Malware Analysis Report

2024-10-24 18:19

Sample ID 241018-cza9zs1gne
Target 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118
SHA256 61590230942f18b7af4dde5e14ca1b4794f852b13c4c1b3c653f780b2aa3d966
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

61590230942f18b7af4dde5e14ca1b4794f852b13c4c1b3c653f780b2aa3d966

Threat Level: Known bad

The file 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (57) files with added filename extension

Renames multiple (80) files with added filename extension

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:30

Reported

2024-10-18 02:32

Platform

win7-20240903-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (57) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation C:\Users\Admin\VwcMkcQg\yOIkUssU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\VwcMkcQg\yOIkUssU.exe N/A
N/A N/A C:\ProgramData\hywYUMQM\qsIgUksk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\yOIkUssU.exe = "C:\\Users\\Admin\\VwcMkcQg\\yOIkUssU.exe" C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qsIgUksk.exe = "C:\\ProgramData\\hywYUMQM\\qsIgUksk.exe" C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\yOIkUssU.exe = "C:\\Users\\Admin\\VwcMkcQg\\yOIkUssU.exe" C:\Users\Admin\VwcMkcQg\yOIkUssU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qsIgUksk.exe = "C:\\ProgramData\\hywYUMQM\\qsIgUksk.exe" C:\ProgramData\hywYUMQM\qsIgUksk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YSIsUAUc.exe = "C:\\Users\\Admin\\gMgEEgoE\\YSIsUAUc.exe" C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MaMQIMoE.exe = "C:\\ProgramData\\YAcgQYcg\\MaMQIMoE.exe" C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\VwcMkcQg\yOIkUssU.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\VwcMkcQg\yOIkUssU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\VwcMkcQg\yOIkUssU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Users\Admin\VwcMkcQg\yOIkUssU.exe
PID 2248 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\ProgramData\hywYUMQM\qsIgUksk.exe
PID 2248 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
PID 2688 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2876 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
PID 2876 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2876 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2876 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2876 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe"

C:\Users\Admin\VwcMkcQg\yOIkUssU.exe

"C:\Users\Admin\VwcMkcQg\yOIkUssU.exe"

C:\ProgramData\hywYUMQM\qsIgUksk.exe

"C:\ProgramData\hywYUMQM\qsIgUksk.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWQQwkcc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCckAcwM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGsIkMMA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMMYsQwk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RIYoUcwc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGoQEAEM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kisEIgAc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUIQQUEw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAEEsQEs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKoQYgok.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\daAUEQUM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqAUEAcY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcYUgcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYMgEUkg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ossYEAEY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iaswAUwA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkYcQUAE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XiUQccQs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkwAsIMs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCAAckIc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsoAgUMg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUAkAMMM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SaEUgkkk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgIkksEk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MqskIAYc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqsMIAYM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkYkIYUM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZwIMggsE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\gMgEEgoE\YSIsUAUc.exe

"C:\Users\Admin\gMgEEgoE\YSIsUAUc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 36

C:\ProgramData\YAcgQYcg\MaMQIMoE.exe

"C:\ProgramData\YAcgQYcg\MaMQIMoE.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 36

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zookcUgo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\huMccYUs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGMgkEsM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CwgMgUAw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYQUgksk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gukMMoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgYEogok.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\viYowQMY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgEEswwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nSIQsUcA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WYUgMowI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqMcYYgE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMoYMgkk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yyUkAMUE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWAoQoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAMUYYwU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DyYYAUIo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCgYwksE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqAAEwgY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-227264345550984259-1849401264-1759556048-1965248263-985886884503845281998156761"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gqwsUAAM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OesEckMo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5721403951255288942-1709635959278763808-130213367-7655877569769412271692925563"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mkIQokYQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10034384351711195468-581986338599590579-158720462-18765092572063317394-1791061202"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqEAUUcM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCMYYccY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-42272039230839614-888947483-414580280-17159909021923513715-1477660633705795303"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TKcIoMwA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGcEYsso.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16126374911597858747977841969-1894395609-285113958652532501567939777-967783798"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCEAMAgU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOwcgcIk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyQEwwws.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwQkcUMA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAcAcMEU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUsoccQw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ougEsIIs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NoEIYgEk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jscUAkAE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmMEEAgY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11799131791623428802-940268101117400730-438314954-48150793359396861-1972010114"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKUwcokM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12242340431936105679-12709515831319547973-56329530816805212711388475921624538926"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1593053805-2052775119930830329-11863795321392740789-3550049814662532401204995624"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWcokoEc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYkAwUgI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KswoYcUE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1668527585-181801775-745365967257212118-8750830271094065171-1124058980250459068"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yeIsoEkE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqUwUsMU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuIoQUsk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dAsUcEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5584905161356289726535035411-3036635472903674566117041991008376538-750377939"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuoIIYMY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1938438555-423945553-1516319930-6428305357239571211436976797-188384144554402015"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMIIwQAk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2021709197-4969673593580204031621119032948494652526606321148434199-1873162910"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1075474398151325576634258953210183305551227502719-886507975262267523-1578901402"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIEgcIUw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MowIkcss.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jGYQwcYw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "543375716154929238-1800006113-231626406-720269717-1568520027389599499493114456"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NmkQAMYk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jywwkscY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUAcIwoI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-114593881043883613-197337684617846234011077510889-677224606-4437391971518686655"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uQkcccck.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAUQksEI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuEoIgIg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGsoYMgE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1298826116-1112076331-216790708-474103666184741912036208315779280991868402156"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TsoMwIAA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "459056464-145846240720449125-954364876-11195083231573816197782909459329183278"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1092806473966868515-426581576411302276361503927-682838345887976521884088329"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZaYwUYwk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCgowQAo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1673714827-169673823202968157-5856075291685289639156736733-2038193737259892188"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-399743108-16071355051794320985-958879133-657771556-715344142-466361621-1333164347"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1243565386-1920568858-2118861980-664935115198321030620333348537083911621837578093"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGEsgMYo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1566669724702977933943692972-4191777141801481053-851282739-10169114151249306131"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "140424288637497359-1626102729-1161884404869351218-139466768914367786921527212296"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gagooIYo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-200704762212831433991012542195-1927893651-211208947-1651386146-370857157867156191"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-116577959317936520751161373425-231959683-50588951713994150342083013569559039273"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aGIcoksc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aoskcEgM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2021324264-16161668361267858861707378745-838412175108024218-189046801-876668451"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIoAwkAs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1456770101-149649369862272146413904078071262416343-1319990800-1413903161820257704"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2062411905984583672-1241684661-15298147115501534901303152089845975567-730876691"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIgQEUAs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1284740497271907508116188614-17115378021702536983-1084726051-1545102828109731919"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "368138791-363326311-21264230701040564143-156718615-1214911077-1292810021-1384010127"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmsoQIEo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "655755143-18520937631491873760452810685-24888307820801093861176427496901636830"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1831365259-1041333159381377483-698163617-10666378367870899384658805511834268605"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\scsUwIYE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15235794661276022907119634595926982646-174883560-1360203594541977842326058053"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GuAQYYsw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-177940370-1101627835-793594715-13797111071582987565-1226687656-6908712-1187906883"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YucMEUoo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "614200186-1662038808-2096933356-15218657171400960323-2065748368-1046619348295759357"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkosEIsg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1853376128624509011819983124-688186976-81476730-68130333421261750621043990301"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1459967205-16845141741399330939-447340125159812680812781242922046129379-956986968"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8979124196267026251758699803-1723037948-60294846-1997872918-1622496466-1914262567"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RUcMIEcM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\voEcUUEg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1318255530-575814938773093347-754943308318202783-13520216001253053927-640438541"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-57124632017690065077786158431126713276223963027-1717903037-1729886703-1592380441"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmgMwwAU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8973313621209247432-85437501055801447-810672418-15250762881938151671-438079061"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hIAckMwU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1663381451064707588-557276914-570976208-410804929-1370244675-546529272-149510148"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEsosggE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIAQcogA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "199790973-1138418173303439676-13939282282719734894288133921065618988-756231446"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iAwsYMYM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1719396644-1258126084930664176-223626330-878027825669040155-566420478-1984750253"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAMIYMUY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1059593080-905172190102483045976417909929101336-1787783715-2110052294-351343076"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUwYcIUc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUMoEYgc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OeYkwIEA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuUgkgIU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAYAksAM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEgAwYss.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSkUwsww.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.78:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.169.78:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files


memory/936-501-0x0000000000360000-0x0000000000393000-memory.dmp

memory/1708-503-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1300-512-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JEsUUUkM.bat

MD5 55dd8401f1bcf63365df4602900f7df0
SHA1 7b43f84d4d61edfe383ef19199c34fd2692cd880
SHA256 16f9a116877824cad363de44005621a7c49e1053a317f3572890ecf1f1b618a1
SHA512 955d9daa729379e6dc68c94b422b203e45976fe79a5101d93ab390a50e386ba30163b68a61f481177b987ce9ea62b511d35103f1d852326799c136745246c896

memory/1744-522-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/1744-523-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/1536-524-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1708-533-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rGQUAMoc.bat

MD5 cb6c06b8dd4c3721d8a6470cafd6a497
SHA1 9bf1a87fcc18bd64e0b9822b05e6dd492613e495
SHA256 61edc8b5d64d6a5530e2f5f84c539c996125a51d8a0736b9c2be3b99787f03c3
SHA512 8b184d18815925d597874222d4f8fb41c6a43dc94bd489f04bb733334ad5dcafda5a858b1fabd4f5adccb3ad07e57bf9094f532c382206c232e6644043a5a42e

memory/996-546-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2632-545-0x0000000000510000-0x0000000000543000-memory.dmp

memory/2632-544-0x0000000000510000-0x0000000000543000-memory.dmp

memory/1536-555-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BacYwoco.bat

MD5 572751d278001b0c46cf703df01f32ef
SHA1 d0fa69d558a0c34d0dd6336a317a9bbccc67c588
SHA256 f9e073169df2be539a56ca9a87ac1a527061fefa4ce6fccd308a58e536e3efc1
SHA512 6a01255f0592e5c0961974903335b7608d58ff5018c9111fc53ec8e55a7e2d5f37c8d093f4ebe94aa83896d6adf9e9af467cfe35f89ba8ca1269392fdae316b1

memory/276-568-0x0000000000300000-0x0000000000333000-memory.dmp

memory/276-567-0x0000000000300000-0x0000000000333000-memory.dmp

memory/996-576-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EeAoAAUQ.bat

MD5 23f1b17c72b3dad6ae70c49a15a698d6
SHA1 ef3f0ce7c08c086d3e37544419f5f3f6849483ee
SHA256 3cd5ff4c63ac2cc4d7097b6bc6b0dc817b191d27378826ec503b3b38447d85a6
SHA512 340e98112d5ef9ce471ad697216a4889b44ca5809c7645093bbc08d7a18a1c8e141c48b55d70b2ef14f7c9db79bb5e6a3eb789ad908249e1058755f3212c72ca

memory/1784-588-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2384-587-0x0000000000160000-0x0000000000193000-memory.dmp

memory/2384-586-0x0000000000160000-0x0000000000193000-memory.dmp

memory/2448-597-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uEkMQoMk.bat

MD5 ff040ec92fb0014dbad31538ebea8e87
SHA1 3013e0a8861afef7f4e1f6df22b4cc3d7d4a5f4f
SHA256 b122277ce601660370fd9803fce4105a4c1b385df6a3d46e07326a9eb4e92e67
SHA512 ef4ef30102f3b172c5b0466bd58b167ac747f9aff15206c284e9451ab642f22973f44307884bd0b3331e53c0f890366f6c8020eaa39201e928a18cdfabeefcb0

memory/448-609-0x0000000000400000-0x0000000000433000-memory.dmp

memory/808-608-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/808-607-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/1784-618-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ESkgAIkE.bat

MD5 51577aae67fd065d436774dacc90344e
SHA1 59cbd50c57a1ca5291bcb6cdb2c26e0266203e99
SHA256 453f19c1b9fd16cffeabcb135b2f421eca75bf824484c2279d63a6af7db5ea29
SHA512 f951da28824b72409cea60d392fc8042672f084ce0a8c3441acb348fa0dae740734f774790131c30f0355e767d02d9a3002302b550a8a19684d6a658bf6b49c5

memory/1740-630-0x0000000000120000-0x0000000000153000-memory.dmp

memory/2364-631-0x0000000000400000-0x0000000000433000-memory.dmp

memory/448-640-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WesYUQAA.bat

MD5 d9ad37c3f4195a6ed9223f1f3b016909
SHA1 38a253942170f823d9319ffec79d0ad3c0acdca3
SHA256 3885670ddc6d80c12b8dbb6009125bdb86f82f35192cc89801d2b2c54c237250
SHA512 1aca6e2ca4f288e74d649e6f3a536a5da6f06a882061c0a51f68e5fdd1bdda15be05a53592734bf96f8236c888f8ec9ed730ba3974bfe7bb85e965344c69cbc5

memory/2300-650-0x0000000000310000-0x0000000000343000-memory.dmp

memory/2364-659-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JGQUMEQk.bat

MD5 152c4931b0f92a42921beb7cd3b70771
SHA1 893e613b61aa792acf96af180f253e49b855553d
SHA256 d76eaaf24c01d54a65d30b770a8d6a268330d6686cb1b857f9ff8d5cafd0adb8
SHA512 5f41620dca39c9a5b71f5db879c6d94443561beccc6b34c3a3f52c11a50e44e621640cfca2238bf92f582e5f119577004fdebf6e2534ce214a5d8cc40e168328

memory/1720-669-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZWEcgsgE.bat

MD5 67b603bf924afb70dabf78bf6390d459
SHA1 794f0ed121bd489661f69a0ad3e3ab5678c9dc86
SHA256 090499092931a6f414b247a95c18da24ccf8378d6e9779193e2458026da05b8b
SHA512 f26686439238a3268dec0f098c6b2ad54263a6209a2b9bc00082560c4b658da22f71f7d96d392412e1d927dea534c9c2276489876ded6af7445ecaad03c09d2c

C:\Users\Admin\AppData\Local\Temp\AsEk.exe

MD5 46ed258b2d45d44dbd5f48b0a5e56042
SHA1 9207014971cc3565a3c77347f5040e42db563a37
SHA256 f37b6ca8122781cd16b932828321964730a1dd48eaca80067e523e4232679a43
SHA512 c2dd0f9429f15fe9115b9809c092d87a4d6ba87c4dc68ac024201d6ec68c9c34db7d1a102dc0df47850ad47b8d8014e698459f05df29c23f902fc02d3032d64f

