd4684d137a89c26 |
| SHA256 | e9f28e9405fc1dd7202015ba1a705aa1454f36921f797b22853f193298d23ec8 |
| SHA512 | 011370827747175438e9e2f8800a1544c8dee628e7bb80f1a68c23941d1dadf84f91025166d42eea8ac724c3915d8b849e0605758d9d103920f76fe83fcac02f |
C:\Users\Admin\AppData\Local\Temp\AoYM.exe
| MD5 | e3d67ab57446e68e5b932dd9f8feae58 |
| SHA1 | 43d3e0a8ff327532e7b3d92b94c960674f27dda9 |
| SHA256 | 9c37f37acc3f4c741e89c498cdba849ad77e10bd196b0d0c4637806b7c617a77 |
| SHA512 | 7c9e4e963f0c9453675bf8749110b2300766ff7998b1e988ca73d105bab8896558507f14f2e27218718f7eefa5d3fcd828ba1d0352b26c466016b4a483826dfe |
C:\Users\Admin\AppData\Local\Temp\igwY.exe
| MD5 | 61de332645fa6960aba1046a1ac1d928 |
| SHA1 | f73ae6293a25e6a5c194de40b41578981da135da |
| SHA256 | 601813981622d7c1989e673b18e31ae3472d56af331587f2f3460c664668106c |
| SHA512 | 35a863a9f648454f1b8cd8b1068a47c45456bd0c5e3dfc37be5a1c95c83aee96ac17d05ddcb6f3f5ba40aef94e7bd90c912d7e07d74eb9da16a48986c5c9d142 |
C:\Users\Admin\AppData\Local\Temp\gEIy.exe
| MD5 | dc7f22de3fb639c1893ad4461dc098b7 |
| SHA1 | c6fff42fbac2da8149b11f30dd7a2b3af7f4a149 |
| SHA256 | 7ed1b8f77235758624510b8285f1f4f51855ef372d8687fc34fbbfc7c768b5d0 |
| SHA512 | b23aaa15cfe32183e27959fd6215cd067e44a3879a649e7a0a67ead68c0b278c79d0ec787a3f27e6d4f59959374d3ab27defeb4b60f8153e4aa6f2d48756ee0a |
C:\Users\Admin\AppData\Local\Temp\IkoM.exe
| MD5 | 6eeca4347203d76683100ac88a2128ad |
| SHA1 | da24864b44449b007e183ca2f73304d2eed19268 |
| SHA256 | 3df85afcb323030e9477f14420e4862547f0e94c08a5e2c32c42ecfe148f80d0 |
| SHA512 | c7550fb1ac9949cafb07ec00b4e7b9c64035b8882f8c35dbc600ceea8c814acb47e43573405c3263fe35306535686c6160de4a08bb105d9a4bb2c86fb89c3e02 |
C:\Users\Admin\AppData\Local\Temp\cgwA.exe
| MD5 | 494f3055de1142d10413ca33efa1aabc |
| SHA1 | bb8f29f908c3de34867a913669af5843746fbc47 |
| SHA256 | 4aeade84a165a1bf388daabf5164f699995555761c3330652dfd74de64a86854 |
| SHA512 | ca8dedbf5935ab7038422f5f0661b735cfae65ccf3562b6c27960494369c1195b52e3b8beb939dd8c50ee9cdf714acbd0136270e62aa9a0ee4df79fea2e0ff4d |
C:\Users\Admin\AppData\Local\Temp\OYQa.exe
| MD5 | 6b29ea1d02d1358073f904a85e2039fe |
| SHA1 | 07288c6dd39f5a008d1b26cc679e148b386d4df9 |
| SHA256 | c8c941e41161b1b0dadcf2e0f3b8e4d5233c7e22b31754f3a58b49100d4a552c |
| SHA512 | f33aff877c30578e468e30260445c911de69d2be9e76f278c35ca9ed6bdd995414c65a997074e2428af26ec439f8d573fd579e412d6fddb21822f34be886e539 |
C:\Users\Admin\AppData\Local\Temp\iMEa.exe
| MD5 | 563abd70f3979694bd3706c6b2cd524f |
| SHA1 | 74f46a1fd005a4844e4c7f779e4b80d2ad5a6c37 |
| SHA256 | 3a459510710f13aa8727b843844c909a7c7e68d183fbc27576c4a360811befd9 |
| SHA512 | c12b40546bb2d0c9d957e75252d07e72d2daf5adecdf509a7427bb8d5f9458475889e3167e7891285e31ef7bb3d2fbeb7c64d81af6e3d1aadd03186208a2a219 |
C:\Users\Admin\AppData\Local\Temp\EocO.exe
| MD5 | 1bfbe13dbb7107c6b57d6e9c3d55e66c |
| SHA1 | b91624376cdb59b067fb49444d7925c578937006 |
| SHA256 | 9fda914107272859c6b6c98e1eddc3ea04426360042d5cb25b5890f8268c773e |
| SHA512 | 510569142adb19edfa5ea7c6ddf0ba6a48e245c4085082c19e98a69ff25c7a252e053767c7b9acdd748402f0752943546a5182673d1379e155e66b7f1c83247e |
C:\Users\Admin\AppData\Local\Temp\gIoE.exe
| MD5 | b99db219ede67bc3507ef1b11f8bdcab |
| SHA1 | b35af2c45e52ef7c4e71a40d5aff4436c7aa3e43 |
| SHA256 | e779e950ba1b34b6fe83877f3bc5815713fc1b7b94a05ad4e1365f5db7181e34 |
| SHA512 | 508b412dd505a6c05b99f4fa554449ecc012699e27fcbd8884739bc910a062372184235f663da5da0ad50fe28654df8fd1bf5fc351b886fac58849c436c13fbd |
C:\Users\Admin\AppData\Local\Temp\Ccsy.exe
| MD5 | 01af251f96d2e316b7c2378202eebdf2 |
| SHA1 | d8795a490d5c7ad95d3aaa21e229c426a06604e5 |
| SHA256 | 4537b151707039681a180b9f2af5c43e0590866e112213d95c74551d22d24fc8 |
| SHA512 | c5fe737bc24244dffa810623fe086c3a8f9a0fe235cbc42d4df65b3890b78fa2beda91d1a81ad7cad6f4800e404f20ef6ee3e43059416871ca080386cf490c2e |
C:\Users\Admin\AppData\Local\Temp\oUgs.exe
| MD5 | 63ac6ebe3d1a40d67da1293bfd5b807f |
| SHA1 | 4aa7354d6e073c7123a34b72ad4df37bae90f35e |
