Malware Analysis Report

2025-08-05 08:56

Sample ID 250108-jdll6aznex
Target JaffaCakes118_9339503bfbb68f6435a37e36057c137b
SHA256 ed27064284abd999686d18a64681781876fbb716587f2e8ce70f862565dc4599
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed27064284abd999686d18a64681781876fbb716587f2e8ce70f862565dc4599

Threat Level: Known bad

The file JaffaCakes118_9339503bfbb68f6435a37e36057c137b was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (53) files with added filename extension

Renames multiple (79) files with added filename extension

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-08 07:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-08 07:33

Reported

2025-01-08 07:35

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (53) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation C:\Users\Admin\qkUckksw\decAAIck.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\ProgramData\niEwgwAQ\hiUYAsQk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\decAAIck.exe = "C:\\Users\\Admin\\qkUckksw\\decAAIck.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hiUYAsQk.exe = "C:\\ProgramData\\niEwgwAQ\\hiUYAsQk.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\decAAIck.exe = "C:\\Users\\Admin\\qkUckksw\\decAAIck.exe" C:\Users\Admin\qkUckksw\decAAIck.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hiUYAsQk.exe = "C:\\ProgramData\\niEwgwAQ\\hiUYAsQk.exe" C:\ProgramData\niEwgwAQ\hiUYAsQk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\LCYUgQgM.exe = "C:\\Users\\Admin\\vUIosYgU\\LCYUgQgM.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rCwoQUsI.exe = "C:\\ProgramData\\jSUEcgEk\\rCwoQUsI.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\qkUckksw\decAAIck.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A
N/A N/A C:\Users\Admin\qkUckksw\decAAIck.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Users\Admin\qkUckksw\decAAIck.exe
PID 1260 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Users\Admin\qkUckksw\decAAIck.exe
PID 1260 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Users\Admin\qkUckksw\decAAIck.exe
PID 1260 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Users\Admin\qkUckksw\decAAIck.exe
PID 1260 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\ProgramData\niEwgwAQ\hiUYAsQk.exe
PID 1260 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\ProgramData\niEwgwAQ\hiUYAsQk.exe
PID 1260 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\ProgramData\niEwgwAQ\hiUYAsQk.exe
PID 1260 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\ProgramData\niEwgwAQ\hiUYAsQk.exe
PID 1260 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 2704 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 2704 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 2704 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 1260 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2876 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2876 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2876 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2848 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 2300 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 2300 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 2300 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 2848 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2888 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2888 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2888 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe"

C:\Users\Admin\qkUckksw\decAAIck.exe

"C:\Users\Admin\qkUckksw\decAAIck.exe"

C:\ProgramData\niEwgwAQ\hiUYAsQk.exe

"C:\ProgramData\niEwgwAQ\hiUYAsQk.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIQUMIMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQkcAscc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMAQMUgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DaYIIkQg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIwcEocw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kiEMoswE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsosIowQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSooEMow.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmoMMokw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcoEYUwg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fAUUEggo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HiYsEUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUQAUYsY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUQMssco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCcEAEQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCQwcUks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CyYsIwIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HqUkUEsg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaYgQYMs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSEwUIwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgYMAkkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OckgIkII.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GqwwYkcU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AiYocwQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GsUMcgkc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZyIgYwAY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWAQQYYU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BoMEowwk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mGEgQsYE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYoQAUcs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUEMQcIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCkcMMAs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMUAUsks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VKEwYwIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VIAEQEEM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwYsQQYc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pakAIcEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIIUMgMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKooEEUo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YOQgIYQA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YgcIcMIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TikkUgoo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqYwYsgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZcUcMEMU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\baIUMsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSkswgcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SaMYwQwY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgAwYEAg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SiEYscQM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rGQQMIMA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VoYMkwos.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQkYYEMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\boUsggco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYQMwIAk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEkYAIgM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQYQUcUA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aYEUkokw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gawMIEkY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYYwcMYI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nucgkEck.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuQsckos.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rsYgoswA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAUkowEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CawgoEkE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QisQgQoA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOEgMAQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sOwMssww.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCIoYsIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCkQMcog.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XosssYQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hsYsQcQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCYAcYMI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LewQgoIU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yoMYkgcM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MKYIoIUU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sCQQAcwU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\beQkkYIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\vUIosYgU\LCYUgQgM.exe

"C:\Users\Admin\vUIosYgU\LCYUgQgM.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 36

C:\ProgramData\jSUEcgEk\rCwoQUsI.exe

"C:\ProgramData\jSUEcgEk\rCwoQUsI.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dsgwgEAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKMYocoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCMEEggA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycIEAgwU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwgckIcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KqwAQEsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAEMgMEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JIgwMEAE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCsIQssg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rEYQcgYs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOswUcko.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\losUAIEU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gqoMYwIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIgsAAsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YOMUkkIk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwkMIsQk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqcckwEg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqwcMYEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgkgUIAU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fEIQAQwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ueQQoocM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEkIsEsk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OEcMscwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAksgMoA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NMcIogkg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWAgkcIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqcMcQAw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xWQAIMYg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yicUcgEA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQUEgAcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQUUcgAk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQAUUkUo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\buUkwAsA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\puogMkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PeooYMYk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dcswIIko.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SCsAQgYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQkwQUwY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ooocQUUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\USEcIIUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAIkocEE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkgwkAwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSwAMAsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGkgEAQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
GB 142.250.180.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1260-0-0x0000000000400000-0x0000000000436000-memory.dmp

\Users\Admin\qkUckksw\decAAIck.exe

MD5 4a5bf537dcb09e0d5aff9ddd510e14cd
SHA1 09430ea4f178ca551f430c877e3199bdfd56840c
SHA256 c95ce65f2810d8e1b8dbfdc7924aa682bde6d7411df0ea614868dc2542709a5f
SHA512 0795b9be1247ea21f1f8845d3474414c2df07975b9b80840827baa2fadd3ae8a2a56e4df4d21fdd64cbef0620cc8aa1c5bd7db85327019d2aff634b84e14b3d1

memory/1260-12-0x00000000005B0000-0x00000000005E1000-memory.dmp

C:\ProgramData\niEwgwAQ\hiUYAsQk.exe

MD5 9720e2520e845839b39d084950aebe97
SHA1 7b083dea34b0a56daff40ea13fc046ef4e6d505d
SHA256 26b4167ae0f43ab5866e881994f6321a3dd4fa3d038e59a10bf199d820c36219
SHA512 f49fdbd9264b4f6e459cce84a2f733d91986fbbbb07cd0159bd798a194d61b4ac1972e4a4b807bec5e16508a60e772466368158cf07960945eb6972b23ef9f25

memory/1260-13-0x00000000005B0000-0x00000000005E1000-memory.dmp

memory/2520-31-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1260-29-0x00000000005B0000-0x00000000005E0000-memory.dmp

memory/1732-28-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZEwUIQgU.bat

MD5 10b6ae39bd58ce3c7c88e45ba4897ede
SHA1 01a2d78374e2be622e157704bb488fa0c76bd705
SHA256 5d6edff5cbd0c3644f3e80ee8b56709eb36cfa14f9e54ca0582876e877a05f27
SHA512 9d1588cccb64a6f919884fc5a0fda14c1e8fb692124254b944bc658dd527f43abf23ff4a60cabcd68d82ab86ce33d797a79f3099cb22e02392ea8ffbfd6db3fa

memory/2704-33-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2704-34-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1260-42-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LIQUMIMc.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