C:\Users\Admin\AppData\Local\Temp\fOQAssEM.bat

MD5 bc79642cb58ece733cc57aae207830ef
SHA1 744ddfd88237a7c341568ca46804d0a03320dde7
SHA256 01ead35507d687542d68798e0da81cc4c00a1bdfd60bfbc99e5318de2ce5cf48
SHA512 323f47d02092ac4dafe8ac43488dc6f34412d6e8604ac573223c9190464a2fec6c6709faae84d88687d8cb02c34cf0442eb09334bb7577dcf7a7c8c61bc8f485

C:\Users\Admin\AppData\Local\Temp\diAcogQQ.bat

MD5 f2902e04b4824377750c19fa308a4244
SHA1 5a0e0989d68de969be1b6ddda361769e43c7f77e
SHA256 4dbe88a2cffec0afc5cecebe726855209b288e90631350a0f5cf34c137af408b
SHA512 74d5336d6c94cdf51a20e960c5d8c29814b5d02e59b81a1675a4078350db5e0eaafc304a4db9a45e5aae80c2cc030b3a85e2d6f052c1129821b0d9ac2f00653f

C:\Users\Admin\AppData\Local\Temp\KoEAMcQc.bat

MD5 65a38989eb68d504dc3659eb4e93ae15
SHA1 1995b2920ce4b4a86dc900dd37c92072ac389482
SHA256 5af4856eec703c68226971ec683492ee83775d89ee1c5559a06e1d6bede5fdc9
SHA512 fa66b879e5d6dd1940591944006a1c5ed9c9ac7a3e671f6b34a73abbdb9c6bd782e550c601dec333d141047f0032b56892bddd9a12640201264d06490416de4b

memory/3008-777-0x0000000077510000-0x000000007762F000-memory.dmp

memory/3008-778-0x0000000077630000-0x000000007772A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SAMcAMkc.bat

MD5 e08ff4cb0144b8f6df5bcfd96285f823
SHA1 fbe807420fafcfe2579d24afc91ed65d2bbf9bc8
SHA256 0ed8219fe9be5fc6dc46d0de5e78811b296940ff418a32965d1112fc24b47bc7
SHA512 c5ccc718591686d1024b02da18452640c8c41291a8aa607f01c33356d74c7d0732fb104dfdf88b514217fb8df3c82070858186e1a338458db557c1e49e62904d

C:\Users\Admin\AppData\Local\Temp\yoAMcsQo.bat

MD5 c63a90ef4b096412d56b744f480fd6a1
SHA1 b08191362da96082a330b026f2618105498813f2
SHA256 0781ab7edb6a6f8387c20a712238178f2ee471ca8191c344c6bb4f8c86207242
SHA512 382913bbc5b639bedebedebdae72cd2a4a62504fd7d39cdde2de54c4d1ef5242bc26548da09b4c491342bcfcb5d8065c1d7d6449379eb1afecf27188b9e2f9a9

C:\Users\Admin\AppData\Local\Temp\CeUoUEAg.bat

MD5 3c26d1ff5ecb08eca6145b7cdfbd8347
SHA1 e1a7289ae551810759f043f392f80c8d69d888b1
SHA256 51ec6b2df5daf42be3d4665637ea746e7961590881b92d502db83a087965de3c
SHA512 187643a47e190f67a8e58054c03d21893d903f2d522b08c9aaca2b896d7d1b3a9bd7be0635ac2ba83afd71d0174f02abcef4f56c400130cd1c6e668ede5a78c7

C:\Users\Admin\AppData\Local\Temp\oiwcUMYA.bat

MD5 d96c85cdf6153e41ddc75ab21bf560d2
SHA1 aeb27503317c1014a2824c264b18fdbdcc604933
SHA256 fcf14dbfddae004132318d02a5567029e71d694efd1a03eb7d0a8cb0229e1b77
SHA512 69ff362a18c2cc18a356a28896e9da11157dcf63285ffb8c9e35bcf63b66fd7028496643438a0ddf1d9ffb3c764681c188fb01d781d2e93e5089161921acb844

C:\Users\Admin\AppData\Local\Temp\fgUQscgE.bat

MD5 7a8f1a5d07bbd671eeb7f06c71c77339
SHA1 50b9d3a831bb1fc831f28fb1cafa164431885e98
SHA256 f0eed6c08ec10792762e8bed3d312b3b5898266adfab09ed0854c0e4d319d286
SHA512 a554b3d0a75c9d80459171c2fbc69332df5d23cf9372d8c88982a1ff684d9251c52f2390e3c6df907d99f80190b7e81a3d873113194eac84a7ed305eb1bafb09

C:\Users\Admin\AppData\Local\Temp\ZEMQYkgo.bat

MD5 d5b8b348058bc8e23b0197abb415e1c5
SHA1 ce9a9ccbdf6db45d49b605353579dc604cfc570f
SHA256 2fd103cc1f4f86025640cd9b5f383631cc79cfd0dfdd5ae7de1514808985dc83
SHA512 31e120b291ee5571dbfd895f7dd366b539e5e501ad94f9673ce6ac33adb86a1c891a454e909cea77ee5534a0c3d8faa4511d4c971385d6b70b9fd91cecb60ea1

C:\Users\Admin\AppData\Local\Temp\HSgkoEYc.bat

MD5 6338a46e1109cdcf877a7dda044d4d40
SHA1 bca0414f5e9eb43baa6ab2bea979bb846387d213
SHA256 75de0ce602ebedb0e404800b19afa6e8b75731ece4eaad53653041df7702a78b
SHA512 ee946a8db218d2819b77c12472fa998df5982213954958b99699b1aad05f972dae5e8466a254747aa450bf9b20e6d1c0afb93e4fe6042768aafed6b1dc22298b

C:\Users\Admin\AppData\Local\Temp\IAIMEcIs.bat

MD5 0b3f1ec89492d735d9783fb0e2d04e81
SHA1 59978b3aafcae20b53de13217133a59047a40feb
SHA256 815e5285c1a49041147a846c363ee110dbb882a5701f6a0b82b7657fbadf0718
SHA512 5fcd59bb40f3405e706904334f51d84e3c7ffc888a7a279d9e639465d7720856f4c3e925a03b8945b4fe53eb6b5b6c3e6e130e9efce0ec98ca7fed2e52f7ae88

C:\Users\Admin\AppData\Local\Temp\WsAgcMUQ.bat

MD5 c6bba8f08b92fff5d833b2285fdd366d
SHA1 175f4c77269c96c341ceb627cdc0bfd675c662b2
SHA256 55e6ec908d0029609d4baf31f2019570bc8740f901e1ba46189a92ea30aa383b
SHA512 a2274f797294c697472a2874a48c880222e9ad9a378f03ae74e4e3e201f4678bb0e29a736d8bfd55ff2299c89888fe9e6f73be9410bb9c70554a27600eca51dc

C:\Users\Admin\AppData\Local\Temp\aGAUkEEU.bat

MD5 e6ac083655a593a5afd2a206625f96e7
SHA1 729d52a8fe778f31c4d0e37e710c4eeb54ab94a8
SHA256 a01167719396324ae57a9a810d093aa9310ba4901bc6ddcecb77a7554a62b2c3
SHA512 5cf79cc53de372467272726cb0ab7b0f8e8c3c4f5491f95556f5153901b65a60d2770197ed48303096592d7df2251fd29a866cac6bf4b9e601bbfde6a49b664e

C:\Users\Admin\AppData\Local\Temp\wucIYQMo.bat

MD5 bf7371bc3db131f0965ff21c85d448e5
SHA1 6796b6993359aa613528ddde453e8fa833a8fed8
SHA256 d227a72588b0777eb92f67ecd37b8e0158e29650c07ee3e020abdd745e36d019
SHA512 aff53fadc4421f641ae33b7fe3fdda3bad0efde51c6d286e5786a1e712608b73fa7aab50097f86604f3efc2f0ebfdbbe302ede92ffe9cbc2dab9121ec81e3b0f

C:\Users\Admin\AppData\Local\Temp\jUEsUsUM.bat

MD5 29cf27e3d735fb5a2f1689d4046e5584
SHA1 2024da90486489d8ead75da71452e7ccd15da2f9
SHA256 9d285eb9d34605b9accf347dd20651f502e8a531a3ca6a409a0789e908de9577
SHA512 19214adeb3d1417bab5ec94c701a1135774b845949579c0010737a1e25239096be96309ba0bff73a34134648d094a1185be5287114a078d1e4b372db080feec8

C:\Users\Admin\AppData\Local\Temp\hUUAAEIA.bat

MD5 93e3abd51029c6e26f30e256f80a28ae
SHA1 5661bef7675f93597b3bf02db3de5e4fa62c7e42
SHA256 a8d09f96807688a78c47dafa7c4fc0ba6422d86521c166b84a416c3699dd52c0
SHA512 e65ed86a433508c5308532e2deeace8b97428116716f54ba88c7e896758b83e7fcdb4904f3eee3a4733bb4dba4f89a95523c4c282656242d928be4fe7122e0fc

C:\Users\Admin\AppData\Local\Temp\NUQYsAMk.bat

MD5 80301523c3266f1bf32d4574e1b6cc76
SHA1 0e8d8a3688bf28fa5bb447c58e1db27a99ed5002
SHA256 a431263233cdb840768d03c3db315d0760b89c8ee12a246a08a404ecd21ad91d
SHA512 199b6d37017a0564b3fb00cccd6617b7b88e9792b6c3529904b1ea4ff3aed27923624d2701a8e63835443266de69af77cf54a7a20133fbfe56a0f6ffd9bc5b6d

C:\Users\Admin\AppData\Local\Temp\XsAsAsUA.bat

MD5 bac0d9538cff8e7b0659a47208004e6c
SHA1 11c09497e8a3b87093543435496d78effa22c818
SHA256 5345890d1741c44e9fe439a53da8eb05af9032b9079128fcd2df67d11249159e
SHA512 2769274678756b2f658c526ef2d942f1103eaff3228d4418e785b1faf8f9156315a7011f82d7bc0845c64218a5371710cf88334965f07cdf41d26d3eec72fc0b

C:\Users\Admin\AppData\Local\Temp\MUsMooMA.bat

MD5 2e7c86a879c7ee91ed286bffc155f4e2
SHA1 8d8803d9d06b82ee0cc170a864d6120ef3ce59e3
SHA256 27152fed537dacfda81d0c480d106af73b38ba89d4f800c18109a2d28eff3394
SHA512 40a2473a55edd1bbe840277f96bc1e93266c833239a988da4bbf8a10c43686d1846fddd055ccac5ef4802770e1c8127ed2082710fb477538f0637b324ab9c515

C:\Users\Admin\AppData\Local\Temp\WMcsMIso.bat

MD5 72ab95dd5aa9e36c86435a98e0b27de5
SHA1 b2774a86c19357c376f25f9475e22742e19e7306
SHA256 065e5c3f947f0194bb83db23290ec3206f2ecdcdba66b5a69deeff990b10c4db
SHA512 5739e50a0c6b98aff0179a27b8bec737a44c179b4d7690fbdd40ac40843672fb093d21077270074c1c28ea50b349880c791383e1a13d5bd6456d45264991f1d8

C:\Users\Admin\AppData\Local\Temp\UCkEYYkE.bat

MD5 887ee8f850d6da240acea93f8f38141b
SHA1 3f20e486e4ae79f1a96525b420c06e3c44b2c06b
SHA256 62468c09fe776fc942add4172268f4772b4a86019a4011e4c6b2b121505ca300
SHA512 685bd152c3bbfe664b4d4e6f837c4f1aff9ef1e7c9cbe2e8769013e50ee2f81cb00237f489511473b5f38f482f20b6454a7f1b4a9bf95e0d2e6318c347565c89

C:\Users\Admin\AppData\Local\Temp\IKYogYIA.bat

MD5 f4a1d2525c3e73f8acf8e3d24addcb7b
SHA1 665efd838252edaedfe837cf85834b40b0c6bd1b
SHA256 1598548839475ec83e6be5c4fbea8a170ecabaa08728fc5346c06dcd45955db4
SHA512 de101c412f77dbe3cbe8710842b45db24eb9d20b578d41e14f91477aeb92b472ac089a1ebcff64711cd88592ad70fb74cee9fd986cccfd90057bf55185eaa0a1

C:\Users\Admin\AppData\Local\Temp\WUss.exe

MD5 6f9ce6c0de4ba04666855bb8e2a1213a
SHA1 962c3e1219dc8592d5d7386704b9f523039348b2
SHA256 80cdee82139475ae3709b8a5f2aaa7132c2aae4f55f329561eab30e3e686cf6a
SHA512 0f9456a287eb3fd861eb2d6f10cf149759d29313ee45db2f60d21a58e4ab0ab3ad4687fea467a1e659dba006cbba1613a65c6203c46321daebf85c4508888e7d

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 85710af4d7c792c55f303f9cfbefbd47
SHA1 b4267a64c8ef1764ddca54e183018f604b49907c
SHA256 63860848b850ec0616019d6d99781f76599363ba0d0c52a3817fe1ba7b27735f
SHA512 920666dc6c554125fe0c1b09d5553c4ec5a43d44972f4d3eb46bc05a663c64e92528eb0cc65717a82fc19bca8515456ea9cf7edcaa4e97f7ae769870c89b1e71

C:\Users\Admin\AppData\Local\Temp\aQgg.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\oQoE.exe

MD5 342388c6a45f56eebf1a2699e167008f
SHA1 19ea1fe4aaec03f299f2b206cfa69f2ffccfd67f
SHA256 b5fd296fc58de9a8c6e3e1bd8d5cfb2454de82c332cc1f139cfed7d784307a64
SHA512 4d302eb1c40fe2707af1a9017a9378150e86edd6e6d270a2565ac29d1d5a249d2972d80527a3aa78697762861239b45f2544a6fedcfa81e665b57098c433d131

C:\Users\Admin\AppData\Local\Temp\cQQI.exe

MD5 e548d5c96fa4ee0078caa9ab1844ac6b
SHA1 493caf5e18d3b888a45173fa12011d2b53e6ab5f
SHA256 e96aef3b9e5e366126b5470bc37801bdd031d0773137272a7951ddfb1e918bfe
SHA512 0ad5853eee4cddab97bbe97cf90fd32716e7912d21c97cd8d4b2bf5b74f892bbbdd14b8da8447a4bfd7d287dedf84401a3f1f704af0223dece96fcee6b067d86