| SHA256 | 0501665f6f81219f9c7a612e420e5006af952f90770bc843c7eb9b0c09a8d01d |
| SHA512 | 296f78b63a47b8001b8de23e70d8a551e5063ea86b4103659ad176aecda89018c61fc193dd13af21542ef9794422c67cb0e8a7cc646564cc246f8df882573a9a |
C:\Users\Admin\AppData\Local\Temp\mIUi.exe
| MD5 | b6234379ddb54c9cf5dbd222d7654814 |
| SHA1 | ba492d4706dba8e04ca29c447dc1d9aaf717fc76 |
| SHA256 | 2504bab1713683aaaf6510bd8adc67f1a2b10e54640875efe438078b7157b885 |
| SHA512 | 4656ce88e5dce040b66fa91f49ac1724e5f93a74988f535c7153e39b2ebbd5fd6dcc1409cc1458b30964cea46e357d741c2b494e628419c46b133895e6b2f6e1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe
| MD5 | 0742ab1c6943fcc074535985ffd2f662 |
| SHA1 | dc511ca477ad2d6db1f32d27947260cb1c33dd63 |
| SHA256 | d1639726cfe77264d5bdedcb7e8498e88ea212ac39084d72a36129c0f91da81f |
| SHA512 | 0354ad8048177bacd5d5430dfe3602ef3d9258d0fd337cb99a124625456c21c41a612c710f0b8ce1689c46174a635d80ab40929c8b66ec8d3af1e56e1a2e4d13 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe
| MD5 | 04ab38dadfa1467caf1f364b1228e2da |
| SHA1 | 0323a2b3905f07ab137f4a9992938f885ee8d8e4 |
| SHA256 | 73cc3cb02aadf962e3942351762d6f7e352b48bd353495833bf8d6e4392ce3e6 |
| SHA512 | 9f25aa779b582966040ad6cac279a5dec38bf4c9c7ccbceebf1a62d1302574d07ef80240b360f876e79301849735f1172c0dd4570ad498ae373831445645beee |
C:\Users\Admin\AppData\Local\Temp\UMUs.exe
| MD5 | 4057ed871472a3c0b8b0bc51b6943620 |
| SHA1 | 0c55fa8099646a2beb289b506530f10af44fb507 |
| SHA256 | 4d5276d28ed7b584666bc13032bdffd54259156da02fbd604b0194330bb31f02 |
| SHA512 | 7672742cb585a6bb4ca18dafcd93cc21008055a6c92af1949c6be872ffd314062fca22145bf088b42c7bcefd30446857e9f8914c9dbcbe659d6e03b699d0d5c8 |
C:\Users\Admin\AppData\Local\Temp\UEMk.exe
| MD5 | 401c3aaa487fcc6c45448bed6ff6c461 |
| SHA1 | a2391cbfa59eb3bb430c5dab6cd7402cc05cca70 |
| SHA256 | 263d19e25d921346bc9ec4950e446e3bd425b099fde201c0ac27fb91ff046255 |
| SHA512 | fdd0477f795ee5538181a35ffaa55062ada73ee7593a740cb079eed07c362377dd4e4b40312ee0122f4ed644c3100b31c824cc04d1402f2fd458054507e1af0d |
C:\Users\Admin\AppData\Local\Temp\UIMI.exe
| MD5 | 00ed73f09512cd738f6b289ba3d53b8c |
| SHA1 | 22e78b2da8b0fd68360707ac7a0c347ca0d14cc3 |
| SHA256 | f141483612b55349ed6ab12948cb7093437798937db2f0e699ec4299142c8971 |
| SHA512 | 47b9fe302caf53d270981da7b25c11cac3f3ff180b41656ff8e724a2ae8d6823beb818eab50b76df1bff6d797d7797b76af92457b19ba49f9e5179574e551058 |
C:\Users\Admin\AppData\Local\Temp\eswY.exe
| MD5 | aeaebe8b6e811154b46f240e2d13a70b |
| SHA1 | c76b9e0d46027a10fc4a593c2b351acee5dc4ad0 |
| SHA256 | b5f3a1d277717e2e52bcba68fcfbebb6748a275dd428f8371cfb76c8e47c097c |
| SHA512 | 6957523ed7d99738a4563049393591f19cc17023daf47fb44f86fefa4dd277e6326fe7cccb05c28972443c82fa9905704b2d4416d70861b7fa0aec0c0eecacb2 |
C:\Users\Admin\AppData\Local\Temp\IEEY.exe
| MD5 | 1f4478a6e13bc3b0b551dd5a18d93562 |
| SHA1 | b92394f3f16a360d4f1caa3c0469bca439c46201 |
| SHA256 | aea9e76cb65afae8253b6b53ab0a2320ae3196b2e6458e9a16edaf75095bece3 |
| SHA512 | 0ababa406f53cef7e1602457f87ab7407e41f77ef127ef40b278958d1ea7ea23a8c00b10a65fae854f307d2156fabdb460a75f98d9c00380e59992ed17169a6e |
C:\Users\Admin\AppData\Local\Temp\qMYU.exe
| MD5 | b957e2fbe2eb03e5dd4eb51d125f2bd8 |
| SHA1 | 2ab593a3e21e9c374db9435d23780ac004888f4c |
| SHA256 | 65a9ede774410ddff239420d72582e305d97f46f55fab7eba6adaf184b682d30 |
| SHA512 | e42df4ef4e6c8f82323cb2eb0e84f9161e57e1839a4a6e164c869cd5a836bb9e235743965fe477dda1950e7c998098b044ed0376c761010ba31dd7985b74965d |
C:\Users\Admin\AppData\Local\Temp\UIwS.exe
| MD5 | 48aee9f006946d06779f9c65ab43b681 |
| SHA1 | 6f63a1289698243a7f77dad654cbe6ea80f99e18 |
| SHA256 | f93fe507b957478951318a133c2a8790125d87d5db7a2b2c6879676718f7a135 |
| SHA512 | 522cdb1e4a52efa54e58ae5b3b991aab7fe87f6bcfe46adc77727c2b5fe4f8f658abea656d5a7b502959757c71f9886ba6d63a1c310104c6d7ee77e934366318 |
C:\Users\Admin\AppData\Local\Temp\KkQK.exe
| MD5 | c9dcd87e0bc7338e0411b086fb907345 |
| SHA1 | 1fb9bf0d6c0dbb59380b2ed82144601581ca1590 |