MD5 da2a3e52fb41d741eda2a8c6060447c2
SHA1 5beb278a9da74a7fceb212f55676cead6727976e
SHA256 a9a0f8fab82eeedc05fe5e22d42febd125145da26d8bf3283f5d8f1b6926b81b
SHA512 a2c2eab0f6fa31bce31cc149e30c36d32aa6c2ccd998010fd4e7467baaf5628c69c20f660844c870174c165bc3da77e2bdebe2c72aee1336437ab4c6741eaafe

C:\Users\Admin\AppData\Local\Temp\JGoAEAsE.bat

MD5 ce339da138966b54ed4a842070a32daa
SHA1 22ed7c9be269b66d4ddb8d22bb2833ac2dfbfde0
SHA256 e4f4875dbc3a7ae6a0793313ce5e7483e62f691d13fdd61b4ba70d56c2c1bafa
SHA512 37f8258abfe35afb2e2c48850a488433d1015a3faa859cb7e72cd9df057d296ed201bd00cb1ba4ab4ca003062a21719882b49184a2a7226c22f7996684f9e856

memory/2300-57-0x0000000000170000-0x00000000001A6000-memory.dmp

memory/2848-66-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zwkgYksc.bat

MD5 bf9fd243a97c4c14a4eb2655ce188454
SHA1 7c2c3c2963ed5162898e11c52992d71901783ed8
SHA256 771a6f86f768715015ae6da4b0f1266ba572c64902e01db8c78ae7d12fab4a4d
SHA512 49f022c5a69f29af1c235be656bc17853f9b4b385227716e729ccbefe1ad75ffab3c999ae9f4d0b3f52ead27f5c75e091f4c16a618155cb2f9968cfda6205264

memory/1776-80-0x0000000000400000-0x0000000000436000-memory.dmp

memory/928-79-0x0000000000160000-0x0000000000196000-memory.dmp

memory/2436-89-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jqcAcgsA.bat

MD5 39d6c0b8827e9b44e45fff7c254e2686
SHA1 b9d5c1a70ad7858643096bd9d647324ed0509a00
SHA256 4e170afa9c468707c98be136c64ee75c759b09b976548920329ce4f348e1b1f4
SHA512 d0b09b5de98a7d6715dcf331eddec5ccb9041687adb807f3be1f2e1bbf6d8169636e4dc91483285db19a57b7362e4ceb4bae3b102812c96a3156682e4118d04c

memory/2984-102-0x0000000000370000-0x00000000003A6000-memory.dmp

memory/1776-111-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qoQgYIoI.bat

MD5 794066569584c200732a4c5306af1343
SHA1 a53e2aecaed0abebd13e6501951d4e64e8f6c901
SHA256 4d4fec6a3bad9129c25a851b30cdea00f5798d722cf8cd4ae0c7dae590df0724
SHA512 b154a2360637a5fc1cf0e0e770dcd6ed8be29faf21bde6b2e4c721227e9e9cc56cf16369f6733bf7c259c136590c949caae86a227212854e52e7a2d57da4125a

memory/1684-124-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1500-133-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSgUYEUA.bat

MD5 b1c804dc29753aa76f9304bfc2fbc6f2
SHA1 ee42885515b3352b44bc78f917beb15b97ad1250
SHA256 661431b6c7df393201ea319c72f5dd3f33f460b7b9928d5b3ae52a3b2de6f540
SHA512 7a8c8a650864b9f0fe38f529bf83e41da1b14946ab5164d9b77fb819d2dfc41884dcf95f3a57c34228b66fb096388dd3191bad903668815da158debf206720c4

memory/1684-156-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aWgEYsAM.bat

MD5 73a5f068ebfeb0a75f6a4e67bf845d74
SHA1 52b8d6331483147e3ed845776883ec68f4fb05d6
SHA256 0c4746cb282617e7c0dafac800ce546e07acecc45ff9a0c3188ed4ec189feec8
SHA512 a46ca4aed56de0324b4d2e426a6ad3dcac84ef0ebcc6c927d3f765b4e63e8cd520515f2f9d64be931f8abee0f83463b85e1520f5b5a53c78d5a6f699d5433267

memory/2752-169-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2820-170-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1848-179-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\seUYYYkM.bat

MD5 152a5fa4ffbefd574ca297f27070ad1c
SHA1 4ce9ec72ada8e66c1cd8494519cea58c877d6e48
SHA256 f84c6a7abf3e50735bf3d0115fb210dcc938c2317ac60f071be1c7713031c1ed
SHA512 da3b777ee9e95a84de625b4f5c5587759dc94b06d01aa4ab6b62df99307d6b980c76d837c1d38f948418559a001742f24cfdd0be977cb1ccab0005fb5f39d597

memory/1244-192-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2820-201-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fwMsIUsk.bat

MD5 29acf4e3e0e1340170927acd09d9c486
SHA1 824ba67306d878c733c359d663cfbbff2558098a
SHA256 0eee7180923b830935c70a55c739575148fc31346abded83092d4c258d7d0a64
SHA512 0b0c47ea52e248fc6dfd2779f7c9634d17ef6132cd912fb0593141952c6ef0aebef37cfffc7df7eb4727f425b4000d238796cab988c82beba277d5d4a0f6d299

memory/2936-214-0x0000000000310000-0x0000000000346000-memory.dmp

memory/844-223-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hIEkcAkc.bat

MD5 3d3d3bd1fe674f4c0e9c08fde0253191
SHA1 78361f458c084dab0d1728d31bdfa61e31871bb0
SHA256 fe3ecf13567d8438e04cf496880434d1144908fd0aacc4d39f54c772442da695
SHA512 8fb909a88fe9142d5464a5318153f637b8502fe753a721fe1978440807752b1c5f5d4c08a27a4120155a3715bf71864f646350023be666ea0a5f10b1d2d74680

memory/1080-236-0x00000000001E0000-0x0000000000216000-memory.dmp

memory/2904-245-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pAwkoggU.bat