C:\Users\Admin\AppData\Local\Temp\kgsQ.exe

MD5 1860e7f230f1db894903a77c7c852ab8
SHA1 2f0400b76afcfb4c6ea812de5199885a1fe5afa6
SHA256 a2e7d582b9fa873715f80dcd9af7ed73ecb82f43d9859bc6d3e81994ce9883c0
SHA512 5b0618adbd506dfcdf43f79ee2d93c89922f0b79957a3410bf46e43b77a342eae52e73bb13006fe899ce7857582902ffef7c8a54f313aeada8c46f024ca77c1c

C:\Users\Admin\AppData\Local\Temp\GOccIIIg.bat

MD5 348d0c1998acf25b668d1f140428e759
SHA1 9746dc4648bfd3a77fe8060bb99d9f18fb5a221e
SHA256 78dbaf6375a350da3ea9e009ce5c5ca796ea44a469626eeecf3c97f5a09f20b2
SHA512 7755c1692bddd52f7d7138198a0b7947632a5a6a32e7fd4a22cd6dd3a02c81c3f070f56ccd2c2dc0d3f872e171c99a62364ac9ab0d32b55b12144275490adc8e

C:\Users\Admin\AppData\Local\Temp\UYEq.exe

MD5 4954a367eaf59e84d652dd9f719bc2ac
SHA1 f44c98719b1f6c1a378360f403fad3a4514cf277
SHA256 e4ea7b40ebf0ae16f2d27694ca5346c9a29168534cbb8701845ba9e6c8990d0c
SHA512 19af6751366b87dcd0e563446a60c0c50295df053d87800ee1e49b416b1acc626b4516c7cab384d8d060d3544046117b34acd49b1070f46f150c02300faf9059

C:\Users\Admin\AppData\Local\Temp\Ikom.exe

MD5 f2d54543789bb890bf073dd81482659b
SHA1 9877dde5dcd9f0d8c16166a026e5fe52f68e9a81
SHA256 2897eb0ca0ceac43c3409d619271ac7683b9fcee1f9e1e8f134b81d880989ace
SHA512 abda125e2164d2ec8d52ef0c34985b4bc8337874c88c4c6db750f45434bab1726660b9823a151fbbd49adf112f633f321c02966894ed84af82fe54163f24a4ad

C:\Users\Admin\AppData\Local\Temp\gYcE.exe

MD5 54a1e72580a6e3816961c4a781ea3c8d
SHA1 6eaf4926742f4945608ec269dc5a253ea49c0e7a
SHA256 9752791b79a8d8d03559eac33284904c608820e3da67c2e5405dc83a731ba5c4
SHA512 ac1c7a2a62f262e9ba9b140fb61de1c1a60e51c6da1623a73d6aee36519c40247a338138773ba8157425ff42b9ffcdd3317998c25e49e8249df93128f3c3f25c

C:\Users\Admin\AppData\Local\Temp\OMcC.exe

MD5 d436948a284bc0fb9ecdd48ba3827920
SHA1 5aee5729ca15ef20a2b820c971f485770737609a
SHA256 b32757002dec69e8971290e3e18f8f7a74b0fa9c2c15bf9d1d82bb297a94870e
SHA512 d552f7075ec3ad69db0419bca9da3a796aeb1a953b33cb6f47d8d423d7085d773ec7cdadc7f115592422e61db779d572b5770419f8bc58964cc61c9568fc8043

C:\Users\Admin\AppData\Local\Temp\eIcW.exe

MD5 565a2e7af896197c44ef12e1903630b2
SHA1 a29f3c4b1aedc0a4bcd7a899a87de2d8254a6ad2
SHA256 e69a34f6bdf837b94aa16f475351f30215ddb0c613d43a06db46f6350ff678d9
SHA512 c77e871c3a3f47ddfe9f0032ee574e2632efd4a17ea6f77186eb95979605afa8f269d8e26de95530d2ce5f33ed775f17d7d90e22c00449b0609d3ddb06421756

C:\Users\Admin\AppData\Local\Temp\sQUi.exe

MD5 8b7cf87e6633ddbc66c298e6b2d22d63
SHA1 51b50fc131fb2a340e9894a1907f117be6ac08b7
SHA256 ce1e92fd82ee945ed4cca78c9ecbf7c815d347fd9a13afd39ab786c2dc0fab17
SHA512 7b34c049d4d9d85f76ca21e453923d948a2bc7a7be275e16f307e58b7fd5ae462a2a20bfc5137e3c32a8b96b66f14760ea983b8daaafefaa02ae6cdf51804fab

C:\Users\Admin\AppData\Local\Temp\TWYgUEAc.bat

MD5 b05d36fbb584630a2c3d2e2b94812faa
SHA1 710c7ad4ec18d5f4fe68b3acc46564c5b9fa96b3
SHA256 0f7e9557e48f2a140e1583f08306ffff32f2a1f4b180cb4f10ddfb1bfbfc63c3
SHA512 4d582eece6ee4c8c9839a9f29fee30965e1280f2aacff088bbe500c0f6081545f69361782e833c429f30067d1404fabe571bdef1bda9c01ecf43dfd9d80b7cb0

C:\Users\Admin\AppData\Local\Temp\CYIA.exe

MD5 538f290b20e8729ce14a3ce95cca1388
SHA1 a846d739a707167701813373a2c8a60ed501ddd3
SHA256 6c4ca40b5e072a88a2d9369b3beba22ca048c172aa6380340d89a97da655bb03
SHA512 59d6a482334854bca3a51a3b057326fe347d232ba1b48b528d52c284cc0ad84a0c1bd942b3d3e9c2036db7035043929bea8b788a0852f30dbd35269ebca901da

C:\Users\Admin\AppData\Local\Temp\MQQW.exe

MD5 1b7558ccae8da7afde0985fa5c0024bc
SHA1 e045539d7438dcb39dd421e43315df9b5d1ef591
SHA256 f1dcb6575c368cecf044fbebf892353f19dcc5ba4e49b22fc002e7a031c52dd7
SHA512 3cecb18c36ece9bff4c168dc674069c749a4f9cdfb1063844ae072fa754ef2bd05440f0353dd84f5cd95d3264dbdd50a09055e9a972c9ca6f6c935cab7bda32b

C:\Users\Admin\AppData\Local\Temp\AQkM.exe

MD5 e00edba6e655f8313d7a730cb1b2f034
SHA1 88a28d7ca57abd14c06dd82dea5a9572e7068b85
SHA256 f4eb8ed075a902d94444a58b5fe9a0b6e601e30a25d38c358d2f4bd6c425e356
SHA512 68a5395f0a2d59f69f1a55190dcf50b70d5d8de3656a5f635e36871f864736ffb01c66cc46133b9ecc398fbf3fd2cfc0f9cbf1afbe3b72993a2013cc17ad90c0

C:\Users\Admin\AppData\Local\Temp\aEcQ.exe

MD5 7481365c0c98811d0f6274cebcfa99c0
SHA1 cbb0f6db89dc8c6b60db31cc0786b93e7370d667
SHA256 bf1e2c50bccb9152a13591018c4d8078aa5151976071582eea7e35b8ab45461b
SHA512 dcf1ce01a56698ba6e5b8371461258165dc192dc49fd674d154d42d3b1a890a2c298390bfd2b4029b815dac083d368c452092048101c02a343751e1da38b90b4

C:\Users\Admin\AppData\Local\Temp\dEcoIIoE.bat

MD5 f83e66a7cb181ceb31e237f48ce40c9c
SHA1 d906b1df12fd82c6a1877f19a4d00fcecdfd5fa2
SHA256 174abb5d48426e07d8256067229d94a820e3a0781d415633a60e0576bd322bf4
SHA512 9d9426ef100a1a1860298f94c2557e2ddf36f88fa144358f48d36a4ee8d505e69ad33f150258c3e5b9d592245dbe84b9be144783681e3731607fde6f2e92ede1

C:\Users\Admin\AppData\Local\Temp\QAkc.exe

MD5 9bb657ff9550beb5b1c03ea28a1c25a7
SHA1 e71a02d1ec82cdf754f430af9971a1a32f83f0fb
SHA256 7b57a92bca032b1bab3ede6110dbf544cb9ed4fa46c16344a7f577c3993fa943
SHA512 85f4e3e94d1ee8c7018ef903a19110509cb064110abd47081b352a32fd3ecdb32d17d0260d8d8a162b9dbbc6df45a1beb7028999ec04e5462e25698286852d98

C:\Users\Admin\AppData\Local\Temp\KEcY.exe

MD5 1d390967b714ed27187133c87f5e5523
SHA1 1483f0478c88fcf0109b2991b75727eb59bcd9f5
SHA256 68e225648663495569876b46b36247af5305cf1484138ef26a51ccdd69798c74
SHA512 fa24c9cb6d45b8b7ab801e88ed2c3413306b250c0db51004b1934ed94d71abf12d3e4ff1df8cec4b819b61e7ed7fca6fb6283d236c601cd1fb22fa1a117a51c2

C:\Users\Admin\AppData\Local\Temp\kkcy.exe

MD5 9500adad417663d1a76d892381e827dd
SHA1 21f3bae624bd5bf90f58395e6b9b60cd29e811b1
SHA256 3701dba57a78e6a46652536f62f7e6081181d3c02c2ddc48c5067e193769f101
SHA512 ea06e972ef7fe3c11de8945b761282ec01dbd684e961fba7e709bab864068104e6d0cd6fd5613de86d8d030a7ee7f02b5f1282bb6085805d579dbe38a736dec6

C:\Users\Admin\AppData\Local\Temp\MMIC.exe

MD5 d86baa36fe10f4948c162593b8129132
SHA1 61cf370483e7aff1c78b9942964caa73cfab664a
SHA256 ce7854ef004c2b40f1f48db7321c8958aa3b31942e4bddc431fc0ade10da68fa
SHA512 af4f5927100a9c4e7e6621f8ff1c676b829cfc862fda31b219277f1b1625f7fe6b9fd7a3b9e483e17e06612e8093c26063b13ad501fd92deecd9edab0c55a406

C:\Users\Admin\AppData\Local\Temp\psUAsAIQ.bat

MD5 df4589425c23da78b5328cb263356a68
SHA1 68ac133ec2988cffc5316fa1b28536acf235e105
SHA256 88238c768a9e31737c698a858ce80b3ee64b5103880d22c6e19bdd63258a80c7
SHA512 d1e105bf1a2f0a53c1e0f3095a6ad403a2c18fff46b6fd1a024d239c6721090d53e729e33d13f9f291bbd3d1ce4b25cc5e1fc05c1d7ff33ea9dcd399886c22b6

C:\Users\Admin\AppData\Local\Temp\qooI.exe

MD5 e43476cb9f421b594fea1950b4672453
SHA1 fa9bdef7db340982909f1d87189fc47c6cb59e38
SHA256 361ad399936eda98029dd7268231df55c9890ca81dcdde8a6e83afce9cd93475
SHA512 ab2ba889c6422261341af1350abe2a31f6a93eb54926e5c68f549215f1ac90cfa200ba7d38136a5765bb01de6a19650b425087f44440f59a3afb72db22083d48

C:\Users\Admin\AppData\Local\Temp\KUsw.exe

MD5 61f6f7da17d64593701a9c920f0cfe92
SHA1 8dee636d40ebd7b3781163fd60936841b9b1e54a
SHA256 2a943321f18901cea58b4145a902471a341e53563fb5b5535fb7ac5998b69e8c
SHA512 280a37bc71075c241d44932018b64d5754c9bee153b5dc5327eeaa6c82797d7d66c08c8232d3ae0a952dda3a80c295e5e0a400502c6c28402639e017cf7a65da

C:\Users\Admin\AppData\Local\Temp\CMEg.exe

MD5 ea04deb68adab5c8f878b59001eb9759
SHA1 e033dcd6d33e2c4072d324e0faef95e850dd2255
SHA256 66b6330661bed3a3410649cfc3b23e3aae94132bd1d0b71747d86a1ecc5115b5
SHA512 93ec9c924ea7c531abb184a349f05c294127ee82c8b4374e4b34b16130a1f5599ea58dc73db9f51271178b2b51e3dc0dda45fa6c786b0efdab283a8e06a09e79

C:\Users\Admin\AppData\Local\Temp\SsQi.exe

MD5 1e2cfe2e2b1a2e6e8eaec13fb5d0fb74
SHA1 773ed2094082a3c63695636250e6db6e5a00d782
SHA256 4ce816286192c58b88071290b6df28d3b1a89d06844f0383a45d03afcaa3cb9f
SHA512 ba9c599e2831792e26ecc9f17444d14e8d7bb251aa1870d32880c31e7bee2b2fb5343558d9b4efe1f958f0e1fbb2272e8feb47afc9b4731ae84c34e6ba0a7dd0

C:\Users\Admin\AppData\Local\Temp\uokY.exe

MD5 0d6ec00f57970f18c32d00e60c0b7ec7
SHA1 6d82188125641c0ad11e7fb66d6f24dbc0a50687
SHA256 2bf5922f79c89773d20de9e793e714f4d9dee45c386e6f18d790c07ba5cabb62
SHA512 ccf1dd9e83fe621db3c9c3a63539ebe352fdac8aa863561df2323d7bca824238ccaf2496a449bfc7edaf6ffdf63c9166aa8c975e67fa38c9d7e3ba8b5adefbe6

C:\Users\Admin\AppData\Local\Temp\eAgc.exe

MD5 dbbfb18a64755de3f7f0078937a05830
SHA1 b8f73bb1f4d406095bbb78387adcb6608763d55a
SHA256 a9927c9a76c3ea7f792b9dd8de9ba677fee58aa5c86be26f8fba1974fdd2d93f
SHA512 c64049265b7b876b05ce9c0d48727ef830c856d8a5740723dc504614dd1f3ceeb079550e0e75c4589ab89aab030f154a90bdc6b870880c3caa0a1e0eb4cab8e9

C:\Users\Admin\AppData\Local\Temp\DoAMowAc.bat

MD5 fc48ccbf8eaba915f64710405a6cb885
SHA1 fe8c0ca502f7700a5a68f3c7b16018d0b72177ff
SHA256 e1d17ecd5588732acbd2e33ef553ae458b1f4d14d03e89ec37f4d4689a98a6e9
SHA512 5684fc8e80b8b2bd189d259494b41a4fdfac47c480b302857044a240918c53d11f0c603acb28da514c107667b55b44c421fa2e73e96985d2914c95a7b63e3c1a