| SHA256 | b2440d5c82b05789480103884b8537d0ff717b64c193f01e97dfb4e78a6b72f0 |
| SHA512 | 163f3a5a868e834bd2f57e175fa6c65e26404babbea67282743ceae54c916c8151b3a1f8dcce87c19b365d3a61f4e5dff7ce7d1aad8a84cafe4911ae060e2558 |
C:\Users\Admin\AppData\Local\Temp\UIUQ.exe
| MD5 | 21902bfe197942a9fa0825e37cb9da39 |
| SHA1 | 4966addbf2570d55a05a09e39cac7322138f6874 |
| SHA256 | c936f54bb3028f637cfafdc64dbce843855fdc8381b8bd872591f512d6829c83 |
| SHA512 | 1ebc4e552c11c82ef497b2cff8e4d8959d9b3edcaa960e254ee0dd04f11cbab9fa98f82000cca1489fbff44ccee7b658c1117172034b76a0097fb52d99d8fffe |
C:\Users\Admin\AppData\Local\Temp\qswk.exe
| MD5 | 1b188323b152e2e6830a06837ba5a2b3 |
| SHA1 | 90549b5a20026270a21d551242ebcaec9b9e6a67 |
| SHA256 | c3e1243f1db176c2286f96d28bf77d24870dd421c6babc4a713698cb5bdd0a79 |
| SHA512 | 04cc70e0ec2275446401f30e82bdd68f2be54e63bdb872b216e654351280ef12a8b654094ea2cb09d53be6e8861ae3e369fd3e15b63a5ff4b996ce9607100940 |
C:\Users\Admin\AppData\Local\Temp\GUQy.exe
| MD5 | 24a34d44ee24168b7eab2f13a45c8125 |
| SHA1 | 90405b71ca684f21ed10467a6fcd68eba9ed66ca |
| SHA256 | 18400687fc1c1276f8fcbb92adb6dbdfc2da7ca232984995f93ad41f155d6254 |
| SHA512 | 75a0d82353f43a1162b634c0949fa635f1f37974a6ff802b5a15b3523cd571a3e3fc276ff9694b1f41a143fea870163a3a0d27f435eaf4bf83d22e3f739b70af |
C:\Users\Admin\AppData\Local\Temp\ycEU.exe
| MD5 | 02f1f989ee8e8ad082140240edf7affe |
| SHA1 | d79d775ca22fa0f686b89275296f5f3dd4c68dfa |
| SHA256 | f16b76e70fe9d77a3e55b60d35d90f9ca61d8d4d0d641683a1acb1ad93bf651c |
| SHA512 | 92c70d3c3cd19118575cc09c6e3ee4a889e2968687328ab0af5acbb42e2665dfb052eb0f21d7889e93483895aa647f81d77625cb89bdf31f1a09da68ff6cf39d |
C:\Users\Admin\AppData\Local\Temp\ukwE.exe
| MD5 | 73dd9349677d14873df0d37816b0b07f |
| SHA1 | 93d786762bfc34d61e16a32d0398784e6de0b731 |
| SHA256 | 134385916575b3a8ebe93c76341c86f4e99c5b39e4f3107170ec0ba6975f45ca |
| SHA512 | 6c56c8846268fc72fd73560fcd802e03b139c892df412c849de0bf56dd8a0d8bf673205dd27d4c11b8dd3eee05d82117dd48d1f2a12c03279169ae104c9b284d |
C:\Users\Admin\AppData\Local\Temp\KUow.exe
| MD5 | d71ddb695c88d9fe4b7eece17c40ad58 |
| SHA1 | cdf4cfb0fa7fd1c88f56bb1a473eac524daa71f8 |
| SHA256 | d59fb52eda27a600079b2c2891724078f03f61433c664a9f0a2ae8cdb72729aa |
| SHA512 | 759ed4d8bafec25b85eba5d7e4cf44f1c15291b6c1f031802537d32b281ba65f30e78ce74f526edb31f7deb67ceda471c1a7ffe544ad0e7d9503bc5f071a3acd |
C:\Users\Admin\AppData\Local\Temp\MAEg.exe
| MD5 | 05796176cf24237b434875ee5e44ca0a |
| SHA1 | b046797b30f45a160b88078ab8eee9a17199d77e |
| SHA256 | 84597697d7e5a860620544226506e12dbfb614f94cd85192e5d131a5417b554d |
| SHA512 | 66c865ecefd6b2593756b214e21cfb7465493c72a3bec0aa1de1e3c3c583850341fa41ebd056d1b150802f8ef04c086dfb8f31e0ba414af7c541e782f5814ab0 |
C:\Users\Admin\AppData\Local\Temp\qgYO.exe
| MD5 | 0f905b150fc267682af3d4d21b1c2ab4 |
| SHA1 | bca931869d62a7ec525278693b26e88bf594420b |
| SHA256 | cd47e034e5b479f05a7c27cea275c6b998915b42268921725412406636f53172 |
| SHA512 | ff6e3429744896aca23eea5b3f6c5ed0f50899ae44448aef41a9dcdb1fadf1a00359799726772410de2338f50f3e782b1f9ef86331ce586502dd3f34e72d87d6 |
C:\Users\Admin\AppData\Local\Temp\ucQO.exe
| MD5 | 07cc69acd35f744c612d1fae1953de36 |
| SHA1 | d39e155d746a3b200af62537ec7383c4919a3012 |
| SHA256 | 1c7820abf2cfee3f6230a037f6fd3dfabfb2d8d1278c00e7edb18b4854effb22 |
| SHA512 | 4d29b7c9712a99d0b94f7c96b2e84ab3d29938c264450c4d01a75685b712af46ed6f3337c07bed001c9c617da7a70a38cd3417b0a262a37ae703dde584f299f1 |
C:\Users\Admin\AppData\Local\Temp\AoQu.exe
| MD5 | 97ab133ebfce7530537fef5e702efa24 |
| SHA1 | 67a36a27402e7ab0e5b65a4780343d91ba9e1b81 |
| SHA256 | fcc5793e322018f14adbdb6c40e893ba5aaf00e2160a02957a68ebe6c54cbaec |
| SHA512 | ca81cb5dde9bdbe38b8aaaddd73fe61af2aa2f59e5ec256525c5963efede921736822bd2335be2505268b9a03a09fa5bf62b4a3be27d78028b70b730970f0d3a |
C:\Users\Admin\AppData\Local\Temp\MoYy.exe
| MD5 | 3762b48af981a1a81401c6c00237326a |
| SHA1 | 9ecbf1778562cb2d2a5f93f690537e6aa244a58a |