MD5 876d590eba326c7e86153331743f74b7
SHA1 ee9ba87e40d1c07787ce49491ada06745a6553e7
SHA256 66e736af3263da793851bb0be1b70c247bc6d5a7a2b385b6bb2c958a0d024b2c
SHA512 c85c491996e8c3b3b0e52d0224a36f667e8966cd2d8291f29d48a33a49172c519c7123ccc357561cf445a2249b6acf5d938e67b084dc214628357efc63b994b9

memory/648-260-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1044-269-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vmsookEs.bat

MD5 03e912fd901e7496a39504f084d81667
SHA1 c9141e9ea9888cf17ad4107241ec330277171938
SHA256 9dacef55afa900e0762120691ce0b2c9e1fcb8ab86c74c307d7f5ee58249eed3
SHA512 52fe5a77f77d045d48c2d470935273e85a79541373ebb2f134ec2db568b057b6ef839f755a5a7add5f09724723b9bbf49d1865e0ad1e22758a22e6b402939dd8

memory/1780-290-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iOUwIMIU.bat

MD5 885491fa35d996c41c496409dd25e214
SHA1 c5cb94e6f4f34daedf40ceeccf3376d816ce08f1
SHA256 5ddb797c61f21e62698b3ddd51756423e135e0f2669ae0e022408a51bf6f3723
SHA512 94c9f015672b8ef6a28a7393d8d03977e22505f6eb56a5fad6c9b4fabdf78d5f57e41d03e2b99a2bed2862c3f70fe6a8ac91553cfd33eabf96598b6aa5063bc6

memory/2792-303-0x0000000000160000-0x0000000000196000-memory.dmp

memory/2720-312-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kMsogcIw.bat

MD5 00712540743e0d859c14719f15107f38
SHA1 1ebb005044dd8673012e8548bd4d0dadd347ba20
SHA256 4fa5763c94e6f6d72262f917ada5248da4f8fe1335a382fb07657e6aaca521d3
SHA512 8734999b249fc937866bd44d4b560dacb306e5a176792d5d4e67b25b9a5c0f1480173798bd4b6f986f89c9243750f825c8c3168d2928b2ae5fcb25a0b26fe947

memory/1148-325-0x0000000000180000-0x00000000001B6000-memory.dmp

memory/1788-334-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qWUIUIIw.bat

MD5 b81c14f98769f450e82c6053f9933759
SHA1 3f4a90abe71741bcd6989a017db695857b6bd0a1
SHA256 ce41a2f13ed885890e267a71e8f2b34e77fe74af853e9b7f0a30125cb9d4584c
SHA512 4265e0655708ff5529aa5385f7dab7b7bd344f7c9a66630c6dc1d2ca3529709e3d217351bc3b6f6e6db74bf6679f477f46b4342a57c0444e24f01536160bea11

memory/2980-347-0x00000000000F0000-0x0000000000126000-memory.dmp

memory/2500-358-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CMgIkEwY.bat

MD5 56f171eecfb03f2a8e5bfc0694add906
SHA1 f81e58724f671911242f27b2f59a18b366295e7e
SHA256 6d9be84bcf574c6aa0ddba15c7f0a9277d4c88989e25db4fb1d9e0ddf2216834
SHA512 ef1bf26eba69cf3fa72eb760ad4b4f8c87233ae34be1626ac4377cd0e56d83275e279449f4d18fa1be62625959f3687a0c55f80982461af3a699b93ca9ae1e94

memory/1268-371-0x00000000001D0000-0x0000000000206000-memory.dmp

memory/2580-380-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kYYMowMk.bat

MD5 ed2e46d72cf9506c45da1238c9f2fbe2
SHA1 f8b6c0471d52bbb25e67a0911403557ed3fe9a5d
SHA256 821ca633360939aad6333ad1a74faebd27905f7d37f1b0cb1f810e17473c176c
SHA512 b0afe7fe982acdffdf8e170325e3f0a081cd1d42b73171510ecbfd400a657311074ef08f8c33f6ff5ac6fc09124df2d45a041347571e436c4ddd042674ad08e8

memory/1488-394-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3016-393-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1536-403-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DqMAwIok.bat

MD5 475724326953f94d14126f835e989b5f
SHA1 2d6dff58a1b80cd8f263407cd3233845cec3171d
SHA256 6148dcf86f8936f2e94c900f6b578cf7fb527f7c66739c5a12dfffb5bd43d62b
SHA512 57889bfc57abefd6c1acda8c744521dfa21601b028ddaf30b857dc4590a11301922a9e351c50f8cac80ebd7adc3acb0db94779d0ea9fba3a0ad7c475a708f382

memory/2728-416-0x0000000000160000-0x0000000000196000-memory.dmp

memory/1488-425-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xMckMksw.bat

MD5 770c50c107e2e67f82c0434e49666972
SHA1 977a409bb00bc503e577dd3b12de4d4f044a1396
SHA256 94e55a8f01ffd5508fd84a2e4149a40ac4b1a28d272d2411808dd62dafba98eb
SHA512 754a65050967463cd005bc27d5bcf78425349c43d78a843be5af95e20a8b3d036614b71513e1e99f30851f52f4fea807eb6d105bbb8093e1a7ab05a7027939cd

memory/2196-448-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hMcMEsIY.bat

MD5 d0351332b547371439938d17a099786d
SHA1 1309fc4ad562d1cb92e84b6caa93b0cca5d3a2f6
SHA256 3c32548570663ccc721b74fa943ed92c7501d1f32efb86e7d467e2dd14744f80
SHA512 94adea87c4ba9210330879231d810cf2075b0d53dcc9742d34d1a7de182a17cb889a0c1c20a7bafc65e999cd676a199bf4f3c52b35af3136de80d7640245a4a7

memory/2436-461-0x0000000000190000-0x00000000001C6000-memory.dmp

memory/2604-470-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZwYoksoM.bat

MD5 d842e87495056f24560c6323b6d3224c
SHA1 deba1696e70c633a230f313554e256fbd6dace66
SHA256 2a67c1367511424ccd00f897fbf580f72f3176cbcf9328d7d47f4b1cca10c9dc
SHA512 b5f7f60d5a9e60a60639b0d1051561c7636244f03896697f916f4733ca999f2bdb970d7fd99cf556897de4b6ad3ca38ada609164e11ecb3f42b8f1491571c314

memory/1676-489-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SsUAosIw.bat