C:\Users\Admin\AppData\Local\Temp\uQYq.exe

MD5 a726de534bea68df0f3bf4999d0a3822
SHA1 657d397d10ed69437163fe8b8aa2bca6f792f3c7
SHA256 fa72a526836a1158dd4a47ebb4a73bf3c64fd60c7ad2ffe7338b09bd7dc8a00d
SHA512 fc98761e7e96e9f905e478e80c88c9bf3ee4abd0c72b1d5af2fe8f567d9bc6e579c853407931e35621885c92a3ecc5e9b401b0f0b5cfdc6b15fac81f8cc6b208

C:\Users\Admin\AppData\Local\Temp\sQsU.exe

MD5 8d9d601c3d6b58622577cdbdca733ab8
SHA1 f623b9db7e240b2544bb243829d85725feeaa473
SHA256 65eff5917ac594ba8238d36e5e3e239264300cd57d40b6f611495fdf1b4f7b18
SHA512 a9e3c9eff3ab5ba37c61a3a22cb98859a44ad58b43715ba36b2fd25a58151a95399d2f62f050558dc7b45c452dc668aff99a36ce33e3ad50dc45045d93d1da8a

C:\Users\Admin\AppData\Local\Temp\ioAe.exe

MD5 2ab3dddc42b2937b6c29efd3ad97f760
SHA1 59d5cf1e0af8e53fc31b2222e5bb30cdb03472a9
SHA256 c70504b40758c2ce94e450f8ab6c73b0f53b818a8ba1fa4c95531033bbf465b0
SHA512 753bbc43566116e191cc533cf8bd58b0db18aef6d664b5a4dbe7ec89b24ba4d257be2b0436118b7f49b52167c8836b693d4ae069f68e62c0507d4e9b36ce4743

C:\Users\Admin\AppData\Local\Temp\yssI.exe

MD5 f51698183463b1ba30cc5ea4593313ec
SHA1 96cff76358e3720b3135c4c6b955de215d8f975a
SHA256 a00db7d17be87b8f204dfad385e11dd64f8cf709476fdf0fb1b47c5860bf6d48
SHA512 c3e2772411b24c127a529e053cd3e17c46c8128ff7e93ef6602347c2361ebe7b70ebcd8902d5bbe11b745473201e24b891b092efa9a293364004037d612c2b3f

C:\Users\Admin\AppData\Local\Temp\ScAs.exe

MD5 e14edefc88c66bb0ace72499544ce563
SHA1 44cf54459561f92d62eaa5cb9ffcef1322eae5ec
SHA256 8aed382830848dfcdd5df2c267865c7160c7f7a44fdb5c175519ac1b854438b9
SHA512 e6f55a0e6a7fd221e8cbe2d604edf403d49b4a96acc8d005c93ce3f5ef08c24f0935edfa62abc56690aec285343e4e4c3e1a37b5e019329855b358456f398462

C:\Users\Admin\AppData\Local\Temp\zmkwEcIs.bat

MD5 190f3127c5bf74d3b313edcb1b23a234
SHA1 12e8a7f1d4e5b1b9f6e27afdbcdc8eb49f7a12f6
SHA256 1229f2b2b76b1b33596ddf486cf4892c4e38308c529a3f8908684eac0e5837cf
SHA512 63e13096f1a6bb2c05bd2f1359799a30a59cd57fa11be2873f7286469a5e520a53f1d1c88fc8445a48ab770b796475c08c3fc197088fec1e88acbaf5c930bfca

C:\Users\Admin\AppData\Local\Temp\qgEe.exe

MD5 528cad9a8831633a2f15926fd2996101
SHA1 b74fc22614442c01a41bfb8eb717df07131e053e
SHA256 876a5a3ed4fbc79e21138acd367d96151074fa068d09ae1333a7d3bc2e82a5a4
SHA512 122387fc505ba8d678767f03e257f87f88ad9a5c68d16b66f30f12d2c08f6609dd79e14c2912da7d725172f2d2efcfa8c342a95b04effd0b29506f7586d46d95

C:\Users\Admin\AppData\Local\Temp\cUcU.exe

MD5 d63d30d4fad9db626ff1b292cc7c1481
SHA1 5e4240131dff776bb73dba85f318211f987e0214
SHA256 35d7fcdd52d65a7ae2f287099dc1b0f32df3324b6aa0a67b4fc4fa29b239ae5e
SHA512 7c42563b6a417accb92f310d76b4800d2a5a80fca4482beb624890886b039d55b8211e41214e20e8e6dee82b51280237061d07c0696fac63fc368f815b51a8d2

C:\Users\Admin\AppData\Local\Temp\SosM.exe

MD5 60b915db9e9b0978e2e7335f761dd21f
SHA1 60093a6b5a94e0749f8d8e9daa3fbf55b8b5f13d
SHA256 1920a2a25474d99fe7dbef488fdbf78ea759f512c8c9db1f09591072bdee43ac
SHA512 4c16350dc8d48bf0ebdac031b9d8d84626060244e2d9377927221bd670ab7542ccf8e784b051352ef8617e0c39c3905da886be8311fa5bd8fa62325a36b7d4e8

C:\Users\Admin\AppData\Local\Temp\WcQK.exe

MD5 aa2d227b6d5ac50ecffaa361803a7b55
SHA1 c69fe01b750f6638baede0b52e127f3f1ef8b9d7
SHA256 c490e9bb594f27b8e9eee20c7c6068ff6f3be345f8488aa0e3539a5056ff27a0
SHA512 8251b4850cd21b1dc9e97c62db376758301d0dfd06590790eb28dae09bfd7d4abf3341f6274d4f155d05ed33d70ff1328c8ba20ec7b752faaa5832f5c8d02b9c

C:\Users\Admin\AppData\Local\Temp\ywga.exe

MD5 2e5c2aeabfc71ff1662570314ac9072e
SHA1 2cd1429e2a8a3507961f020d479209cc601f285a
SHA256 9ae7bcbec0d5ec9b6f4a9139b5331efb0622488815cc2420ae4586de7f09fad5
SHA512 44c34ba3ee1ec733a2ee7d740b33f41ab1c92f42e579d907635e4bd1c02f506d7459e764dc78b96e39fc4444a5a5178d621566aacc86dca4985f6973459da54a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 a607db31afe45e1af49faba84026c76d
SHA1 b0616e787f27fb11cff916aef2d3bc0263a76067
SHA256 4e7f22e04fb8bb025f5a62ebd972586ed94568967f2b21322e42cc39b158a26c
SHA512 c8f30c9a70534f2a2447dfb652e028ee035fccbb8991f255782bb6eb5b7614502645f05e95b859c5764b02d13b70788b7e7c3e12279b72ab8958116e18af5a92

C:\Users\Admin\AppData\Local\Temp\eIoG.exe

MD5 5736e0b08d4248acd0a7ae2302e892a7
SHA1 97014f47f8fe1c6df0aaf875e38c8f5d40df7cbf
SHA256 c9b93f61cf87b10d9f478dcc8aabd59b8324f980444714e7fe284560643467a8
SHA512 91604f78b2598c4a69df6e0e8c565aee6f0788ba518436752c963ea1572e46e9c3026c391cb05187693d325dd13a8328646182be2f79a970b7d3d75a8a7bf626

C:\Users\Admin\AppData\Local\Temp\CQMUEYsE.bat

MD5 d2710648565f339496daf92d3b08f870
SHA1 b3b69b1f744cbf891860686c6baac768c6b9c44b
SHA256 8e305a5e300aad62cfa5035205916080d6761d29985f871e690752ba7f5dfb72
SHA256 a512f23c651dc9f2b1c2963506620d36732287889d2176372f50214b3f1f737d
SHA512 7b0edaf533d777dcff4acd99b9fd9486040cbd68fbc9e16ef0cf51b108b6cc2b3985826f92cf025a00028f209ebb1df6079767b9d6a0f0385e693865fd99280b

C:\Users\Admin\AppData\Local\Temp\WQgk.exe

MD5 1c27b0254b1f9c4aa3abe2a61dc20499
SHA1 4ccfe06e541861bb8315cad0df4930d68a2604e5
SHA256 c0c6acddc4f8d4cc9ba805db302101f12600b59dc21bae56b1fa7f7ff10583a6
SHA512 ebc54ea9d491f45dcd6dc2fb713353290a44cb60d7e6ef42048950dba9e39bdeb5cf0f4bbf6cdf940ad8d55da34e5c09461224254ea770fcc18e5f56651c3fcd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 705ec27ce0743128785d03e5556a8fdf
SHA1 c93193c720b2e13f14bc078d39f1ea4b40406d50
SHA256 834ecfa2d923a26c943f22af45d1029a86691e887e1a96c3346dc7cba7b98a1f
SHA512 4bb3a9e8d945d8444419a4f55978fdd510c8d45b6c17d202d76f7b612904d4a530f55ae2ad07a42ae868b4307aebb473c905f52c87229b4bfdf8a9eb109cfa67

C:\Users\Admin\AppData\Local\Temp\zEwscAkA.bat

MD5 3869bb5de7423d3dcda9f7c3d095f111
SHA1 46e22f80c2435f4804a710f358a6d14fa8913542
SHA256 7d0860b6aeb5243f395910c65e864d0977e287f27875c07ce97f8d6ddd379998
SHA512 ac6c2af1a3cddc2970d6db1ac38176c76fa145032631f772a32c04225af2f3553cc3db42dcb1386b4aa19930137dee68a26999f88917571088f07473f78d01ea

C:\Users\Admin\AppData\Local\Temp\Qoku.exe

MD5 950fbb1ca4e6a6ce5fd6dd5e3bdff8e8
SHA1 cf6c12efbf4339c674abb9b7b38ae1260a4d0b01
SHA256 9a402b22ba3f94d1ff8edc6939a2f4b5340eee7017ece2e02a85f57478cd5678
SHA512 adf594d0d51afc0837a993d35b78233a0e6e8ec8da9ad0deed84496a2861362802706bae7247291c93ac597c38c38a6ad546cc1f84e91ef57c5be816bf1734fc

C:\Users\Admin\AppData\Local\Temp\MIQQ.exe

MD5 d9f4d1681f4b0ed3aa8d9c629f47c671
SHA1 1794605905f5b56d24ecf6f7f1312cb326a9471c
SHA256 0efefa22dd7020c99c3a04da918ba03c9242f44db1319c51ea7a7c11dd58fe40
SHA512 f0bb4e8b3ee5cf149f5a485ae9c65e54f5455d32711dbfcc15b8e64e72a1e1eaf48e6919488c5ac2436bcd81ab35bc99a01685b31a966f244e7ead4639b3122c

C:\Users\Admin\AppData\Local\Temp\sEEW.exe

MD5 e05a8e5a9af20c9d78b2c1e229a6397e
SHA1 4576816f69a79c48caa69d6cbcf2361554223691
SHA256 b5ff7b2f13cc1e20ae306ad95e032b2851676b9f0e5bdb9a546bf071ccecf8dc
SHA512 7c028249344e04f312d71b8d409fa05663725ef12099ec1ef4e752326f7c35f2477d302e3afd6c3865a199d64b8c2dcc3da67074de64169ad5e231128e8b95f8

C:\Users\Admin\AppData\Local\Temp\sIoG.exe

MD5 6a54e57ebcb7740d0a0649110f100a55
SHA1 57c5171e7757518b767a32596cb9ce827c2b68b7
SHA256 aa013a16ca40579dec0809596c5399040eecde7c80a18dea94dbd921233ed1f9
SHA512 dc4cda51ef0bc666201272048c7ba08a9728472b5a0b3364ee252093c98f18290249b5f55f3f802bd58e67a2e11c7b8aceaa34f30d6ca3352eaab4210c84807b

C:\Users\Admin\AppData\Local\Temp\eSggAgoc.bat

MD5 a4382399825726f17bca0038b0c1de15
SHA1 b2d564398922545e3217d27d7ea25287737caadb
SHA256 0da0a0747cfeec92a05b9bd596ea165b783faa69bb244d0bea9e8f923e5e8921
SHA512 e20dc67b424f63739474dca8e6bed3da8b67417b31939cf5b2fafa575ac2e8c4940e69925e01320809fd217a24224f18b0810ebe91d99ca2374f1285d9ab88cf

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 4f38c72347e0b50d1326fe3500a45460
SHA1 e9d4ec30e38b1016581e4085b9601d64f146d73a
SHA256 aa9aa36bde9003560d32020c06877da4a3f32e33e5f50c8cbb4260824ea233ad
SHA512 c9e97e8dc538f9d29256a415797a3bb9ab2b4296c65d03a8ceb1216ca3b07d6e923bf20ead20dfce4fa1da81f8b24545650a481135906924c88790ae242c2001

C:\Users\Admin\AppData\Local\Temp\Wsgs.exe

MD5 4a548c46da2aa9f1846d0c6a73c6067a
SHA1 9a435460174e08a521890ab62ecc32c4e62c5937
SHA256 677a5f888a47c992a7a93d08e9e75ab9337669b7d280acfdb76e44def1e43b54
SHA512 15d786177e7eb1e32367278d124f654e6a6631c896d9b7cc72adcafa12921b7e8da5723f9558d41e784a93735d0a35d32ca8cc6e99ec39d3e057064284a63b2e

C:\Users\Admin\AppData\Local\Temp\MEky.exe

MD5 7d4539177b1c211f732070a03f6482be
SHA1 88be15a916701485c6788fd4ce784c3c08d279e5
SHA256 18eeca665209f1beba3f230bc487279dbe8f522bd962a1ec15add76273ed24bb
SHA512 815c95a94f7d6725d98f1669b7afa1953ddc4cfb6dc949bab5815c0ac9f9374ffce096ea8ef848a0516619f23083d0e6103db5fcc03ec19fe7bf2c3507bd9cbe

C:\Users\Admin\AppData\Local\Temp\osAMYkUQ.bat

MD5 21f9142bfcf0392a67664172a61e8276
SHA1 8c7b01d7024ef06243a5d0e87bb20c8b236284a9
SHA256 ac2102a7fcac6b5717d7dfe4c13aad1b34605c52fe17e99673e4d6f105fef712
SHA512 6a8f4c35acb572bc0e1a9622a14b904faf6ececffa16b8739b9c3c50abd2f9f83dc7d40f7f8a74d5e7cdcf71e44ed0c19df0811ea1004b870b7fb361c762be85