| SHA256 | 26cf12f013abf31fae6bd0ddbc53f731efc4edc0d879042ae3c04eb1f0e224aa |
| SHA512 | bccbfc803086d806cca5dd2e1f0b049897924f6eb740161680f3fe59b80ccc3ad3b3aebabc5eb859e5392e6283a9ce6efd7b596584bccd1e43b5e94bdcefa2f1 |
C:\Users\Admin\AppData\Local\Temp\QoMo.exe
| MD5 | 9b6426345e0c207db8221000a3297843 |
| SHA1 | c8e6e8922ef3581b4228aeabb09d6fafcf835733 |
| SHA256 | 0a044b1a38a4ff3f38b385e8dfa37c71dc7fad3add6ae97b27b81c2a8aa288b8 |
| SHA512 | 971d361625a821453e2c35d9a725ac06b66c5af6d4bff7b32b08b79f6be2e2974fa8f048eaba6644d237289e1fd28f831379bc2d5ebd2c71397ceedbda30e31d |
C:\Users\Admin\AppData\Local\Temp\OsMo.exe
| MD5 | 3a09e036765f5a12d0b2e625091e11c0 |
| SHA1 | 85dbf14ff06dfa193d5a61773289ea1a3382f62c |
| SHA256 | fb838cc211ea8b54dd08906cc924898b63cf8cb29f299b0810313a38511539b0 |
| SHA512 | 80c986859e83c7eb8e656ad8095d4a47053c4d9e805838144e6a5a62b66d7dca3f83a822eb6a4dcf1be4e1429f879d921fe43309547ab1c44b19b2096e9f9f31 |
C:\Users\Admin\AppData\Local\Temp\QQMe.exe
| MD5 | cbc35c8307eda8916c2001087ec7e158 |
| SHA1 | 9f5783ff8b39f25b1f214c257a835ccda1545244 |
| SHA256 | f821f4a842ac74f93bdcebb1ea848e780055b6b5c7c7db5c2243ac399c545310 |
| SHA512 | 658e797269f49c10ded3b09d6b9bd3675cdfeaaec21c8a360c656137accb4fa1ba5c77eb00d6890f578a9aac045eae3812559851fb05515aeb5743daf2cd970a |
C:\Users\Admin\AppData\Local\Temp\GcgO.exe
| MD5 | a5e60f48466cadc8fcd1b4275245b514 |
| SHA1 | 576fa715957d4060dd6dcd8b75a7f0101da6de96 |
| SHA256 | b756ccdec9d9701cf73e7821503e3389335427d56b5c035e14cc80c0814c109c |
| SHA512 | 22cbb31705faac10c8aa256977a0c65f355404a009da8021985c449a29d9897460c68879918e1739641e8a4298089dc6bea3104cf987dfedf427bfabb6c06353 |
C:\Users\Admin\AppData\Local\Temp\ygYY.exe
| MD5 | b1f5c4b4841fdfda35628b6932f158dd |
| SHA1 | c3b59218ef448174c990052fe91b9fc04301d7cb |
| SHA256 | fb1e96683a701d487dc65df90b69b665277893c6b68d820f938cf1e4e957f090 |
| SHA512 | 0d8284b5a0d7e1ff7072bfb7bb271dd1e126aaecfa690cd4beb06292a4b1f5cdb35407452e3d82a5780663d35382b300e0344a847d699b4102f7cea5ba389d0f |
C:\Users\Admin\AppData\Local\Temp\moIc.exe
| MD5 | 9e1045ca2579e5d9fd815b14ac88e050 |
| SHA1 | ff4a866bfb1a82a9122e2d8b72b1a1cc0ac159be |
| SHA256 | 05d053e861a3ddea788d546600a48991cb4f347dc9986aebe7c7f56f7e7a4b9d |
| SHA512 | e84b7cbc2f84cf0acce952c879ad9063e2031accba191c22af8d3d0b5d1c053c556d39ed92eace6efdeb1cd176ad79da44aa7329a1704d67b62520c7a05e9c27 |
C:\Users\Admin\AppData\Local\Temp\QUkw.exe
| MD5 | f7f6a421186c3207a9d6740a869c85dd |
| SHA1 | 58cd921b1d9df3b291ff5b7a3769b88ae0536e70 |
| SHA256 | f6192305cc920ab281abb4912a6b2d23cddf5e2b64eb5bcc3708cbb8d83b86cc |
| SHA512 | aa73a7b9d3b962d0d91f9b1e89cb1603cb755bd3e5eeb9709733fdbf4301434d7c2de5fe7f2d891601044d4aad32dd4f2ff9835280e1e775730ccd2df773eb06 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe
| MD5 | 69f514034c3f34164752980196e639cb |
| SHA1 | d4e76f18ce54db3e5a88b7932ac1b4edd93ddf4d |
| SHA256 | b270b0cc4c6e3d89151ba4857a394bd91d97794a5b1e13b301535bd4ecb3562d |
| SHA512 | a196b698d01546cc8c0dd61295dd68067cc1d426fb6a76ed5b77f1e99945f927259a4fb659979e417db0944c296dc9532ecc928fab5c4c6b2e9c02e68039b236 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe
| MD5 | 6c20ddac8cb367819e35fe1c74082e7f |
| SHA1 | 183db1ce2143d4007469f236f6abf767d26bcff7 |
| SHA256 | 8b1a474bbc2e16995ae61cfe7160cdc8c9b1f2773dd9164bdc3c3fe0de79e61e |
| SHA512 | cf5c0ed350fd75635f8729ad167ad0094ecfd3a9f5c191b2a24b17e2558fcf4459c279da6728e05061c2e94582a9a894a205c850439b81acf477751cef9daced |
C:\Users\Admin\AppData\Local\Temp\aMAy.exe
| MD5 | e5ac02240f28db4a1e57dff23aeb9e98 |
| SHA1 | eae5f2b3bd45ffcfdf859275244ec5dbbed3a8b3 |
| SHA256 | 75686bf46dc0b0e8d08998a252e5b3619300f6fe271c4b298785d03e73d5e572 |
| SHA512 | e3493d9cf81c616b544fe868675947ca67d3b7a91ba6b943eb7fd41ffbc7617cf3a1021ec5488db746092bb3e6338375cbe204f65827a24eefbf0263e79b6220 |
C:\Users\Admin\AppData\Local\Temp\cAMC.exe
| MD5 | 9b21122710c710c7d33f8381819e8020 |
| SHA1 | 720c42d711c1549386cee59bee16196b01a1fcf8 |