MD5 de4d80f654497a165dce0b9cae608927
SHA1 7333b4384a7397747bb9afaea65746a58d033a8c
SHA256 ed9991602fc2e0bb92a10378b830e51459e37818e33fd1ec9c3b364a393d6519
SHA512 0a9ad5db44972fb009b018db25a3aed5d33a231aa829366b4e94810b3017bcb39628ca28f4e47d891aff99d99d1689f0a01b6b2f2581aae976376cf443630ccf

memory/2772-499-0x0000000000260000-0x0000000000296000-memory.dmp

memory/1664-508-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qmcsYMwM.bat

MD5 a7ea77c0ff548774e15577e08e91ff0e
SHA1 e62ef27ea31cb9268858581110e6317ad3b74cd6
SHA256 327bcd866849b1b0220b0ab9b7b66a860ef9955e186ff7588c192e70a6dfb8a8
SHA512 32f7ce04524288e497c756f163bc8427442b2844202b24ab90998be66fd6879e2b1e7dbe28b5270468f5836f136aa465e8553704baaf0f245c288ecc1c7eadf7

memory/2312-518-0x0000000000160000-0x0000000000196000-memory.dmp

memory/2216-529-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KOIoMIcA.bat

MD5 a4459d8766ede0306c7b0906a0aa2a5f
SHA1 f18008bd5c97da3ee5bd9795b42a4c8487abb755
SHA256 f04fa5747e10e09537d191493710c7ddee1eb2f8150c797ef18859084eb3c910
SHA512 451f3f2b879cede47b536510535b0e213aa3dd7fd9df44a5954946924e71775023de2dfcf6e9dd2f0070da84f0b5d0dea0b5deb3ea3ebaf3d93161b09e71c3ec

memory/2724-539-0x0000000000210000-0x0000000000246000-memory.dmp

memory/2724-540-0x0000000000210000-0x0000000000246000-memory.dmp

memory/2452-549-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\swQwEUkQ.bat

MD5 708daa3d335d7c9e73e8ece0ce938291
SHA1 f64168bd5f20d1bd8edea0df5bf4f6964fbc08cc
SHA256 1d8da51a6fc1e81c0544d0328cc832d4a3ad9133570677504cc96910243b17ab
SHA512 efab8efb33c5cc35938c33ed275a5a49f62adb86e7136b88dbbea0930a75e7f3651ff5d343e0c89c110f54eed6ddba0c27e14fd980607a08b5502cd23745d22a

memory/780-559-0x0000000000170000-0x00000000001A6000-memory.dmp

memory/2884-560-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1920-569-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BmckkgQU.bat

MD5 4d94718be4c0be7ed7489938f8f7383e
SHA1 59cff2f83f0258e4842e2c76e07b8e57eeec83a2
SHA256 1ca2cb77abf7f3231f70dd0e2d7b5214db5a721ac78cab8c9dc5710f078b17d3
SHA512 c9951ac77827ee04b2e5aee91c77d4aa4df4dbc9293093543cfc94eba04b9d234b48c4059f8459db0e28f063228cf95407a7b959a97f962966cd64a8c3ad276b

memory/1720-579-0x0000000000260000-0x0000000000296000-memory.dmp

memory/2884-588-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JaAQIgwU.bat

MD5 a59eea2bdcb82dd35a6c96e5f776fb39
SHA1 d1e3a168b156d97ab2b57b851aa4a44d54d37590
SHA256 ce3267be0663d1ac9668c6ffcad0346db49f8011c9dfe5010c7e14d9f71e58a1
SHA512 63898c6d622044a029e7582866c2a9d406a2ea46176d6b65f45f42dcc527c0dd2b3c501d4af6449d9fcf1d8438f90f741a2fc53a638138160503faa8fa56cda4

memory/1732-598-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1508-609-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fqcUYAME.bat

MD5 98a47ec892907856426720f9e18eb95c
SHA1 59af547707917c381cf36c984632bfea7660eb41
SHA256 0b63dc8aea6d32efcfcb01a381d1c03c900f0014212ad3f37493d625154beb1e
SHA512 26c2a22ca08d7a671f96a45b354c368768f0b7490b6403c5f089f72ba1b2a95398b9e53348faa9d85e1ae208149eaa16b1e158e63a61dcc71cf9572e75054040

memory/1796-627-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bUIwUsEw.bat

MD5 66a0227a5afd750fe4f8b773d5ec6248
SHA1 422ed23d9e28626486b6e42e4e102a47f4782411
SHA256 73050f4ea3a9925b1fcb8f4a4d38bf047dcbd4bb0b4d374aa44941ab68cac702
SHA512 0ea864fc1340716d4497e99f58f15fb12d50ed7f7ea2190f811cf9fde04e79ff3d562a9b3812242697915b7888cf1538745c4c83840b4502a4fdeaa11ca288cf

memory/2772-638-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2520-637-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1248-647-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uaQsoAEI.bat

MD5 4faf8ae210960afb1fb27203a4a261b4
SHA1 09b201b079e07fd0e7f90e656fb00a88b5b4239b
SHA256 d682083dd70df2a736923754826d39897ead48774f1ec877688d520621329087
SHA512 c2164c57ecb7b3b7ef261b3a765232b7eaa798f8b4d945be7ab533ef3abbf818b1025c15495557b4354711918d3b7e040cc8f7a18dff11c02618a97ffcb19609

memory/1036-657-0x0000000000170000-0x00000000001A6000-memory.dmp

memory/1288-666-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cEIu.exe

MD5 82c6afdf48c1fc05ad8dcbfc71d96286
SHA1 21fa93ef12a8580369e12255821407673f1f8265
SHA256 c1b76ce75752c4b588f6c35752bbc43c3d3e7d0291cef5222b09336b9981b439
SHA512 c777031b0f77817bb6c467955d9f3375881bee4bece1caccb874bb6d46ec50cab6bb1c41ddbbb005e8441cbecfa27ccb202a350e53c8ef24f8395039c6c22247

C:\Users\Admin\AppData\Local\Temp\iGcEMIsA.bat

MD5 79a58b31d442c8692f7382d94eabb2c9
SHA1 f5fff6a4883e8a360b08c7b74369eb5ac654116d
SHA256 515c5d1a1db98bea9ebbc18fe95d26a4b91f1d16722c47e0327aeb2e325e49a0
SHA512 8a9a57a276e67fd2f426e362e58a8baef9699f1e46a8ace723fd096950cc857384e0bd169aea8d6716443ddb86e8851e26e4f63103d8a08fd35d106b3a796f31

memory/3012-700-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UCQoQYwk.bat