C:\Users\Admin\AppData\Local\Temp\wkEK.exe

MD5 9634c82385be224e914f60680544e0c8
SHA1 a966254d0df2d8b1fb141ab6a6e1b74720115e81
SHA256 c0dd2155513f5f5d70a520487ccc9a4fd07430a8232cad0c379806db1d94fe37
SHA512 3783480dac70c88e40f7af668859d8c417bc4b30519bb117259a0a6121a25f56a7f13edd18c2f67a2a6e27371242c9b34fd0dde08ff03fcf0a20445c733854c5

C:\Users\Admin\AppData\Local\Temp\IcsY.exe

MD5 c1cfe3e4b53763d28ad639dce5ad5406
SHA1 a848131d005f074a9af45975f60bd290572489bc
SHA256 fb3f95749282ca676011a80c523dec2e570bba7f5e0a2950e91d2989cf32373d
SHA512 47f2355f7484af4427a8d0adc9877ab3a4b83276fbf53ff763afcd68c5aa9dc95779f7c3dea0dbb5cd8e885f3ee23e465d2b5a973f5e48252dfcea981382af83

C:\Users\Admin\AppData\Local\Temp\AgoA.exe

MD5 3a9c539a657a84177d10e23c45df3058
SHA1 2f25f2a8c890ca773a8d83765f46577b6294820f
SHA256 718073831abc4c45a5d613887a7539a8cb6124ac2dc85ca7114cb9650a028956
SHA512 1020738e1affd44dee8aa526e0cdf969a88663e8aa674463415f4e5db3b93b642ef72803b89eda02dbf047d7cd6a8166bf4a046882ff29543d61464550d59d3c

C:\Users\Admin\AppData\Local\Temp\ioUccIEQ.bat

MD5 f5d2d039a5130dae018d1e882ec0fef5
SHA1 8c21b4ecd0bae8c857aed7ff36970cd1f4c9c4a4
SHA256 259c8db4d98ceb399593ac68a8fc549fbd00292921c520defe37c561853d987d
SHA512 ed279ce2b1942c069f326bdb687afdb51f6e730c37c292b4581c8b1cd58097136014aa16e593bbd38d0ca2e5b39867b9364c98c160c4b5497f1a20518cf1c7d0

C:\Users\Admin\AppData\Local\Temp\MQMs.exe

MD5 93108b13dcfa9b601242625c7a9ea3cb
SHA1 3ea6b0c1aebbfdc3e67d9059e988f9c6c039b5f3
SHA256 918f870cef02eb4393d04641953c7defa038ed7279bc9800bf2801da4ba5bfd4
SHA512 00ee274102ed55c5e15edace6ffe7e38c0945a2de925215df14d8bcbd3ea056496ea495ddf32d1ad961f407d8d3de5320e0b0959f9df493220ec9496239919f4

C:\Users\Admin\AppData\Local\Temp\cIgQ.exe

MD5 0d3f48ff48a35b137dd1d37d75044208
SHA1 9622d2cecb1a7ab8299070170dded81bd819a943
SHA256 9c5fb6a66e80d7273aa04bf7c9a9fda13a9a8f7021ff26692985eab43db85026
SHA512 da2a0e4e24324593b328b020dde61e4f6ba8b4d001fbc2ea3d501773ca580b5181a89a32a8cfae3368e8c0eb80c9dbfa79c771a5f90edcb07bb5f7cba0e34814

C:\Users\Admin\AppData\Local\Temp\ocUk.exe

MD5 0eb509f13115c2e86474d7466177107e
SHA1 158c5555113f8e51769213a4f98b66515eeac4ce
SHA256 0580f686a24dc0a88d11a36a4a538b01d767d49e03d14efbea598c4a73b7b6d2
SHA512 250b5cc4d2f2e8a07a695457a0a637357b033425cca3d7e8123b89cc3c05ae8a5eb758c1d317e83be5a3e8e19fc056909ff0b1edfa2065e9ea92ad6475b9d4b9

C:\Users\Admin\AppData\Local\Temp\YUUQsMAI.bat

MD5 c4cb69c13d0f2d9d323a03dc0ce58480
SHA1 e5907729e1d04d311f627d8c7e4a39eed46da999
SHA256 891eb8b1ce1656410eb0d5460d476b558e7105c7268237a6c93af967b2ccc272
SHA512 6a690acc7e3bad17db0aa3140b6f9436194436d0042131611a4bd208992af2ee41b0a1a5d49842f9c2a02882788e94dff3eda3807964ede951c8ddddb1b5c4f3

C:\Users\Admin\AppData\Local\Temp\gIMW.exe

MD5 3559d7e9ff2781bef5149c60ae573aba
SHA1 e0be62c0ece9c5afd9f715680866d92fefc6a535
SHA256 013e11320149f89b8a6f5adee669800a2a4b216b5ebb44809eea9ac3f3361e53
SHA512 4cd4a3de0a519db67f62c264c5507b22ce47fb0543ec09811d45c9f788736c158f21614da8d71ef324bd402f5f3a3a1f1b3d09e276ebef1a97e794baf59a7111

C:\Users\Admin\AppData\Local\Temp\sowk.exe

MD5 cd23af4e32abbe44fc5c5468d96d041e
SHA1 4f125301a004178b8f64893d4a8a57a9242990ec
SHA256 97ccb5faa57d3530be5896b423e989865fd9082c77d6ae85694f46a01576831b
SHA512 e2e589baa76f7c83b7358febd86d1be8771e14a062a6c80dc24a4751969551d7ebbccc8e6edf0ae1b1c33ec38165ad3c590488835e02148ef59b901fa2092214

C:\Users\Admin\AppData\Local\Temp\EQsi.exe

MD5 0ac9bfa8c25c8ca7c29b0c3f700c8d02
SHA1 3433e21b0ada492e2ac047b32246e24b963f6c79
SHA256 108e856105fdc6ff2624da977f9fea542aad63441d864c60ca7cc0b22810b2bb
SHA512 9862ffbe26ee548eae320da9625052bdfc87e5c4197b8ec0f0c6add619ab88386f8a3b8a86eae22939bef6490c5bf58474d25044e69e7238290e57e406a8cf7a

C:\Users\Admin\AppData\Local\Temp\hkUEIUEk.bat

MD5 1dc8a8f2f0fcf8d83e9ec4c4e379c2b4
SHA1 b6b0ee5a44c962577a0d19d38e3292062d2df05a
SHA256 e4c93f2f8ed451da09f8305755b01af0ae28b66b38bf386d6673da4399e9e2df
SHA512 49142430923b6dbc9854af1d320cd58f805d7526095c9deefd5e7becee8062b4dd3273bb1d0f5b2b052287c3ba39697d8da4b1f31235525f97e95ae79219c494

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 d3bb19e998c9e6fd1af58c8c1215dc1c
SHA1 4c5b1a346b234b1c28bd4169a6bb3f2d6523930f
SHA256 baaf17da90268388cfbb528a36e8ea2b23415316d1ab844b9200094be3f87982
SHA512 5550af03ba1a1527a99ebba72d9534b53af8c39dc62337eb78b7a2dbc0e1245722eeb795dba91bbbce0ad88ab0d86e50fc9a8ef6537d5b7f6b373117729643c4

C:\Users\Admin\AppData\Local\Temp\sIsg.exe

MD5 38d3fbbab598951bcc82922d697cf68c
SHA1 53273b27f80b23d01c5d59ad9f454a565af1a9a6
SHA256 32105cfb11907b127336f1d77e5685d414dfc7b77480f5927ca988ce5592444b
SHA512 2d54543d4d21f45418f6511734c7c5dc4591984ba321bcecfc4d114ae94cb026de97d1ce406f60abe5eae923b4294cf4c2d05f94b1d35776425ff184a0c7eee6

C:\Users\Admin\AppData\Local\Temp\mkAk.exe

MD5 94171372bf0421a07c33f6dc01e7dba1
SHA1 b6b5ae834f1c7c2768eb35c7b807a794c8438d9a
SHA256 3ff334191542684305cbae6086069693f2f9a7110a5c6bbcc3d938c1f44b4aa7
SHA512 1c216a3640d9ebceae5e2338c255c8fd4c2d764afa0f57c1b3ece9c810cca1f165b818977002c1c65da97ae9f1f53cf2f880900f37e4529a2b389bdb222e6197

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 52c8627ae22441e96cc3a9f35adab79b
SHA1 0058f1824b674fdeb2a4844e60909bbb1d2a9ef2
SHA256 03f8348ae4d473f2f05f10b1bd501e40e15fccf32b3bcb4b2fd34e92b5ac3cb8
SHA512 e6ddbd30b9abcf77318210696f06af12964f7c9886fc571b9f07268f5a56e6ea8232d7623fa4a37b77e6b5427eb5294a6835929fccfa4b97666fcc45d1dc1795

C:\Users\Admin\AppData\Local\Temp\jUQgsoQI.bat

MD5 aaf3162942aa22291dacdab884d43504
SHA1 adcbb363c74290070047a220940135151197a358
SHA256 09470ef12a2521cf4d8bdf7ee0c91f0d87b5d7a58b20b47a7e180f4a0e0f0504
SHA512 856dad187109c7934d785972380ad9cd1835ed2db80dc8da78158685e2e2a8ba72d9f2797018d7b87b9629f35d96c895dab5cfad1f45e12355bf5ec8532e9d9d

C:\Users\Admin\AppData\Local\Temp\RGUsocwc.bat

MD5 a810db6b107a5ece64ae8ccb573d61b8
SHA1 cde6b4e9d3525185b932f7eddd5895e63c264340
SHA256 07c2cd4b27d3ef2cf865b25d27041e3bed1a89017e9d37d786405908d99b5844
SHA512 e13df7cc0b1258a7a17ec0a077c449c5931cc4a0c2c88ca3a7dcde6dff6b0bf01ec87dbe428d1c5f8c547879e5d7fe413991a7ed3b963eda5668b15bf7ecb86b

C:\Users\Admin\AppData\Local\Temp\acgY.exe

MD5 a73f3fb57bddfa9c65ec067c9689e7ec
SHA1 64e8cf5e0c5ea694f5eb495399480629935f5aff
SHA256 c360c4d1d2c43fee23c8f01325bf1e3ff445aded6658fe51c3d952aeeaa593ea
SHA512 d90add9c71a1ad66960ceeae728b5de0788ee6bc95a6fe032a1ba478518dc1c1cd9362ff6f244a457b5010a4fd13c9c6f14e076913deadff529d4729811a168b

C:\Users\Admin\AppData\Local\Temp\ywsu.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\gQYS.exe

MD5 7844973a5b3ed165917891a90140cdf8
SHA1 f3df0bd10a784a39d5ff0e448480ac796449436b
SHA256 15d90bf55af232ad2c548e83206d9234f4106a43abf2cea35b45f4021f07826b
SHA512 14eab0cbe72262d1bd2c2cd4d5f76ab97499b0a5fb8e9518bff64092c30631b4e7eba83143fa0840fa0ea42b108ba58a834d4792d8d6aab61f308fe11c79bfd4

C:\Users\Admin\AppData\Local\Temp\sowG.exe

MD5 a16e1e3170445413c97edebb889966e7
SHA1 94ae147faeade410dd3ec0358a146ad58410de18
SHA256 295d03be587d830da7fe05338b8f5ed305cdf6f9de459604f5d8acd7f6257143
SHA512 e881cae42e0379057dee338a207c48e18d312ae7fa750879011243ce55cbc06aaffee364d06f26ab51531feda4c35f74dc12d87a1f4d37776fbadc906f7392e3

C:\Users\Admin\AppData\Local\Temp\yAMQ.exe

MD5 588dfee1aef326cfdb9c0b681741fd8a
SHA1 863d9ec2036e0341a91f8dd4378ffe6f89a720b9
SHA256 049a52b095c6024f628bc48db4d4e7403de3794114f0bdb51e79334ce14a7007
SHA512 e484d26aa446497825ebd8562e7ac1bd5326350e6c486e1e9de1cc3524ed5d5cc9dd89e2269ec8bb21362e3239f1c5f5681fd42182642f89d3b6b9b014e45f2e

C:\Users\Admin\AppData\Local\Temp\cUsC.exe

MD5 79ee746e8e86a6b77950f321c2b6da7e
SHA1 f90e87f865a42a4016cd62c5c33f653f45311a80
SHA256 54c215f35ec779c4b4e2031187a7c7a2cec53837b81bd77baf89e71ceca5e7b4
SHA512 e43ca61dcd3836aa9fa002f3855571362eb410e944788fdfc8fe281909b931740dc1cc3be0f298b39a232d4f8de82650449fd7d28b87affc9871c0937e63efdd

C:\Users\Admin\AppData\Local\Temp\WIQYgogI.bat

MD5 5eb29b68dfeac94c100bf9baddaa9796
SHA1 8e7671a42195283dc2119d04d4a7f5bf2ba8ffbe
SHA256 85a8e59dff9551cf6135c12cd1a445c7980bc3552a342f97de879733989d9f38
SHA512 3e2b556e1078862fef2d6b6897044f0191067d7ff83144387f3ff794c48e5307dee3d3fdcff0f993e12254eb0d6dc42984010f7f4d8941992fcf78d1dcbc32a7

C:\Users\Admin\AppData\Local\Temp\MAws.exe

MD5 3ab51bd597973df945d4f125bf262f3f
SHA1 407ae1a5e2688ea21c263a9d23854bb2f3633776
SHA256 9b001df9084d80e62c3e9f3491a16f618513b76b8dfcb1c5a2d7d90ad04b10a3
SHA512 cc20ebbbfc3c1bb0facdbe0a05e464165026cf4516388bf9672b4cf2e2db4145a62e59129269bfd68bf0a74d4b5aee30accf976e108877c5a85f406c1854c570

C:\Users\Admin\AppData\Local\Temp\KAIC.exe

MD5 cf40afd4f05e9088d6ce4d8bc1bbf444
SHA1 083e46c8e401a0e3119b528479d4cb29787f5b33
SHA256 c7712d6175c8e059ed136032c448911ba0c1642fe3184a10a31d2f6e47e2e793
SHA512 05a3a6587bd094ac65baa586fbbc535655480e0cfe9106723e40b45bf240cb90936b2d16e14f15de331456247ad0a286a172aae5704fe8a29050822e14914898