| SHA256 | 71cf32530de5bdaf1942bd02327fd542b1f9a7776377c4c95d40c21c661c54cb |
| SHA512 | 0c5f1359396925a3ef95e55fb35d0cebc7cdbe45e514a3e9e065ebb484107ecbcc74a50d21d4af3dc3c0445aa292045971acf0ed797422cb1d54fbd74060e96f |
C:\Users\Admin\AppData\Local\Temp\wAow.exe
| MD5 | 36ae05a3f0721d42ce55cba9359de92a |
| SHA1 | 493583aceb4a4ca967039dc6d215cb2d9aedb10f |
| SHA256 | b7ace65299a18890cd350b24f20fa343ef267509af0157378ee54711301eeb32 |
| SHA512 | 81b103e345057fa67653becc05d01c7267d99f1e57edcfb7c142546e015a8babced3f4a1bf20ea5694aa477578d4d87cedc65b67f80b2af72c8a1516bed968f2 |
C:\Users\Admin\AppData\Local\Temp\msYo.exe
| MD5 | 4b0882d2f1533aa73ba9084d35e3d3ff |
| SHA1 | d08b7f4501aea99e71ad4208dfe9f4a94ce5145f |
| SHA256 | ebda289c099ffb29b9e520f520a08d282a39279d3c7513003abdf29c8f46c42a |
| SHA512 | 1aff3eb2b0c861d074fd0b7667a914179da1a716b457c2bdcff8a20a936b35212d9d13a3768c7c6c24199b4aad881adfcd4ce5983b5e2395c922dced4f58c2e2 |
C:\Users\Admin\AppData\Local\Temp\gMIA.exe
| MD5 | 653f7d726d057ad2764a2a9ea9e99287 |
| SHA1 | 77c72356c024a5346df052a8dc737dc6051482d5 |
| SHA256 | 1c67e2e887e05d01c57cbb8b57e1af768fa15818265dd3dbf062614d9ad2a0d2 |
| SHA512 | 73e09e4c6981b439ab16b7e70e72a16654593db4234463f93889a09796627cd4578b70c077f5dc16aab5dc401e4dd3aee4c9789f8bc1909cd5aedfef175a2a8f |
C:\Users\Admin\AppData\Local\Temp\mkYm.exe
| MD5 | 274dc56da6b626e1e8931d4ab3725719 |
| SHA1 | 7ac2d9daf1f0738e7f0dab970459aa8d18d2de98 |
| SHA256 | 263fc37c67fc2ee514849c96c86f7453f7320fbc27004bad583051a11cf4685a |
| SHA512 | 98aac6a54d07d1a29e0dd32721d6680325806a7d90f349fabc2e7b4e8f9262c59ce49c3f08eec9d759393d61fd5fcca495e5f8f8e94c605d9de18ff011c44c05 |
C:\Users\Admin\AppData\Local\Temp\woMY.exe
| MD5 | a80b6ff40fd6a3f79cf6ab4399a4d4d2 |
| SHA1 | c61816b841fc06eea8abfab9a608fa4665390c8b |
| SHA256 | f11372979ef5e2367471116fb7cb102e2a2d123505e582655acfcf5d1604c7a0 |
| SHA512 | 452bd01c366b47d6633dd3068146cf2d91326b412c74d0218d831dfb953f1bce497f3825624253bb19c32bbb1130572cf6d75dc50c00a8820351cdfef9314e9a |
C:\Users\Admin\AppData\Local\Temp\YAwO.exe
| MD5 | 751243c16cc5fbc7685663a727df4e07 |
| SHA1 | 01fcaf9eee574624b0dacadcf2995c43323e7e2c |
| SHA256 | 895e413d3d30c9b9bc5f77e023121e16091e02fd0b7ddcca4967698576b60f9a |
| SHA512 | 075a98c6cceb4806bdad946154e1c619850c7f0688b509382419adeeda1d1277f3b6641bba4aa4e6c92f312e5c14e54c4ec21d98003ec1aaec7b9de1babd5cf4 |
C:\Users\Admin\AppData\Local\Temp\qAcs.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\mMEO.exe
| MD5 | 94eb64168f3b5a1396b6a13f40dc0a53 |
| SHA1 | 42742abd451a58ae57b9b9c1e50461968eecfd1c |
| SHA256 | 1422d2ba08981b5f9c7a370c8e6370e4d6d892bf4348c68247c70c519f6bc26d |
| SHA512 | d13165410480647a45fb548bcd2872ebe5e8673ee59c8ba2a46dbb0d8d8f29a7d4542746026c4a2d9cdcb1179099bbb3afceb62d6af85a1d634c7e2dd770d695 |
C:\Users\Admin\AppData\Local\Temp\ycQe.exe
| MD5 | 75812fe3b4cbf54646bb2d93c5bb1608 |
| SHA1 | 0d6dc377b13ab3af8375ae2010d40a64ed2119c3 |
| SHA256 | 567e37d4a320b65d5fb2f3d3fd8bbc0ab4eec04648898169edc035034a5c6210 |
| SHA512 | b9c62a14362a17589e27440134acf85d4ddbb5f37cf640f8afceb17e31f72a5ae2faff7fc28e9e27925a366b2a6ddb6f17eb38bba8ea14ca9047a0196cf6e25a |
C:\Users\Admin\AppData\Local\Temp\akUY.exe
| MD5 | 8a691268d5bb2a302a39a7e591e5d9cc |
| SHA1 | 6d5945f896f33b1cd4ce4b48780ce0006e3dab45 |
| SHA256 | 29ac5cc9f9cf1929ea0e4fb21a388c17220f5ca1141659fc382401d5389012a9 |
| SHA512 | 9143a91818adc5fdcf0371f94062a716c9d2f47bf9d06c83b2ba8b496f885d2ad8a4a0f546bb94cd10f2238073962e0b0ae235973acc423c74e55451cb190000 |
C:\Users\Admin\AppData\Local\Temp\ugIw.exe
| MD5 | 35708af9a3c36f619e46fa0e4d35bf5e |
| SHA1 | 98d1880e38b85922196fb94990ad5e5db85d0f24 |
| SHA256 | 474620fd4498cb417c3f073bff2bd6eba0f9f1aca544a6644904215c1b95d835 |
| SHA512 | 9c2f3a5f450d10f22e2e0faef1e97d710f3785a1a15d73cf1e1a4e036b4f25115824eae250f084b945be1d93b30ce987770fa4808b43c17ec496b24662faa042 |
C:\Users\Admin\AppData\Local\Temp\YIEc.exe