MD5 07acac17d4580ace76a409b7351783f7
SHA1 358826da4b22348b276a02564ff3ad320fb9d6b8
SHA256 d8bc938f8c91d0d7913b5cb72ec0f9c60a7d31523ab2d6ab19da16ef1f2b5bd5
SHA512 75b9fce841491788cd5790abc6deba7ae0b23fa529b133f337ce4d3f65b50d0df34d161c53a9c9ea3310ba4ca3b59e916dbef33634a8e510b60927373179b499

memory/1932-710-0x0000000000430000-0x0000000000466000-memory.dmp

memory/2604-719-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\smwsQsIU.bat

MD5 9b2119b7cd6e744effc94e0c40850463
SHA1 0353d6e0c17e11d101209b815025c748b7478acc
SHA256 f7fe2a1e3a98d0263e658a737078bc19ea03c9384443c6452d0c3fe7049a4cd6
SHA512 643d2f5e08f0b5704856fec44accee99cfa340060a0f66bda23a57f1e77caa954ea82884c90955c1fc4dd136adbce227d6d5f4bd2cc78c2a258ad6e4b820cf98

memory/1864-729-0x0000000000270000-0x00000000002A6000-memory.dmp

memory/2372-738-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xIoIMIQA.bat

MD5 41bd0c4057f92efe347745aa5a71ec0a
SHA1 146d6c3361c6976953a1b28b1bf1896c03cb54fc
SHA256 1a5115e4d18b576c6153011d4b59973c07e7855f7acdaaf1d56ff65d8b950392
SHA512 c18be0d2bd09ea0f721c1e5af840efe9908e02b85425840b48307354df7861cb96d49b7d45f2eb814953987975434e4cbe6637f928128aa331216dbaffe70bdc

memory/2480-748-0x0000000000130000-0x0000000000166000-memory.dmp

memory/1096-757-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BmUUcIMs.bat

MD5 e0a972e5c4ae5b2b19089e88572fb2e1
SHA1 929bed632b346274edf66ed947ad179ed3730518
SHA256 948c3e43422e4b8a1edb813c198aa5ddd0cdf9e99d2bc506e1c9946b04eb847d
SHA512 a6ba965dd5039ca6733313357ec19a4098b3d6eb6343f217dfa3f73acc10b456cebeb4141248ba49d51bbbb389ab8ba3aca75d8fc9ee5713152ccc4d907de436

memory/2852-777-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TYoAkocE.bat

MD5 295b9ac41866bd3bdced10a21c87d5a3
SHA1 2d3e87425cf0bc2f6124463e7de83595f4137884
SHA256 15213baf6c1f890a0e52eca4280a35f8877748cebf717a0f40fc9efa1cc47e19
SHA512 bcb6dff8ef9945e07d905f2cdb058a2dd0e6bc6784b681d884a65f3b5a778775a9a747d6977dbe52170b53f2999cc3757578d20a2b42cb62731df04fbaa4c4c2

memory/1252-787-0x0000000000160000-0x0000000000196000-memory.dmp

memory/2536-796-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lYoEswkA.bat

MD5 ae5ae5e9c2ac729a6d97a58c5b3a140e
SHA1 d62fea8e71d30a50c6391d75b340d5a324c7c150
SHA256 11a6c0d80517bcd797d7e220cc0e961aee5c8aea116b0b724daf51867e17a945
SHA512 76ded60fc21e3088ebecda93c50ca9c5474bf335c8d71d61e6e59650fbf70df954025771ed7d0acfd697b3578b237cc1ce40399f4c9fd7db358abafbc0342833

memory/2804-806-0x0000000000190000-0x00000000001C6000-memory.dmp

memory/1688-815-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CaQUYkIc.bat

MD5 5804d9ae1e743dc6e6b09f9e0f4f2884
SHA1 a72fcdac42b9fde93fec828d5648c66cfecffcc6
SHA256 0bb63ba52e0a34e36364d4d5d19a858392019e53c3a100046eb4c27bf3488a04
SHA512 cbf7fe42450cb0f33fbdd8d13c4edc9b79b1d95097e3b269010a72138e28393d865585f63eb29d20bd1a20fdbe1f92c5132de7be300626946229f61eec6fb642

memory/1744-825-0x0000000000180000-0x00000000001B6000-memory.dmp

memory/1792-834-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iSskwgoo.bat

MD5 3c98211dc3a98bbc8aa27119704373f6
SHA1 f97a0f2fa20ad58446bb89fc316cb69eb23736b9
SHA256 5129aa8413e5ed5fa6704975031167a778652ab4f17ecedb3aba6119d546358b
SHA512 e0584680a9a31aa028f8f7a97ef11c22071b92f05d6479c1c98f22f8c0bdb41eb611888b16d4ebb106916aff796b140f879557756e278d70b5c727f9f58713ed

memory/2372-844-0x0000000000810000-0x0000000000846000-memory.dmp

memory/1872-855-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qwIQAoMw.bat

MD5 9efe8a9abeb8013f56b144294c317d95
SHA1 d970bd10095b7c42e63059e53f9976b2df4d285e
SHA256 8ad16fe8687c066c4eb5e39f04cca2652f1030f89924910a18646a4199c47ea6
SHA512 383898089d01575d1727179a8b7c32df2bf01d33a7189e07daac6a1688540e5b1a94662051ccb16265601147987ccee581e13b7a8e85a797964d9f94bf9c8c3d

memory/1060-865-0x0000000000160000-0x0000000000196000-memory.dmp

memory/1684-874-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OKssEIsA.bat

MD5 1d5c15827c070a635eeed5a0ea181cb2
SHA1 e039cf73c75995cebd2bb3ae435edb265fd62842
SHA256 ca2ce19c42eeeb61f03952a256045dda9e71421720aa81168ea13f7e25b78b8d
SHA512 6da2609ffe8db94a6bfcb29207896e48f5ea1a9301cf155b5576c38d701bc2ed8bfd6dec279e02cde5ba275fee00de4c8ba1854b2db58d7deac69307550b47a7

memory/2312-884-0x0000000000150000-0x0000000000186000-memory.dmp

memory/1768-893-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fasQEIcE.bat

MD5 596f16628f124c528ff6dace4214ed60
SHA1 831dc4928914984155877035d5b347806991534c
SHA256 7c324e155d8ef32062de2ff7b149c3bec3cc6f65c6187c02c6336fab9b67b8fa
SHA512 1dbac1c6f3b1e31c8c5ab69fda791b3f68aac4cac734031640bab595734c18f6ffec432fc370becbefcbe188d2c0e3d2efa88a0adcfcb2892f94c82ee3caac1e

memory/2496-904-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2780-903-0x0000000000120000-0x0000000000156000-memory.dmp

memory/3020-913-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nSUgQcoE.bat