C:\Users\Admin\AppData\Local\Temp\qssG.exe

MD5 09b82cab6080165ac7df81eaf5194565
SHA1 b4397674be8c1ba9e87302a445e0f31d23bbe841
SHA256 648378a361a151cd82f11961aee4ad5d44338d9bf323ef0e23e670a095726975
SHA512 ad09351a37fb8a37834bf43961d7e0868e6d63ec8e634b22f7391254e87ec07aba903e4f26224cf482e14747c8569b4e0f94a384d38c116de90d9e75dcf3d15e

C:\Users\Admin\AppData\Local\Temp\GMUUoMkU.bat

MD5 a7a6d0aab87f0e6c4683d3d962e5b5f2
SHA1 7fa337dde55fdf859df4dc77d054a99b771b0f57
SHA256 25839a7edf11f6aa1d25d6a513c45e7068a9865ec5670a46d3c3c4f4c41c4a84
SHA512 35688cf6fb90a42983f4379f5e136dbb761eda238ef9cf263031db9698feed820d2c2af1692961019f8af31c0237b38e0cbd76b49db50f993d7f175402d9659c

C:\Users\Admin\AppData\Local\Temp\EUkm.exe

MD5 793b51bb17ebd86217ccb0350838d3e0
SHA1 37a2c43fc85d211f5d3518f24236bfdcd6dea327
SHA256 1a972acffe56a19c489b0d45307a8a76a42568e8ddf091aaa2e9b86a725c93d4
SHA512 34837736902b0e6a7bff4dd7da102b4193c2704beb0957b141ed8ec513da7fb3d8a7d5e60a6bd4469a4ecd608803d0e270d76063a59b8cb62932ec0f093b3080

C:\Users\Admin\AppData\Local\Temp\AAow.exe

MD5 ae2eb76f226c5f4ea40d1033a3e7b5e5
SHA1 f25a07bcfd6838c7dadb6fe6d4268c89219dcc3b
SHA256 55e2c572686152d19d574b4916a68f01b0f1ad85abdbbabfc71a59523d90fde0
SHA512 1d26fba63d53b82eea715e40abb0597a04395bdec6a13df4e32570bc0edb9eafb24a089dc0e34b0be1e9283b94761ba61f53105c6e48765a7af75529be3e6083

C:\Users\Admin\AppData\Local\Temp\qIoO.exe

MD5 b6b6dd11bab05e313d3dd9609d723c0b
SHA1 f38f72faccfa7c2aa24721af80de10c7e583212a
SHA256 be19e4799f5758addc31bd95cc01a4f994a0f20676d376f6cf8d35cbe13e7fb4
SHA512 e2e8d15704a1440bbbd86494363dfea4c22cf4865016f962c9a9e8d678f340e457c8ec831adc53214c264b7cd97eed88c99e280a647f9d65492f961da4375fb7

C:\Users\Admin\AppData\Local\Temp\KkkEgYEQ.bat

MD5 40a89f07bb8972a919f683b0e789dcee
SHA1 7d51998d403a3a631c03f4aeab522ae599462197
SHA256 5438319febbd2d1da3649db8caf2213523dc3029d5cf84e7baa81d38cdb1539e
SHA512 d842926a789d74cd58c2d4a2a86ce595346f0d43ff111e30123a7dc972d27540e82494b1a796291fd45047be5925d8ee635f191cca6d5c06d7166be19096d762

C:\Users\Admin\AppData\Local\Temp\IWYQIYco.bat

MD5 62b56330bed543235d5d53ab1202ef80
SHA1 ee0e24baf9914718827ff624defc2eadc3e71413
SHA256 af689d11555839149395d5b178ec89d7c8bfe39fad7cbdf380a5495a2a3b72c2
SHA512 71063888ec231fd6c11b5cc13f5286448d7af62bafebfa49ae910bb86c968cd5037fcdf2d4683dc54cf57ac8f5ee74be25f3758462e723cd49c9bee7fb01798a

C:\Users\Admin\AppData\Local\Temp\tIsAokcs.bat

MD5 1585815371f6376b93457ded21854bed
SHA1 47a800f7f7d59bbd7d8ac504d88d65d173c8c565
SHA256 fc53004dad4dfef651a722b50bb5dcc0c6ee46e439c65159f5f5f868de9f6fce
SHA512 eb56af2c46243b4e43cddf7a3bc3ec907617171eed3289afb290d1e9eea08f07bba59b23571207fd90db2daa315002ae74d2f888520534076676961f6c1155b0

C:\Users\Admin\AppData\Local\Temp\tascQQsA.bat

MD5 cd61b00cc9dbaea7649f2950d13754fb
SHA1 dba407fd576073e52aabef2ffecc384c8da2cafc
SHA256 a93d389aa4c082805a27c39366d51a36fffb38970e3a4777e864f4ae0e3fc1ba
SHA512 7d30ee61b28426286177319b1281a9d54113ea10d03ab5df5e4a915c2b25f2f2c7155646e91c3995435c5832668fffa08892304ee95bac6ec2fa63bdbfdf4e98

C:\Users\Admin\AppData\Local\Temp\FokYsIoI.bat

MD5 dca11d7f82fb304a86a71ca5660c86d0
SHA1 6843206e62c98f4b5f5288476cbc3a8573b20e2b
SHA256 1daa9e27ff97782f5a58fa8b0be163e67d86454caf33b9bb56c983fd61d593f6
SHA512 d6d24093793f8f5b39b54c45b51b27e1bf47ee1d1ab2be0ea2b063bc56b5df99d22328e888048ec45b73da4b580a597cffadf64f34f53e22262d276ce38d1e09

C:\Users\Admin\AppData\Local\Temp\YsEQEYcM.bat

MD5 ae9bc033f1c4d66df623d6b317de63ba
SHA1 8cf729df05b8b03e2c1f9a2a207c26b20e879be2
SHA256 26b793a88cdfd316d8ee36fc1ed311dfa991eb13f81074f4d60a95467e336eb4
SHA512 e521f9832c6a8f5ffa2db1752a8b9d2d420f1326cbe49455e7160d5239089d7e975d0019f18e8e0757b8616c42c5a452e0d583aaf2ae03e427d85ae255a887c7

C:\Users\Admin\AppData\Local\Temp\uuMIgAwA.bat

MD5 f82e060d669e02d9e148a765707d7917
SHA1 0006a00ba232e07f95028ee1e9f7161e5034a30a
SHA256 3cb12fc77921c0a48ce6b1d3677b79f8d112f55e30e36cb7fe088e87d89858e6
SHA512 afde173fd60255f36f0b653bd44bf56ac19dde3c620aa3486730018acc34088b9a9e782cbad49a728129f4d9e9727d0744b6e56c2761a7b910cb931050368455

memory/3008-4335-0x0000000077510000-0x000000007762F000-memory.dmp

memory/3008-4336-0x0000000077630000-0x000000007772A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sAQwAccE.bat

MD5 46f57ca4cae4f36214eeb6e4004ec3e2
SHA1 0d797b90c9f70d8bb3706fc516259b21e6e7878e
SHA256 d9621961d1fe72d648e232950287fccd9ba54785da6e00502024175fbc61955e
SHA512 54e6904e37c8dbc7d00ea8d886a421d09debd4a189adf1d5897ba083dc087df219076f46586f15b273a93d0edb5b41aaae72316311cd7c188fc1c68c3926049c

C:\Users\Admin\AppData\Local\Temp\OKgwkMwE.bat

MD5 b2f71f472fb0d92a55d55d001613eecd
SHA1 fb486fe1ef73a8068b013cdb7ae99f1cf2c46ff9
SHA256 269d2dfb5d99c1a6394b70df5236bdc9931b19819607b0d2ba8d604cad69b8a4
SHA512 07839c362565d08f78dc1b723582f83f4ac3ac35ec50c80da14ca069bbf119d44db356589057184ce9f89334e40893b3cacd0893f67e52799664372cca1b2075

C:\Users\Admin\AppData\Local\Temp\nKAckEME.bat

MD5 ae3bc6d3a260c8e753a5f8270194c379
SHA1 a6c3254268f1adcf58032a7fd05623252d770aaa
SHA256 6d2e67e1342fa6bbfb754bd780fb5a397c10d55aaf6f13d5c43aea750f5ceed8
SHA512 b686215a41c37fd10885ba7c15cbb629bbfdf538309e16a02cb94b7f84507608bc2733ac2607ed1a765192dc4cf86d16bf529343924a33bbc2beb5a19ecf020a

C:\Users\Admin\AppData\Local\Temp\dAoAYgAw.bat

MD5 12e79f7adb3513d3eb25572b29d62a76
SHA1 7a91919bdfc75848b30e8087e955f537f261d9cc
SHA256 6035ba3bfeaf712e57a952e9b61716cfd8ea8b28953ae750ac25fc53eeee88e9
SHA512 424cf8ab9c9fd66c55eb6cf47ad7d5ac37866044a0e2cd91df6eba70c11f25b7c605f605a0f4fe644f394282be76cf5446a826b1ba5eeb2203d562c1f5e5e636

C:\Users\Admin\AppData\Local\Temp\PMMIMIcA.bat

MD5 4d0cd5cf3158c2d75ac6ebe65eef1053
SHA1 cd82c60b139757f48d89860e6ed37ed7c215f49f
SHA256 4143212f8f09858444355a294654c37e16cf24eb1169028d182e6159683903c0
SHA512 d956d245ea2731d56ec47e9ab73e94f2a99ec716a3207b6deff4de7df1928a4ca8babd7573e967158cb005d672829c7e899ef27a498454a6380921e7523e9790

C:\Users\Admin\AppData\Local\Temp\LmAEscMo.bat

MD5 413410ae93bea61989b44a68f277f41d
SHA1 eed9a46607c6c0ce179351ea423062796b20546d
SHA256 73780fd1a6e8e6e6b0e4fcd3b433c9da20676f6a613e6c08ad6d65019fc49453
SHA512 22b656258b2cd69e7e4a7081b4a55d09c232a47d02f48810fca88f578291d0e3610101065fe6a0143e9a398fa35c739b65d97c63a6d9db26dd11a083138f5753

C:\Users\Admin\AppData\Local\Temp\gEAYwUEY.bat

MD5 14dfb74241b94dfae826d1b4d169bb97
SHA1 6e4f694e21a6cb48d70df3958124142c109be747
SHA256 5737b405c65b429b311936939e5a25d67a6ee8255c9bec33e44a67380ddf6c76
SHA512 1d685a983c154c82f0ac2a87995586e1387d36ac7cbe1a240622d7256f272dba1176ed3ec99b44727533f6fde72df68856bd79ba475798901d82bce6375ee88a

C:\Users\Admin\AppData\Local\Temp\YawQEwkA.bat

MD5 9b90562c11da04929fcfe623620bd3fb
SHA1 7ad7dee4770d7d875e0abff2463356d7e2a2a523
SHA256 549761f1c4c1a9083146c8b3dcdee7a42f8fa0f8da9adf38a6c628150cea6893
SHA512 4027d28c101620b650f10fa40f3cef833231693fb7735205ee8261543d088a0c4ad2caccb2bd0c842fb137c0156438f8ef09a97b7af2d73fc4b0bc52274f7358

C:\Users\Admin\AppData\Local\Temp\QsoEkEAM.bat

MD5 392606be70f4edae903cb3080b544cb0
SHA1 43cfe8f4400c0cca91c99db23823d00ad697a956
SHA256 3e58db73166624f945882607c8bfcf15b9025d2fe583c62dafa4844e3ecd9f48
SHA512 d8b365b10b187e75908dc7dbba51ce1cec9183bc26cd04a6d372151a43c3403686ddfff06497f155c5291c0802a6eefc52859aeae09db6aed00f34299855121b

C:\Users\Admin\AppData\Local\Temp\jAcYwEwE.bat

MD5 5a9eb7efb3dcdc0fbdbbcfffcf2bcd43
SHA1 398dc96ffaaaf1cf6edb89c46c945f04d31a863b
SHA256 7d61225a3e41da226fbc8f49011beccedbc181eab95c2804dd15215f40ad231a
SHA512 1952b5a36471ad0ab72a25e1927a1e39d9758cd95bfd028e85f1126cbe9e21bac7891c03c4931ad394cf66b2d65f60d6814d7e71a639ac1cdc8cd730a7f7e6ad

C:\Users\Admin\AppData\Local\Temp\ZogUIAUw.bat

MD5 73b22f6feac4a1884ba64da3baef34c8
SHA1 29444eb95112018ce55063961b3d4b5e8f1b059b
SHA256 9a95a39cb8b6b4ffeaa7b65f3906bf7639f07751dc60ed980cc3fec581ce49c1
SHA512 ec5d3569dfd67cf945a4cbfb9c0d6851dc0a256ea26114e10c960c0558a814290ad3307dd5d516582237a862d6a486c6a00d875e07e81d6ec725a94c9cbe4b13

C:\Users\Admin\AppData\Local\Temp\nmwQgEAQ.bat

MD5 03bc13463dff64645f2529d5fe1d0ff5
SHA1 8da7c504a448a58c029097869d6a40770ee8af45
SHA256 bb2f6f82f3cb52a7d1a5a16bd480a497c6ee1b99bedb471af49e82385e22282e
SHA512 3f5352ff1387cd777a969e14450e739aa58c7d4d212f5ec239d7e4e693a6e1e2e02a5effb9989b372222d24060081fd0fd839c5eabb885ed801dfc82c621019b

C:\Users\Admin\AppData\Local\Temp\uIYYAoYg.bat

MD5 dc1bfdaf7a3d0b6968803254afd2101e
SHA1 82ca306db79dc0039b047d47ea262e938c4a3ebe
SHA256 c5d550a2186ba7695febc248749e77a50fa79b8ed71d3a7a94b1f34374bc3de5
SHA512 8e069c2c98533fccb25870793679bd634bded1130cc4a73fc43c049204045493714754b911b3e55f09365fcfb450d3c76e9775ff632d9e08744ae0f73e7a8d30

C:\Users\Admin\AppData\Local\Temp\UMoIYcko.bat

MD5 b9b1cac54a5d80aa403eb60e10145bf8
SHA1 544be5386bace712df4e03b42a1c039c0bbae071
SHA256 885f286bafe01257a6edf9aa521f5d6d7f1f6950ba0db574d322b6b3fd21cfce
SHA512 b39d529a3d2720631b586f4b38b881350161ed1c5ae3ab4fdcaff2a0ba036337e779fc319e832fc7d1b7c8c2207ed013219209be38d501d47b2da0d9d84b28b0