| MD5 | 3b69c9250264ee2eb405dad9836c1fe7 |
| SHA1 | 47360b65122975c07e863057c17676a6517b4d93 |
| SHA256 | 1f1099799a7967abf0df147cffa4f0e9efbe5a4592d1198167485d11be274ea0 |
| SHA512 | 2ed7ee258282d5a130ea0d18b8e8612bde1e694028370adb1deceaf4f5e8da6ea5ab1ff5e8c1c5f724399cf7c1499327d9c80e0612da5fbd0a3835bb847bd6e0 |
C:\Users\Admin\AppData\Local\Temp\IgMq.exe
| MD5 | ce42f878d2c8fbc4a6cbeeef81410915 |
| SHA1 | 7c3e137c92f943ffbebf7ac798790eeaada12a51 |
| SHA256 | 6189753d6b2ef8a4ce107066a03c04e3580427183703917c48cf4057912af772 |
| SHA512 | 310622fb3c54ec3184cc5bd7d193d90fa5c5ea489fb407dc95aad538f4c4825590a50a47d40ab50d93b1460a8b0b55e361908801805a74cc8e86250d917c3ada |
C:\Users\Admin\AppData\Local\Temp\askg.exe
| MD5 | 101d80b11fe13af688d56e1a6e19359c |
| SHA1 | cd8c92ee14f1af7e6cc3e60c9481390974f03c41 |
| SHA256 | fde8d6814aed5f281733660dca33d18586f6a64c707f23b717f6b53273d59fda |
| SHA512 | 5b510393683656935ced6b9a9870d121e6b4a60ef4628f547d036a093d86eef6adb2a6b39aa0bf21957fba0da99418e2923c5043858f18b5741876ae9f695823 |
C:\Users\Admin\AppData\Local\Temp\QEwS.exe
| MD5 | e79c78fd2cd83d4f4e7777cb017db03e |
| SHA1 | dd24f471a63360025372386237a55f7155b777f6 |
| SHA256 | 54d02670171d5a3aa3e40923a752c3bb74610a9e0a7f534cb386ae2b3581891f |
| SHA512 | 4221dc99557ccf83a90c00fb17bd2598773e12af63234afbb3168279f4e7e01c344d1c39878240d565bae5035da2011eb5f6e4720d14b909e1361eab9793da39 |
C:\Users\Admin\AppData\Local\Temp\YEQE.exe
| MD5 | c062564ef0dfcb4debdbc9e51b922bb7 |
| SHA1 | 7d500a889793392ac8297aef2ffe4c623211833b |
| SHA256 | 5fb49aecca152abde0d55adbdc739241d365e176c984f2cdbfcf5bd5220cc2a9 |
| SHA512 | e3e8bc7f7b9f7e3cbee0d215030dd6326fe9ed870bcd38fb3f3a983a70818167b46de648d2b5d50e1e32a475f14d8797d1cb6c59fd1c256fbbcd8ec86311d7f1 |
C:\Users\Admin\AppData\Local\Temp\SoMO.exe
| MD5 | 82cf9af68d2dbb7507c5240050bbe220 |
| SHA1 | 19bf50c8aed7db7d7493eb59420b9591c1e8d1fa |
| SHA256 | b0712f7a232af18d2628dfe9f890b32d6e02f32712e77e21402b796b3e7b73ef |
| SHA512 | 15677bd97f15a0a0e56ce8186931c0750bbf8c36079269e26028fb00adb82119fa788ea3162782f909612dc25054fdfbf82fb052563f54ace4798af577c941cb |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
| MD5 | c4eaf7f60afd4c362f7313e13bada026 |
| SHA1 | c8785f6f5e6bc8c0e783835a84d7c50751fc5727 |
| SHA256 | 0a141da533ae16f95b8621296922d768dfb734a7b0ff2796f6bfb7915a084cc5 |
| SHA512 | fd305a225576ecbedaa925add7d50a3ac4c025cb545226c5da67e02e1be6664d68ca7c3971469d9592ce8d1312d8aaad795b41c99a9d4ad632cef263b2047a32 |
C:\Users\Admin\AppData\Local\Temp\OwkS.exe
| MD5 | 0a048428f546c7636967168641795a53 |
| SHA1 | 42170964d0da14da15b46c922a30f7cee89381ee |
| SHA256 | 7c2dfd90847bb09687546d13f0e2872c68dd0a71409fe551197bb12730d43ffa |
| SHA512 | acb915b495bf54f1a1f71be98f98361f6bd2c26d8957dff3e1f1e5ded38c23437b62294cb91f5c9f76ad841b15d335ee9a5b61950ca552b47792c2e15203d027 |
C:\Users\Admin\AppData\Local\Temp\eoEk.exe
| MD5 | ee83853c19bc64d61baa02e1c43e5e7b |
| SHA1 | 7e3ecb9367572af1c304f9df7d088e7e7d7b9ba4 |
| SHA256 | 4dd6686f17b12bf4212f3f67a9923d1d68f7c7957a9172cb43877162a01ae2ad |
| SHA512 | be0bd6199d92b9957394be697ce722f69de15a4b2d91c9f7d3c385295479cd7a8c7871f661fce1d93e4469da2fbcf76fe62f11053f01db48ed65d005d28c62fb |
C:\Users\Admin\AppData\Local\Temp\GIcW.exe
| MD5 | ed17246d915c0e6987b6aabf9600093e |
| SHA1 | d12367f94cfa8f1b457104d0fecb0c0fc6aa1491 |
| SHA256 | 6717475088faf1da846b861a19e1ea457c2f595f2d92ef133f8324aa99b66935 |
| SHA512 | 347fc29162ec758973b569eb9e642fb6cfdb4a7cd9bfd45f7e226e76f43a59eaae64808ffc0acb6d737d4b39e4f35edfd93990fe5e244caeec57971a7087b7c7 |
C:\Users\Admin\AppData\Roaming\ExpandGroup.mpg.exe
| MD5 | d4def941ab512453fdc2dd85bc5c8712 |
| SHA1 | ff648c145f8612bf5354b59f433624fda6fb0bf8 |
| SHA256 | 6543ca077be1f8c134ff0fe042345cfc998ae3aeb7f194f5989faa19ba47d1b4 |
| SHA512 | 47d932ea0fd22b7864dbd7c5e2ad104b24a3cca2feb9a4600b1ed637e816d8fba6586e59021b12e6025cfe5a3c0fcb6e4cfaa141498d38084a29a52a2ff7b7f6 |
C:\Users\Admin\AppData\Local\Temp\QssS.exe