MD5 9ee928181cbeaefd106735ea9ec69e60
SHA1 b9f211234f878144ec545fb8e9e45fa7d13f03e7
SHA256 be827e7d7351fde08fcb55d19365af068482b8dde3d2015aaeeef9a37d7fba53
SHA512 662e427fd23c33fd844fff0196e31a2b1c7ed91d2b74a35e521c024e9171a7f6d033a27de74aa10ec93fb6d141a59fb2257e84d846efbaf201c0b50c741e661a

memory/264-923-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2496-934-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\twwMkcsQ.bat

MD5 72540435588ed9921b4342554d385c82
SHA1 e3693d0b099e5367086f4d5e638aa6646a1fb0aa
SHA256 93d9a159ef6fa1d86307913547962185f634e285de6d282a1d514fd405d357fc
SHA512 93b2afa2dbf7eb8d32f59d273705eef71bdc40d574a457310d8055f11692356a441b7afe3b266fea466ec1c7881e645e1318f683377468ea08c9ee37d543ed4d

memory/684-944-0x0000000000160000-0x0000000000196000-memory.dmp

memory/2976-953-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pywkwYQo.bat

MD5 4a85f153843e10c0b72370593a399be3
SHA1 3091a5a7366db71f863da0f4a061e3c109625570
SHA256 4c9747554d372bd2b870e8e2f0267168e8fca314e32cdeb2e5d584d4cdb3cd00
SHA512 2e6bc3a5ec1300604cc671f118e227b6ecdf2d708f3b40951a60589e3d8e2a72a1591e98f11f1b193b0b96d4c6f45cdfdf1c8df0a4f69ff7c5f09ee7c8b6f1b5

memory/1728-963-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WeokIgcc.bat

MD5 267cf8ae594bc85ff5f73dd106b53f39
SHA1 bad2bed90531275a749a7c7ef564d12c5ff44267
SHA256 44f4c76ad86529fb31b63f075e4dd69f904f0f5cffd41c45518c7231e53d78f0
SHA512 93b1d3df64cc66948f3e78b5b290f19db70adaf84330369f52b60c0610c65b9b217cd8dbc39698b2d97392e22d7e5bc6e22e62f1ea44a7638d40e606eae5b163

C:\Users\Admin\AppData\Local\Temp\wWUcgwcE.bat

MD5 03b5d4c683c8c65d15c92078ef3696cb
SHA1 8f87bd937609bc3c1a3faed433f0132bd7e4e445
SHA256 164b827d22b02b2f32b4b75f99635338d008b904c330e5f4dd026913b14a4130
SHA512 049a5688e15724101c40033dec74a8ffc3c161c93dde8e3f336a78d2741227703efc5d1b5e9f0d48b985b4d2ac5415b2f4d2456589c3246fe917314414d45a33

C:\Users\Admin\AppData\Local\Temp\CCUsooYA.bat

MD5 b3c7e14461e07cc4f73a625dd86a5442
SHA1 aae844fd4a4aeb9400d3101d7e328f735d8bd5ab
SHA256 6eeb10a0da806bbd85b4f1e3c8da7153023bb18f6c8b81621e7ea9446163feda
SHA512 77c3bd35c4b7e14072c05f0da0c220781f19fa606122b420c11de19f2d5d698f54016a744447251f722473a44fe3f7c32f2667aa30a9bf177d9c65227e6d7018

C:\Users\Admin\AppData\Local\Temp\aaIMwAAk.bat

MD5 d5e21f8f3d9c99fe3ef60c1c8cbc2f69
SHA1 fa130970a4f83d10a968816194047378da66fa9f
SHA256 9c7ec751b39811759bbdd69b8d56d5dc9c354fb0281b0045991532ca1474c08b
SHA512 dcd7574a84388db702a0e4ef5f6ea9898dd1a97c4d3b6bfe18341d8559e0fc74be49c29ae01ccbaa2699dc34a64d7defd9b5a626c7eccd7db4720fd5fabeee55

C:\Users\Admin\AppData\Local\Temp\YqscUEQY.bat

MD5 de6c9d62a318c643c307a2f51aaa844a
SHA1 ead1e4aee66aabbfb7356ff43a08fdf3fdac2fce
SHA256 ab4e0f0751c0d2578493e8a0cfea3548e39a4e26a67e63d4b7afe338d23ff291
SHA512 d1c0e227818fea4083bd004078201f185befa25db46841889ae03a30b721644822a1bd6299e83d809bd94aa2e3a45eea3193fc2885b9f5f274a1ca735162527d

C:\Users\Admin\AppData\Local\Temp\rIkIookA.bat

MD5 1593452a8316a6d3f753af02ce619ff2
SHA1 2499d1b25dec5b006202077fc70793e405234f2e
SHA256 0e9731a9eb75b5666e5094b65b19e88070b2fec1f172f315ca0b0e97367317c5
SHA512 6eaa5f67d547f9ed45a2a87df483201b9df8d414488ed1210f55847cfb4363cd3885f8e46d66eb225f20f0f5a97ec583a8a6928af0bacf81d3e03b3a11393e42

C:\Users\Admin\AppData\Local\Temp\laIUkEww.bat

MD5 6850123334c3a10285a87255a70b41b3
SHA1 42c10da1d6304e52de3e09a28b018c29cdc68ea7
SHA256 f8caaf332c07c59444fec26ac0bb4f7a823d1ccfe6fa270b28e5ccab2d6218b3
SHA512 774160cab7cad79e6aa66d1a6e69f54e6bdfb7a7792b556f1fcc6f058b540091486eceafea5f089d385689c918e07db63ce58d578e67e712956cc7cd63b57b26

C:\Users\Admin\AppData\Local\Temp\esca.exe

MD5 e5f68924668ec65561c5e974ad039501
SHA1 4404c7af4c85ae56c9ff183246ab579d2c15b62d
SHA256 cc55a3c311746554f5e4cdf2782bb45ee0874f57f117d50eba73f1fefe036da0
SHA512 709965ff0b8efa1504461942d6daba47ec26f1f80c9b324ea84e77921ed3d594658c7bc2fff4b0acc579ffbbfc80dd419a45f4659dce49e484a924850bcad18b

C:\Users\Admin\AppData\Local\Temp\lEYQAcIo.bat

MD5 2cc337c24ef47cdd7aa7763f6f39d93d
SHA1 e0654e1b96b10cb7ebf83883b1b38b64394ee38a
SHA256 258b0fc5d5c43e6fb59049450165b6093429f71f3d371ae1568338d368242065
SHA512 e6aee9d712a097757c9cc50f96268b6b793c0257136ec37c3e83fe39481bc8c2380482565b7af0a86db402abc941e3d21b66a5fb7005952adf11f92b16cfcd22