C:\Users\Admin\AppData\Local\Temp\EksgMIcg.bat

MD5 ae28f90aa9c873d705c514b7882b5297
SHA1 dfee5eedc79d98dc294633692649dc1e34aee07c
SHA256 4915cee6c17b900fb659e3c1a63bb1a46f0a969650d5e9047439e30e57efbc0c
SHA512 0e73a8936cb27a1f30f82788b32284e5d66ec6bbd918d3b86de856639aa0b4b736703e7a470a0131663efe1a4491d61c0ddc16abfb7b86a61002d4588f4da014

C:\Users\Admin\AppData\Local\Temp\puQkYQog.bat

MD5 60de585187f0701c22d7b8049284b5f7
SHA1 55620099b1872b23caca6a21718a4f1dddf068df
SHA256 6cd55139569d571c958e00212f79536cf47fb08dce8e73b8481f0deaa1426c9d
SHA512 b4f2b529698a93d44f4ad103a06f786f3c54f21363e660124683fe43e0a9b7a05be946bb8ed385f9ee09cccd444a5c78d4a54c0a554e24732a5b1a47d3d4bfee

C:\Users\Admin\AppData\Local\Temp\puQAQEEw.bat

MD5 b3d9ebb645e3563a15d6e428aa01471c
SHA1 8136ce156de0e853c6c8051ce9e268e85b7ff18b
SHA256 c04109348ce9c938484a9339d327d11d9cac1ba44a66bfd959381974f2680277
SHA512 df960eaab3b978c535794de00d40f68b6860540ede46abf10ebb604ac676c87bb412c9d966cb3541a9071ad35c6c1e50f8eff9804943613b9e7892624239b744

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:30

Reported

2024-10-18 02:33

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (80) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe N/A
N/A N/A C:\ProgramData\NcYMskEE\KeQMowMs.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KeQMowMs.exe = "C:\\ProgramData\\NcYMskEE\\KeQMowMs.exe" C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pAQgQQgU.exe = "C:\\Users\\Admin\\fOIgMYgk\\pAQgQQgU.exe" C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KeQMowMs.exe = "C:\\ProgramData\\NcYMskEE\\KeQMowMs.exe" C:\ProgramData\NcYMskEE\KeQMowMs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EqIcsAoM.exe = "C:\\Users\\Admin\\sGkYkgcw\\EqIcsAoM.exe" C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lawQAkkM.exe = "C:\\ProgramData\\XOYIggoU\\lawQAkkM.exe" C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pAQgQQgU.exe = "C:\\Users\\Admin\\fOIgMYgk\\pAQgQQgU.exe" C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\XOYIggoU\lawQAkkM.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 560 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe
PID 560 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\ProgramData\NcYMskEE\KeQMowMs.exe
PID 560 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 332 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
PID 560 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1428 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
PID 1428 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1428 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1428 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1428 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1188 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1188 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\System32\Conhost.exe
PID 1188 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\System32\Conhost.exe
PID 1188 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1188 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe"

C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe

"C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe"

C:\ProgramData\NcYMskEE\KeQMowMs.exe

"C:\ProgramData\NcYMskEE\KeQMowMs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYYIMAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BekcUcws.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmIoIcQc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQMMoUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YksYAEEY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmIcAswE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyIMQEgY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psskMUYE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWcQgokM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGMQYwIg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYwYIYkE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEIooEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYcMUksc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeAEIokc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSQQAIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYcIUYcI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCUcEAgs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 25de4b785844f03fda3918e399084898 bOv4goY3W0ai0jLffGy+6g.0.1.0.0.0

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv


C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heQoIswo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEsMEkAc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCUIAsIU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awAsIUoc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuMwEcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiIkcgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LigAYIMk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqYsYwgs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGIUwMws.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYcgwEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQQscccw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEwooooY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSUkIAgA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGkcIAQw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vugUQEgw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYgMAEEA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uygMkkYI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUUcoQAU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOEEUoQo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCoAAsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teMIkIMg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGkwgAEE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMQQcAkA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQcgkEwg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsMsUUgk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCwQUUII.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKMskgQA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqoUgsEY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUYsAwEk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIAEMQYs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQkMQwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIEMgwgw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BucIsckM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwkkkAIw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkwEsAss.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAcsQkMU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coMQYEwc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaQsQUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMEIEAEw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuckEUkw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOkAgAsM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LssIYMMI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgcYEosM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaswMIMM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKIMUsoA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIkswMok.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqAIEUkM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGwQMgoE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XooIMMYs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqEEQUwc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\sGkYkgcw\EqIcsAoM.exe

"C:\Users\Admin\sGkYkgcw\EqIcsAoM.exe"

C:\ProgramData\XOYIggoU\lawQAkkM.exe

"C:\ProgramData\XOYIggoU\lawQAkkM.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5068 -ip 5068

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOIMwwoo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 540 -ip 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 220

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWwQsUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWwYggsw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsgcUEQU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkQsgYUM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCkAAowU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqosEMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.179.238:80 google.com tcp
GB 142.250.179.238:80 google.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\Temp\aMAy.exe

MD5 e5ac02240f28db4a1e57dff23aeb9e98
SHA1 eae5f2b3bd45ffcfdf859275244ec5dbbed3a8b3
SHA256 75686bf46dc0b0e8d08998a252e5b3619300f6fe271c4b298785d03e73d5e572
SHA512 e3493d9cf81c616b544fe868675947ca67d3b7a91ba6b943eb7fd41ffbc7617cf3a1021ec5488db746092bb3e6338375cbe204f65827a24eefbf0263e79b6220

C:\Users\Admin\AppData\Local\Temp\cAMC.exe

MD5 9b21122710c710c7d33f8381819e8020
SHA1 720c42d711c1549386cee59bee16196b01a1fcf8
SHA256 71cf32530de5bdaf1942bd02327fd542b1f9a7776377c4c95d40c21c661c54cb
SHA512 0c5f1359396925a3ef95e55fb35d0cebc7cdbe45e514a3e9e065ebb484107ecbcc74a50d21d4af3dc3c0445aa292045971acf0ed797422cb1d54fbd74060e96f

C:\Users\Admin\AppData\Local\Temp\wAow.exe

MD5 36ae05a3f0721d42ce55cba9359de92a
SHA1 493583aceb4a4ca967039dc6d215cb2d9aedb10f
SHA256 b7ace65299a18890cd350b24f20fa343ef267509af0157378ee54711301eeb32
SHA512 81b103e345057fa67653becc05d01c7267d99f1e57edcfb7c142546e015a8babced3f4a1bf20ea5694aa477578d4d87cedc65b67f80b2af72c8a1516bed968f2

C:\Users\Admin\AppData\Local\Temp\msYo.exe

MD5 4b0882d2f1533aa73ba9084d35e3d3ff
SHA1 d08b7f4501aea99e71ad4208dfe9f4a94ce5145f
SHA256 ebda289c099ffb29b9e520f520a08d282a39279d3c7513003abdf29c8f46c42a
SHA512 1aff3eb2b0c861d074fd0b7667a914179da1a716b457c2bdcff8a20a936b35212d9d13a3768c7c6c24199b4aad881adfcd4ce5983b5e2395c922dced4f58c2e2

C:\Users\Admin\AppData\Local\Temp\gMIA.exe

MD5 653f7d726d057ad2764a2a9ea9e99287
SHA1 77c72356c024a5346df052a8dc737dc6051482d5
SHA256 1c67e2e887e05d01c57cbb8b57e1af768fa15818265dd3dbf062614d9ad2a0d2
SHA512 73e09e4c6981b439ab16b7e70e72a16654593db4234463f93889a09796627cd4578b70c077f5dc16aab5dc401e4dd3aee4c9789f8bc1909cd5aedfef175a2a8f

C:\Users\Admin\AppData\Local\Temp\mkYm.exe

MD5 274dc56da6b626e1e8931d4ab3725719
SHA1 7ac2d9daf1f0738e7f0dab970459aa8d18d2de98
SHA256 263fc37c67fc2ee514849c96c86f7453f7320fbc27004bad583051a11cf4685a
SHA512 98aac6a54d07d1a29e0dd32721d6680325806a7d90f349fabc2e7b4e8f9262c59ce49c3f08eec9d759393d61fd5fcca495e5f8f8e94c605d9de18ff011c44c05

C:\Users\Admin\AppData\Local\Temp\woMY.exe

MD5 a80b6ff40fd6a3f79cf6ab4399a4d4d2
SHA1 c61816b841fc06eea8abfab9a608fa4665390c8b
SHA256 f11372979ef5e2367471116fb7cb102e2a2d123505e582655acfcf5d1604c7a0
SHA512 452bd01c366b47d6633dd3068146cf2d91326b412c74d0218d831dfb953f1bce497f3825624253bb19c32bbb1130572cf6d75dc50c00a8820351cdfef9314e9a

C:\Users\Admin\AppData\Local\Temp\YAwO.exe

MD5 751243c16cc5fbc7685663a727df4e07
SHA1 01fcaf9eee574624b0dacadcf2995c43323e7e2c
SHA256 895e413d3d30c9b9bc5f77e023121e16091e02fd0b7ddcca4967698576b60f9a
SHA512 075a98c6cceb4806bdad946154e1c619850c7f0688b509382419adeeda1d1277f3b6641bba4aa4e6c92f312e5c14e54c4ec21d98003ec1aaec7b9de1babd5cf4

C:\Users\Admin\AppData\Local\Temp\qAcs.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\mMEO.exe

MD5 94eb64168f3b5a1396b6a13f40dc0a53
SHA1 42742abd451a58ae57b9b9c1e50461968eecfd1c
SHA256 1422d2ba08981b5f9c7a370c8e6370e4d6d892bf4348c68247c70c519f6bc26d
SHA512 d13165410480647a45fb548bcd2872ebe5e8673ee59c8ba2a46dbb0d8d8f29a7d4542746026c4a2d9cdcb1179099bbb3afceb62d6af85a1d634c7e2dd770d695

C:\Users\Admin\AppData\Local\Temp\ycQe.exe

MD5 75812fe3b4cbf54646bb2d93c5bb1608
SHA1 0d6dc377b13ab3af8375ae2010d40a64ed2119c3
SHA256 567e37d4a320b65d5fb2f3d3fd8bbc0ab4eec04648898169edc035034a5c6210
SHA512 b9c62a14362a17589e27440134acf85d4ddbb5f37cf640f8afceb17e31f72a5ae2faff7fc28e9e27925a366b2a6ddb6f17eb38bba8ea14ca9047a0196cf6e25a

C:\Users\Admin\AppData\Local\Temp\akUY.exe

MD5 8a691268d5bb2a302a39a7e591e5d9cc
SHA1 6d5945f896f33b1cd4ce4b48780ce0006e3dab45
SHA256 29ac5cc9f9cf1929ea0e4fb21a388c17220f5ca1141659fc382401d5389012a9
SHA512 9143a91818adc5fdcf0371f94062a716c9d2f47bf9d06c83b2ba8b496f885d2ad8a4a0f546bb94cd10f2238073962e0b0ae235973acc423c74e55451cb190000

C:\Users\Admin\AppData\Local\Temp\ugIw.exe

MD5 35708af9a3c36f619e46fa0e4d35bf5e
SHA1 98d1880e38b85922196fb94990ad5e5db85d0f24
SHA256 474620fd4498cb417c3f073bff2bd6eba0f9f1aca544a6644904215c1b95d835
SHA512 9c2f3a5f450d10f22e2e0faef1e97d710f3785a1a15d73cf1e1a4e036b4f25115824eae250f084b945be1d93b30ce987770fa4808b43c17ec496b24662faa042

C:\Users\Admin\AppData\Local\Temp\YIEc.exe

MD5 3b69c9250264ee2eb405dad9836c1fe7
SHA1 47360b65122975c07e863057c17676a6517b4d93
SHA256 1f1099799a7967abf0df147cffa4f0e9efbe5a4592d1198167485d11be274ea0
SHA512 2ed7ee258282d5a130ea0d18b8e8612bde1e694028370adb1deceaf4f5e8da6ea5ab1ff5e8c1c5f724399cf7c1499327d9c80e0612da5fbd0a3835bb847bd6e0

C:\Users\Admin\AppData\Local\Temp\IgMq.exe

MD5 ce42f878d2c8fbc4a6cbeeef81410915
SHA1 7c3e137c92f943ffbebf7ac798790eeaada12a51
SHA256 6189753d6b2ef8a4ce107066a03c04e3580427183703917c48cf4057912af772
SHA512 310622fb3c54ec3184cc5bd7d193d90fa5c5ea489fb407dc95aad538f4c4825590a50a47d40ab50d93b1460a8b0b55e361908801805a74cc8e86250d917c3ada

C:\Users\Admin\AppData\Local\Temp\askg.exe

MD5 101d80b11fe13af688d56e1a6e19359c
SHA1 cd8c92ee14f1af7e6cc3e60c9481390974f03c41
SHA256 fde8d6814aed5f281733660dca33d18586f6a64c707f23b717f6b53273d59fda
SHA512 5b510393683656935ced6b9a9870d121e6b4a60ef4628f547d036a093d86eef6adb2a6b39aa0bf21957fba0da99418e2923c5043858f18b5741876ae9f695823

C:\Users\Admin\AppData\Local\Temp\QEwS.exe

MD5 e79c78fd2cd83d4f4e7777cb017db03e
SHA1 dd24f471a63360025372386237a55f7155b777f6
SHA256 54d02670171d5a3aa3e40923a752c3bb74610a9e0a7f534cb386ae2b3581891f
SHA512 4221dc99557ccf83a90c00fb17bd2598773e12af63234afbb3168279f4e7e01c344d1c39878240d565bae5035da2011eb5f6e4720d14b909e1361eab9793da39

C:\Users\Admin\AppData\Local\Temp\YEQE.exe

MD5 c062564ef0dfcb4debdbc9e51b922bb7
SHA1 7d500a889793392ac8297aef2ffe4c623211833b
SHA256 5fb49aecca152abde0d55adbdc739241d365e176c984f2cdbfcf5bd5220cc2a9
SHA512 e3e8bc7f7b9f7e3cbee0d215030dd6326fe9ed870bcd38fb3f3a983a70818167b46de648d2b5d50e1e32a475f14d8797d1cb6c59fd1c256fbbcd8ec86311d7f1

C:\Users\Admin\AppData\Local\Temp\SoMO.exe

MD5 82cf9af68d2dbb7507c5240050bbe220
SHA1 19bf50c8aed7db7d7493eb59420b9591c1e8d1fa
SHA256 b0712f7a232af18d2628dfe9f890b32d6e02f32712e77e21402b796b3e7b73ef
SHA512 15677bd97f15a0a0e56ce8186931c0750bbf8c36079269e26028fb00adb82119fa788ea3162782f909612dc25054fdfbf82fb052563f54ace4798af577c941cb