| MD5 | 9be614ccb835abfc33a29d95194a0f0e |
| SHA1 | 95bded175ab4e25aaa590b2f8506af4ac0dc8a7e |
| SHA256 | 336864896745aa5708f16d3b18ea8d40cb15929cc42ff75950e7cd4b7024d500 |
| SHA512 | 576ffd32cb11250cc11e97e812edfc927fd4a94fa7176bd35abca488674502f9c3963ba7ea5c20cbcd5311bb080dfca522ec59fe0d0a150247a055dc73ba1356 |
C:\Users\Admin\AppData\Local\Temp\owMe.exe
| MD5 | 320eecf329629676fcad53e121b870c0 |
| SHA1 | fbe7baa756beb0e0b3dc329b1421bbc7cfdaa9bc |
| SHA256 | 22c20c5332a21605ea9ae40225d846c9eb6665b9e920566246d104d0ed96bce0 |
| SHA512 | 3fe22ebd480170b4ac715a242d0cca03081c86560b5e721dd764d4deee1807c5afedac745bedd899c046fe5ab517c76735d7f68d6cde4680e07572c7b6cf9e67 |
C:\Users\Admin\AppData\Local\Temp\QcQu.exe
| MD5 | d7f9e1f2125366e7fae64ff313e11909 |
| SHA1 | fa9eb0815c1931e00ddea2835fb50fee78d14f75 |
| SHA256 | 2d516a142d956e85764a7e876ff654139e2389091967c04c23c4e0ca7293cd1a |
| SHA512 | 2b7910e6127c01db69138f812fe6315a26aafedbc3c07b1d6bf8aba262cca980bdd32c1d07f6d33684b255ee16e5dc8a766430306a67ceeb3f508a5b0e445852 |
C:\Users\Admin\AppData\Local\Temp\OIIa.exe
| MD5 | 5d5801c3bbb38f93b79cc02a94309e6d |
| SHA1 | 9ee5d08e9d1b19b8fb444e79bb9d081e2d6c99c0 |
| SHA256 | c953aeae6c262bdd837398e7dd38ce1e0c6659c90b390752e972e11cd100f07b |
| SHA512 | b0cae707b8c42dde92b39546b244df19506209b0806ea9df1e5e81a8ab704133dde3c94b06dc78bda7f09d41378f4cef4dca59eaff95001599d03607220d9d70 |
C:\Users\Admin\AppData\Local\Temp\mcAW.exe
| MD5 | 20f604daf1fe5c70a62ae28ccc211cf4 |
| SHA1 | 757cc458eed6c1ebbfcce5043e4e5f9f59f578c2 |
| SHA256 | ea73c412484605fd640e258eab77a40292dd204ed74cea0abfc6ec0eec272bb1 |
| SHA512 | 370fa5139cdebe9f6805fde1ad2ff79c5b83135319a92e6fb13290cf34b56e5b1f35bff6474e2a417ad64a71fa163e8d5c0985f87a77c44bf2c8bcfc3eccc4d4 |
C:\Users\Admin\AppData\Local\Temp\CEIc.exe
| MD5 | 20c3b872002b4d2866404dbe151c7d60 |
| SHA1 | 686bc59acc9de8ed6d8dc8d739045cd58b584929 |
| SHA256 | fb74402d8130c09260a6d1c880a10a89660d7157a6672862a24b484566967152 |
| SHA512 | 7347988ff0f6cebbd5c54cdf304672614ca5d64585c17d54587ffe47ade18eb5389705cace1f92f3c2c879d0ffe10d3ae8da0577495449f3e295c9410d22031a |
C:\Users\Admin\AppData\Local\Temp\oQsk.exe
| MD5 | 90aa105ba7a56986fc818d6af89ce530 |
| SHA1 | 2dd79c51b139fd5b68d120caf0a8d7ba930c2b68 |
| SHA256 | 3749a89d8a1d30fa26ed84d33d42144239e0e0f72e9887a6b6b533cfac7fa979 |
| SHA512 | f83abad2b0b9b8dcb9031bcacf48387d24e7f3b62d17e013e2a42c319a015eb7832db6c1d59bc557106928a9329cc4b3ac407bb328488c60ded21d8a176e87e1 |
C:\Users\Admin\Downloads\ConvertReset.mp3.exe
| MD5 | d78cfe83202a55e419aa79b38aaa6917 |
| SHA1 | 00bab913e84ce917c1c3bf7d632ec47edf54626f |
| SHA256 | 4482a03e95396f91ab4cadddb573b1e03fb0a242b3f2c892647ced081be2ce39 |
| SHA512 | c93214ee00ad49597137551bb1f6a6a8921ae95c89228e3b692cfe169864228dd31212da659351c500fd40be70418264abb6a7fb748598c58346ec2a1b6b00ec |
C:\Users\Admin\AppData\Local\Temp\acIc.exe
| MD5 | 80ee39246f8b89deee1225942ff0386d |
| SHA1 | 16c0b0150ac9969160de1647763547b947b40116 |
| SHA256 | 8622e18dd866fdb245feb943fdbb548af8217bb5e6c911d4f6650d7f2bb9ae2d |
| SHA512 | ca5d2b4e414c8e13fa3c2be7082c037d1c74dd1052cc49ed1db46b4de47ceb3b210b2982fefe309efd959b9c3f812ad4a4527216014ab5fe15b2f7b79da0fe77 |
C:\Users\Admin\AppData\Local\Temp\cgom.ico
| MD5 | 7ebb1c3b3f5ee39434e36aeb4c07ee8b |
| SHA1 | 7b4e7562e3a12b37862e0d5ecf94581ec130658f |
| SHA256 | be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742 |
| SHA512 | 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6 |
C:\Users\Admin\Downloads\JoinResolve.bmp.exe
| MD5 | fafcb065d1022b49fe190f6a777ee694 |
| SHA1 | a39a6be6fb3c87a8c855a00cee0b2b43099324ee |
| SHA256 | 83d017621a843edf914c60f25d99351adabfb97bee779f59818518d5683a488d |
| SHA512 | a4b0ef1a2a3635c1fce37e7017de5cb046f4907b6b7cb13b221f6e86f8a0a85be2ede7ff87cd2a93aec00a255dfdfb4aa50128718a5f593b6ba8c49cbdf12704 |
C:\Users\Admin\AppData\Local\Temp\OEQI.exe
| MD5 | 4a073916c4245ae038477823ef44fd62 |
| SHA1 | 8900522fe5ac29bd5547ba85235dbc516e79f6e7 |