C:\Users\Admin\AppData\Local\Temp\aMsG.exe

MD5 390a026838b3136227b75f028c36f859
SHA1 c65bca55059888ae43754f0435bc30030e6f0c90
SHA256 c909ef0ce5e6850a3f0b20e7739291eaddaa8979808023ee91550d3d21bc12a2
SHA512 096f111fc1ed99ae9c92ae1dd263b7d9e9f148d3aadaf2ce5106f3fec49ece8f5e1ea4512fde966a6807dfc962e1c2269dfb043629ac9f6d0044264b8324a3a9

C:\Users\Admin\AppData\Local\Temp\moIo.exe

MD5 3439c4eaafe892ceab7960d5dee343f5
SHA1 a6e39945a79615997a90b2fc09f1f7dee2918008
SHA256 749473b8619a03cfc68238a77dabcbdc486a812c2f6d17b1fad9bec7d4b9143e
SHA512 91740ed2ce3b7bf0059f938c34b32e799dc06401c643ab836912e789f85d66f7741ce67e85d88b3835c99be757b00037fc04f4b4dbf75909ea1770e58ec2ec0e

C:\Users\Admin\AppData\Local\Temp\IMUi.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\WMkI.exe

MD5 db86f4ffc9b42e3c1816027efb4f1579
SHA1 702a5ce1969950289c51f4e3bdd1e14cfbe9347f
SHA256 2abf92bf4cb4e5ca894932dfdf1dbecc801ef46dde0bb97d549733b91a071096
SHA512 db70beb93ed437b48d38d0ada43f0ee468ee8ec2914adbd46dcabb7183cbc7220137fdaea604afacb190c6ff37843caadc04ada8edd9ae2ba23d17f68ed6853b

C:\Users\Admin\AppData\Local\Temp\hUkQYoQE.bat

MD5 fabfb38b6e16cd45d36e8560a4d8d653
SHA1 9ae8b5f19e900f746d10dda3f8c0f3bb0a478b34
SHA256 96a9f64adf8c49ee166b570485218b75b2e8cb46cb18cbf14d71248a1c530f8c
SHA512 5c03183940a6008a64d10da18fd2340a9d0958ada126bd1bc116d860a6d95d2f0d9e5efcfbf0ca2af96f52014e5ce00a14deb7a246a5ee3e446df2ea2b0be706

C:\Users\Admin\AppData\Local\Temp\osAE.exe

MD5 518cd1544fc21889460953426f0a23d2
SHA1 51049ad409a7268079cc2e569973188b91a2e763
SHA256 ffadb731d6c917f32a2973c01a8b005f6f3ea3e4913c09441399a3ff64a37289
SHA512 9333a94cd58c6c4d7a600b515cbe2dc8d98da844df4eb42ff5ffaadfcc554c0672ed0ec9da2774c79210b8a880e6d07c5bf26b8ee15931046c5cdffcf9ff38b0

C:\Users\Admin\AppData\Local\Temp\uoUI.exe

MD5 59430cfb64fd968ec644b90066802a55
SHA1 08f0b06639373a5c3b38519868a6b37595bd12f8
SHA256 40eff092b48fa7daa4ba733cc9ce40ac9f923de26b2a1bbe78aaa37662ea9eb3
SHA512 96e4105205563a49f56bcfda7487680276664ec6cd7856b2eac6b7993455366068dfa555cebb9499f45694f68ebeed2a49c857bb48b92af5baf64a4e11d74587

C:\Users\Admin\AppData\Local\Temp\kwoI.exe

MD5 8af20fcaa70fc4a8a386b6e8e7926d7b
SHA1 e48bea0aad39eed24bf444a0be33012857032f22
SHA256 e03758b4db21db0e573c5260487f5bbea0f81a83cfa9e84ea11b49e0ecbaed35
SHA512 9798cd5f45f849159823086c358fe4cadc673cfe4edff17d4aaaaf68d9afa986b6b3a80fb11322171038906b9ada24e6e0f5b08eb52ab18ef934423bed3a0802

C:\Users\Admin\AppData\Local\Temp\IgcI.exe

MD5 66af8f4853f3be558ba3112660c7cfe9
SHA1 18fb4017747150a7406654ca5f3840d61ec3c867
SHA256 898c072fdca580824a05971167f3459eec71600188a6cde2795c941c0a583388
SHA512 9a713ec6efa28fdc979005c91186dcd50150496f174756e637ea1d72b5f48fa0a5be539099d664344e052894c65d9c301fb273d87a21a6ac7a04d3b898f365ad

C:\Users\Admin\AppData\Local\Temp\KckQ.exe

MD5 2b7710d3e07bb5bf6b1fd4b64ce17c00
SHA1 b3594ad34dae62034b7820a213dd16ee0ba50787
SHA256 bd9d923496c07cc9d89096da8f66500df25c6c3c867275e532eae72418b2b999
SHA512 aad2138078add5efdd25c092074e6ede3c5979b4e21e5da28495d3237ba501803b16007f6477a5d1cf6034ec910c4ca807c76d2eabd72aba846d56511dfb6653

C:\Users\Admin\AppData\Local\Temp\wwsW.exe

MD5 41fffbcd568c0ea57c00d006f5d6edc5
SHA1 b70836896843cdfc9ca186edac5450840ecd2d17
SHA256 7ec8dc260e1c37d9a5976c3afed6e50250cdb6e7e80a5a57d8afc186e0cb59c9
SHA512 34d13c883ecbdff6e1e4800503fd4cafc985f3764d5986f61ae089352e35a98df93d75a59136fdcfcce161983b69469fc2cf9edc42416ff47e04d6ef91666339

C:\Users\Admin\AppData\Local\Temp\lQsAMYko.bat

MD5 81f555c55e9fa36d3ae652535013a171
SHA1 e844d0c17bc457e25c6e14402915de67e662924f
SHA256 7a1c7903d2f7d98e65569a025b6ddfc04105fa6caa95953fcf11e6f986eae22d
SHA512 3b0d0fe0afa32e9d5c57c53d94b8f36ebc355481af3b23c9b903640a38908af989715851dd69c6cc07e5a0a7f6c28759dbcf29ca5345df2ffc3d0a2c4e4b0c78

C:\Users\Admin\AppData\Local\Temp\gQsu.exe

MD5 43656c695f5870860dde3e2d4e0103b4
SHA1 c209e41af44da7e5465e38f05757143522df8758
SHA256 b9124a6ded083dcd7c0b5d63ef9c61770d79e194a28ac85a54eecdf3601fe2ff
SHA512 ead9363f27701f0fd3a284370af641315bd76b8c42be9be4dfb309032a6c6c0113a71e1f973cd2f6f7fd0689d344ea3d4bd985c32854fbad0b8ae1d5145397a0