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 c4eaf7f60afd4c362f7313e13bada026
SHA1 c8785f6f5e6bc8c0e783835a84d7c50751fc5727
SHA256 0a141da533ae16f95b8621296922d768dfb734a7b0ff2796f6bfb7915a084cc5
SHA512 fd305a225576ecbedaa925add7d50a3ac4c025cb545226c5da67e02e1be6664d68ca7c3971469d9592ce8d1312d8aaad795b41c99a9d4ad632cef263b2047a32

C:\Users\Admin\AppData\Local\Temp\OwkS.exe

MD5 0a048428f546c7636967168641795a53
SHA1 42170964d0da14da15b46c922a30f7cee89381ee
SHA256 7c2dfd90847bb09687546d13f0e2872c68dd0a71409fe551197bb12730d43ffa
SHA512 acb915b495bf54f1a1f71be98f98361f6bd2c26d8957dff3e1f1e5ded38c23437b62294cb91f5c9f76ad841b15d335ee9a5b61950ca552b47792c2e15203d027

C:\Users\Admin\AppData\Local\Temp\eoEk.exe

MD5 ee83853c19bc64d61baa02e1c43e5e7b
SHA1 7e3ecb9367572af1c304f9df7d088e7e7d7b9ba4
SHA256 4dd6686f17b12bf4212f3f67a9923d1d68f7c7957a9172cb43877162a01ae2ad
SHA512 be0bd6199d92b9957394be697ce722f69de15a4b2d91c9f7d3c385295479cd7a8c7871f661fce1d93e4469da2fbcf76fe62f11053f01db48ed65d005d28c62fb

C:\Users\Admin\AppData\Local\Temp\GIcW.exe

MD5 ed17246d915c0e6987b6aabf9600093e
SHA1 d12367f94cfa8f1b457104d0fecb0c0fc6aa1491
SHA256 6717475088faf1da846b861a19e1ea457c2f595f2d92ef133f8324aa99b66935
SHA512 347fc29162ec758973b569eb9e642fb6cfdb4a7cd9bfd45f7e226e76f43a59eaae64808ffc0acb6d737d4b39e4f35edfd93990fe5e244caeec57971a7087b7c7

C:\Users\Admin\AppData\Roaming\ExpandGroup.mpg.exe

MD5 d4def941ab512453fdc2dd85bc5c8712
SHA1 ff648c145f8612bf5354b59f433624fda6fb0bf8
SHA256 6543ca077be1f8c134ff0fe042345cfc998ae3aeb7f194f5989faa19ba47d1b4
SHA512 47d932ea0fd22b7864dbd7c5e2ad104b24a3cca2feb9a4600b1ed637e816d8fba6586e59021b12e6025cfe5a3c0fcb6e4cfaa141498d38084a29a52a2ff7b7f6

C:\Users\Admin\AppData\Local\Temp\QssS.exe

MD5 9be614ccb835abfc33a29d95194a0f0e
SHA1 95bded175ab4e25aaa590b2f8506af4ac0dc8a7e
SHA256 336864896745aa5708f16d3b18ea8d40cb15929cc42ff75950e7cd4b7024d500
SHA512 576ffd32cb11250cc11e97e812edfc927fd4a94fa7176bd35abca488674502f9c3963ba7ea5c20cbcd5311bb080dfca522ec59fe0d0a150247a055dc73ba1356

C:\Users\Admin\AppData\Local\Temp\owMe.exe

MD5 320eecf329629676fcad53e121b870c0
SHA1 fbe7baa756beb0e0b3dc329b1421bbc7cfdaa9bc
SHA256 22c20c5332a21605ea9ae40225d846c9eb6665b9e920566246d104d0ed96bce0
SHA512 3fe22ebd480170b4ac715a242d0cca03081c86560b5e721dd764d4deee1807c5afedac745bedd899c046fe5ab517c76735d7f68d6cde4680e07572c7b6cf9e67

C:\Users\Admin\AppData\Local\Temp\QcQu.exe

MD5 d7f9e1f2125366e7fae64ff313e11909
SHA1 fa9eb0815c1931e00ddea2835fb50fee78d14f75
SHA256 2d516a142d956e85764a7e876ff654139e2389091967c04c23c4e0ca7293cd1a
SHA512 2b7910e6127c01db69138f812fe6315a26aafedbc3c07b1d6bf8aba262cca980bdd32c1d07f6d33684b255ee16e5dc8a766430306a67ceeb3f508a5b0e445852

C:\Users\Admin\AppData\Local\Temp\OIIa.exe

MD5 5d5801c3bbb38f93b79cc02a94309e6d
SHA1 9ee5d08e9d1b19b8fb444e79bb9d081e2d6c99c0
SHA256 c953aeae6c262bdd837398e7dd38ce1e0c6659c90b390752e972e11cd100f07b
SHA512 b0cae707b8c42dde92b39546b244df19506209b0806ea9df1e5e81a8ab704133dde3c94b06dc78bda7f09d41378f4cef4dca59eaff95001599d03607220d9d70

C:\Users\Admin\AppData\Local\Temp\mcAW.exe

MD5 20f604daf1fe5c70a62ae28ccc211cf4
SHA1 757cc458eed6c1ebbfcce5043e4e5f9f59f578c2
SHA256 ea73c412484605fd640e258eab77a40292dd204ed74cea0abfc6ec0eec272bb1
SHA512 370fa5139cdebe9f6805fde1ad2ff79c5b83135319a92e6fb13290cf34b56e5b1f35bff6474e2a417ad64a71fa163e8d5c0985f87a77c44bf2c8bcfc3eccc4d4

C:\Users\Admin\AppData\Local\Temp\CEIc.exe

MD5 20c3b872002b4d2866404dbe151c7d60
SHA1 686bc59acc9de8ed6d8dc8d739045cd58b584929
SHA256 fb74402d8130c09260a6d1c880a10a89660d7157a6672862a24b484566967152
SHA512 7347988ff0f6cebbd5c54cdf304672614ca5d64585c17d54587ffe47ade18eb5389705cace1f92f3c2c879d0ffe10d3ae8da0577495449f3e295c9410d22031a

C:\Users\Admin\AppData\Local\Temp\oQsk.exe

MD5 90aa105ba7a56986fc818d6af89ce530
SHA1 2dd79c51b139fd5b68d120caf0a8d7ba930c2b68
SHA256 3749a89d8a1d30fa26ed84d33d42144239e0e0f72e9887a6b6b533cfac7fa979
SHA512 f83abad2b0b9b8dcb9031bcacf48387d24e7f3b62d17e013e2a42c319a015eb7832db6c1d59bc557106928a9329cc4b3ac407bb328488c60ded21d8a176e87e1

C:\Users\Admin\Downloads\ConvertReset.mp3.exe

MD5 d78cfe83202a55e419aa79b38aaa6917
SHA1 00bab913e84ce917c1c3bf7d632ec47edf54626f
SHA256 4482a03e95396f91ab4cadddb573b1e03fb0a242b3f2c892647ced081be2ce39
SHA512 c93214ee00ad49597137551bb1f6a6a8921ae95c89228e3b692cfe169864228dd31212da659351c500fd40be70418264abb6a7fb748598c58346ec2a1b6b00ec

C:\Users\Admin\AppData\Local\Temp\acIc.exe

MD5 80ee39246f8b89deee1225942ff0386d
SHA1 16c0b0150ac9969160de1647763547b947b40116
SHA256 8622e18dd866fdb245feb943fdbb548af8217bb5e6c911d4f6650d7f2bb9ae2d
SHA512 ca5d2b4e414c8e13fa3c2be7082c037d1c74dd1052cc49ed1db46b4de47ceb3b210b2982fefe309efd959b9c3f812ad4a4527216014ab5fe15b2f7b79da0fe77

C:\Users\Admin\AppData\Local\Temp\cgom.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\Downloads\JoinResolve.bmp.exe

MD5 fafcb065d1022b49fe190f6a777ee694
SHA1 a39a6be6fb3c87a8c855a00cee0b2b43099324ee
SHA256 83d017621a843edf914c60f25d99351adabfb97bee779f59818518d5683a488d
SHA512 a4b0ef1a2a3635c1fce37e7017de5cb046f4907b6b7cb13b221f6e86f8a0a85be2ede7ff87cd2a93aec00a255dfdfb4aa50128718a5f593b6ba8c49cbdf12704

C:\Users\Admin\AppData\Local\Temp\OEQI.exe

MD5 4a073916c4245ae038477823ef44fd62
SHA1 8900522fe5ac29bd5547ba85235dbc516e79f6e7
SHA256 7dbdaf8acf67fc1fba0fd984dd2f48d7ec75753829afd7dae99322d480ae50dc
SHA512 ce39a4a55f4177c15b359742fdb63b8ee1141641c2dd1b599b6ee15f8a82b567bd9ea041f39c03676c06ddd6a30ab848728333ce628d58be50cff29c0b95d340

C:\Users\Admin\AppData\Local\Temp\okQs.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Music\SendSwitch.wma.exe

MD5 4fbb6883aa9f866a7efb2874fda8d7b2
SHA1 b5a4e0dd24dbaa115a432bfb04fc613fcf7478cb
SHA256 5997e0c88dfae85d12ce72a50a4417138a2dec0e622c3a4c6ab1484b51eb5f08
SHA512 f33c1e7aad408dbd92c2bbd315bb4ce29d9db981f96fe5aae2e13b3058e47dce508d9ae0c0f11ca53d57158878ce1a1dd1b220f2976a2cdba38daf02f9d11265

C:\Users\Admin\AppData\Local\Temp\iIIg.exe

MD5 8ad9ca28cb6afafe29b1a2083241e513
SHA1 7dc6dcea2896b04be1b8ac15dcdc032c07823a9b
SHA256 b5ec73fa1d78a2a4ff2021c4dc13711ed7d3a0c6dbea107e9aa815a1854a003a
SHA512 8f5f7deaa8b639a9774a303dd02ef3ea64022f5dbea1eef14aca9025efedc3f1bb0fd1a6fb74a707db7d0a2accba9f0d1c6759e92a1b7e9a6d1bad4f5389854c

C:\Users\Admin\AppData\Local\Temp\iQcC.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\EgsG.exe

MD5 485880657867703d087d29bf0741109f
SHA1 4a09adf8a22ed7647129dd51a8c5497261369ee9
SHA256 3129820a3318fc3688861ad1d0ad67800b48dd107a80fe90c65a9ad3f4231ebe
SHA512 33a379199f215409b7d7d9c58bb9c3b0f037eded156025a38e39c02d2ab2434c98ab2ba69231916383631820713568e98f02a43a71f59c9d226ab124b79b1f42

C:\Users\Admin\AppData\Local\Temp\UMQa.exe

MD5 d7de16e36aa4ad06725bf62249c2f357
SHA1 660cdd0ce6808831178c40a51ea2e8f07f9c7530
SHA256 91c4501bfe0c61cef7db6f4669cff506992ca3bab64f0be7c4663742eafd6909
SHA512 fcd0a21edbc5add92b2893368da585d9a7ab499aac60de4efbec0437f4698be8a744d8abd3dade0a421fe8f54b7743d40f2e25cb9817ca635b5bd3d2699b4129

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 91a9f7bc23700b54edde82f550d4ad58
SHA1 5d768f7ed5d1fb021903d2f0cc131824d8dbaf23
SHA256 6c876bf4b47085976b0ca0f3d51f6b332265177c6e0e614ea69b8c353c30fb72
SHA512 4ff58525019f155cd197d04a3a92c51d72611a01645fd423eec488822b12732622f59f495de405feb76a01b77769c7f62e8921bdb7788eab2ba2f12eff69eefd

C:\Users\Admin\AppData\Local\Temp\esoK.exe

MD5 870c45ee1be0b6e4876228c89421c592
SHA1 21098d39d21a123879fcd5ae5b4a5aad2c17f1f3
SHA256 0f46e200268c4df18d8448aec54907ae7789597aa6e3b858d9ad951ea8ae286e
SHA512 cc31200506e05e7553fb3decc9950c92964833bb33b82137df9f71e9ff9db8eee704dc5ee31f7bfa3f82abd43f9133fe22c7366c8ce5587dba6f522237c4ad95

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 b35b0f9a5a494c1bc7acfcb9b06d2339
SHA1 3e8529ecd6eedef8b70d129152587afce1139e07
SHA256 81784d5552380afd5e21e61cdffe06a2a637a67866cec7ef7a6ca78d6f9197d4
SHA512 e14fd784db07c03da421bf04543c8604f832a22c98aa5117520112939ae40758b57126182f5a29d26c60fdacd1356e09b7ed31296d2ca0001c437a4f8c684c3e

C:\Users\Admin\AppData\Local\Temp\CEIa.exe

MD5 df92f85e688d96daa617cb81c67fd6cf
SHA1 dc28be73e747e8005a20d4e21cb22ed269dfa71b
SHA256 db9e31c8c5c992043de139d929178d11e5f38f675e4ae397f4d249a0a9478285
SHA512 8bd91cadbc11987c461c6c4d6a962bba491345e03f88cf1c084f9833571be55435aa4249096e61800aa3b91fd7fa5d7a67b9f91b3c3a4d055aa63631c668abf4

C:\Users\Admin\AppData\Local\Temp\wYkc.exe

MD5 5c82b21f25d3871220e23b6467c84f85
SHA1 0929cc50071bda7ac93a98ac1775b254e6904a82
SHA256 8944c47a056019cacccebf372743345d84a1bd7471c3bac39b3e5156e96c9c01
SHA512 9741f0786f9c3e33538f43a1590773b72b9aa6934a32227696cbb7d3905618f2474f70859dd610113994304112db31e40b4ad3d7a0109da48a95dcccd6fc8099

C:\Users\Admin\AppData\Local\Temp\QQAw.exe

MD5 6111992069039b534bb1c6b9cb3f8ebb
SHA1 7682b7ff0ccb85afa7693b80cec2b56364c04416
SHA256 3c532b6589f8613a4e31c561193c4f21bb85bcf2721cb779d63499e0be96f7c9
SHA512 67bde63217d51f4efa245bcb9331f57240bed2c58e163110466a968ac752f12a1638883501b3982662cc741285486a7783f22b2cb9da33b13048f137868448a8