| SHA256 | 7dbdaf8acf67fc1fba0fd984dd2f48d7ec75753829afd7dae99322d480ae50dc |
| SHA512 | ce39a4a55f4177c15b359742fdb63b8ee1141641c2dd1b599b6ee15f8a82b567bd9ea041f39c03676c06ddd6a30ab848728333ce628d58be50cff29c0b95d340 |
C:\Users\Admin\AppData\Local\Temp\okQs.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\Music\SendSwitch.wma.exe
| MD5 | 4fbb6883aa9f866a7efb2874fda8d7b2 |
| SHA1 | b5a4e0dd24dbaa115a432bfb04fc613fcf7478cb |
| SHA256 | 5997e0c88dfae85d12ce72a50a4417138a2dec0e622c3a4c6ab1484b51eb5f08 |
| SHA512 | f33c1e7aad408dbd92c2bbd315bb4ce29d9db981f96fe5aae2e13b3058e47dce508d9ae0c0f11ca53d57158878ce1a1dd1b220f2976a2cdba38daf02f9d11265 |
C:\Users\Admin\AppData\Local\Temp\iIIg.exe
| MD5 | 8ad9ca28cb6afafe29b1a2083241e513 |
| SHA1 | 7dc6dcea2896b04be1b8ac15dcdc032c07823a9b |
| SHA256 | b5ec73fa1d78a2a4ff2021c4dc13711ed7d3a0c6dbea107e9aa815a1854a003a |
| SHA512 | 8f5f7deaa8b639a9774a303dd02ef3ea64022f5dbea1eef14aca9025efedc3f1bb0fd1a6fb74a707db7d0a2accba9f0d1c6759e92a1b7e9a6d1bad4f5389854c |
C:\Users\Admin\AppData\Local\Temp\iQcC.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\EgsG.exe
| MD5 | 485880657867703d087d29bf0741109f |
| SHA1 | 4a09adf8a22ed7647129dd51a8c5497261369ee9 |
| SHA256 | 3129820a3318fc3688861ad1d0ad67800b48dd107a80fe90c65a9ad3f4231ebe |
| SHA512 | 33a379199f215409b7d7d9c58bb9c3b0f037eded156025a38e39c02d2ab2434c98ab2ba69231916383631820713568e98f02a43a71f59c9d226ab124b79b1f42 |
C:\Users\Admin\AppData\Local\Temp\UMQa.exe
| MD5 | d7de16e36aa4ad06725bf62249c2f357 |
| SHA1 | 660cdd0ce6808831178c40a51ea2e8f07f9c7530 |
| SHA256 | 91c4501bfe0c61cef7db6f4669cff506992ca3bab64f0be7c4663742eafd6909 |
| SHA512 | fcd0a21edbc5add92b2893368da585d9a7ab499aac60de4efbec0437f4698be8a744d8abd3dade0a421fe8f54b7743d40f2e25cb9817ca635b5bd3d2699b4129 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
| MD5 | 91a9f7bc23700b54edde82f550d4ad58 |
| SHA1 | 5d768f7ed5d1fb021903d2f0cc131824d8dbaf23 |
| SHA256 | 6c876bf4b47085976b0ca0f3d51f6b332265177c6e0e614ea69b8c353c30fb72 |
| SHA512 | 4ff58525019f155cd197d04a3a92c51d72611a01645fd423eec488822b12732622f59f495de405feb76a01b77769c7f62e8921bdb7788eab2ba2f12eff69eefd |
C:\Users\Admin\AppData\Local\Temp\esoK.exe
| MD5 | 870c45ee1be0b6e4876228c89421c592 |
| SHA1 | 21098d39d21a123879fcd5ae5b4a5aad2c17f1f3 |
| SHA256 | 0f46e200268c4df18d8448aec54907ae7789597aa6e3b858d9ad951ea8ae286e |
| SHA512 | cc31200506e05e7553fb3decc9950c92964833bb33b82137df9f71e9ff9db8eee704dc5ee31f7bfa3f82abd43f9133fe22c7366c8ce5587dba6f522237c4ad95 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | b35b0f9a5a494c1bc7acfcb9b06d2339 |
| SHA1 | 3e8529ecd6eedef8b70d129152587afce1139e07 |
| SHA256 | 81784d5552380afd5e21e61cdffe06a2a637a67866cec7ef7a6ca78d6f9197d4 |
| SHA512 | e14fd784db07c03da421bf04543c8604f832a22c98aa5117520112939ae40758b57126182f5a29d26c60fdacd1356e09b7ed31296d2ca0001c437a4f8c684c3e |
C:\Users\Admin\AppData\Local\Temp\CEIa.exe
| MD5 | df92f85e688d96daa617cb81c67fd6cf |
| SHA1 | dc28be73e747e8005a20d4e21cb22ed269dfa71b |
| SHA256 | db9e31c8c5c992043de139d929178d11e5f38f675e4ae397f4d249a0a9478285 |
| SHA512 | 8bd91cadbc11987c461c6c4d6a962bba491345e03f88cf1c084f9833571be55435aa4249096e61800aa3b91fd7fa5d7a67b9f91b3c3a4d055aa63631c668abf4 |
C:\Users\Admin\AppData\Local\Temp\wYkc.exe
| MD5 | 5c82b21f25d3871220e23b6467c84f85 |
| SHA1 | 0929cc50071bda7ac93a98ac1775b254e6904a82 |
| SHA256 | 8944c47a056019cacccebf372743345d84a1bd7471c3bac39b3e5156e96c9c01 |
| SHA512 | 9741f0786f9c3e33538f43a1590773b72b9aa6934a32227696cbb7d3905618f2474f70859dd610113994304112db31e40b4ad3d7a0109da48a95dcccd6fc8099 |
C:\Users\Admin\AppData\Local\Temp\QQAw.exe
| MD5 | 6111992069039b534bb1c6b9cb3f8ebb |
| SHA1 | 7682b7ff0ccb85afa7693b80cec2b56364c04416 |
| SHA256 | 3c532b6589f8613a4e31c561193c4f21bb85bcf2721cb779d63499e0be96f7c9 |
| SHA512 | 67bde63217d51f4efa245bcb9331f57240bed2c58e163110466a968ac752f12a1638883501b3982662cc741285486a7783f22b2cb9da33b13048f137868448a8 |