C:\Users\Admin\AppData\Local\Temp\McAI.exe

MD5 d70ec21bdd226b34e081afb6d08e87b9
SHA1 35bca489712ba7abf12f5059b4ab515bf69af092
SHA256 80aa0249593f55bca62059bfa8791b4fde88b96b3204c53950e6ed2e53f6830e
SHA512 0e4e2b7217a07561a6c871dc31971a8ea6bd0934ede2605ff293c13fb30053f44079d4e33ef9459d2ddec3c9fc7722dbc43a0840d94b9a984784b2faab5021f2

C:\Users\Admin\AppData\Local\Temp\ikYG.exe

MD5 a9f59ef765696024c55ca92db0c9950d
SHA1 1e0d1da4f2cb52b7c76856e999177441a5e4700b
SHA256 2b0951f68a8c22f3db11586e6379e45615d9d44b856cfdb557fbca2c60107411
SHA512 b1f9ae43b39b2d82667b567729a8dd0ccaf1448bc4153e0d4e59bed25486bddaa4f98fa58ac287eb50a4d6fa48dc037323ebb88838c584e45ac8e5566f5c50d3

C:\Users\Admin\AppData\Local\Temp\eIYE.exe

MD5 c8651033af3bf7273daf785e02431422
SHA1 a7cc7b6b954bdfd527781a8cc7a8e0d58143229b
SHA256 c7d7a11a5a2faf98dd86b23c4e5c014dce0d4b8ca442887556a3f9596e09bce0
SHA512 8dc03d76c00ada23aca01f7a194a28d7ccdea70915af60b8b6dc2786d8f1811233e19bd200015d705438632ae1076897abedbdaebc2370755e4970042dcce82e

C:\Users\Admin\AppData\Local\Temp\EkQE.exe

MD5 4b52dfecc5f5a4a471e2ee4ac8d4196a
SHA1 15fb7e388ffd43a5cd06a559bb6711f22bfad58e
SHA256 ecea445dbcce560c4ae6043d31da2a80f5f2067a34a13d282f6ca30605f8f17b
SHA512 7d6cc35dbc1b4033c07bf8150bbd1da5d1eab7aa41728d905633e2b8177fd70db84f091f1622ed9f686515e1cbcc0b9e56df26bdd3ec2dfe4c1054f725f47705

C:\Users\Admin\AppData\Local\Temp\QccS.exe

MD5 183e0d8478bf2de032da279713d10ab2
SHA1 4ad729adb94b5ff82f9371a05e6d8b526c3b4735
SHA256 a2b3102b828be800cc48ab8145e031e8c453aa5acd1e0fc92b97bad100053adf
SHA512 af42b538054b34a8e0ae45123616cf2063a38930d81e004745ba6dd10ce419a6c9972d5fee87cc23a2be7ceccfd1cd648a66596828785253eaddb21c4a7530a9

C:\Users\Admin\AppData\Local\Temp\cMsIkIsg.bat

MD5 1dd86e27de9e6225855a20eb1fa6bfbb
SHA1 c02980337b5fd2c10aaa87e1d25cbff0329e9c7e
SHA256 536c0fda6f5281638517a9bf6edfec43634883d5bde9a0f4bf0e212f3336ec04
SHA512 ccf6e7e5039b84b4845a7fe79e456285f9a94e4d5fc518f98925fae30456e1c253e5ab24391d1ee5851ec85c20ad8b65e8c8614318040d4b74d5a13ee85474ee

C:\Users\Admin\AppData\Local\Temp\acwc.exe

MD5 3805a2f0285acfe4b413932c3e0cfd20
SHA1 41e36f5bf7fd5b266e62410a4d840abd8180051f
SHA256 c492b76a7206eacb08e5a5627f57cd486f6a327f751be2f01cc733ec871ef89a
SHA512 84d7175a7243b96136a01f80d0c91897ad2047d4f2d3c4ff6346cbee69243a99b817fe21d5bd58f9f8e1b6e4b9ee00141b1809f50585ace609a74c2d53b9cdf0

C:\Users\Admin\AppData\Local\Temp\KYkS.exe

MD5 100a43aa04f127c46d46dc74fd0c89c1
SHA1 c3068bc7e1803eaae67f4e843f62461439f0fd2a
SHA256 df5d801da15ec1f10a28cdecae8a5d3bbf5b28ed9050381f47499ada9d4d526f
SHA512 925e7b48c25b659319bbdbb8b2caab77d6141aafe9a882b756fa70d0e5096553091fad56a1c9e9f156d74c109910e72d8a291b7690d4f5f33ad09f8c42130130

C:\Users\Admin\AppData\Local\Temp\sEMM.exe

MD5 75ff292dab335bb906f14a324fd7d0df
SHA1 e181a0acd975a8f3056526a737040a79b7338583
SHA256 b4c44fa1235be16cf97d50443dfd9a95a198387afce3b5c8a621c31c6b0bbd54
SHA512 ec08bd688eb376d044c63e9d4a162036a754d97db00d71de848068a95d98962860480cd7aa19999d6fad151dba33d7007d12f16c0476b3a65e54cd90c6dc1407

C:\Users\Admin\AppData\Local\Temp\Eksa.exe

MD5 768238c50dfe61af378e6400eb6e33df
SHA1 9e4ddd7d8e9f1807a21dcea487977b179bdfd9af
SHA256 597c405e1c578711f0fc89ee05a244003728ee656a7842867abecede0e190ae8
SHA512 15262a00bb5c11fd3074ace607882ce8b59272d3158d4d67fa567ba6c4a926d512626f6b0d211eee6b76517a6f19fad56028ce7079cfd7537701e30c75d9de76

C:\Users\Admin\AppData\Local\Temp\WcYE.exe

MD5 c4b941e614e8bd0959dedbb0598a109d
SHA1 5f337ade296a4308ac12d48f06890beb7332bae1
SHA256 05c1bdd6ada507e32fffdfa7565efa2895f08a2a3b3f12fb05d1c77c964838ee
SHA512 5488083e5f40f2b3ed94d0e47af2e8507e084e2f4e76cce165105a56f80c2ad98a4b89dad94ba4bbb57c59f051d0ccef7328b5f7fd581421fed55a33d4726879

C:\Users\Admin\AppData\Local\Temp\EQQG.exe

MD5 bfa66b0ac4f87e3aff9d3879d72e7453
SHA1 2317238def1d290219d54a173dd19a9a393ac694
SHA256 7a853c9767ce800276f8923fac093e03c08281b6f75bfddade5774f3c3d389a7
SHA512 25d047815ccb8c1f4aba45afc693f074c00b54fe6cfa7d3df6c01edfb1c76ec90c91e3168053d365721a374c8c96cb9227ab01c3388172c21caab2202e32d5e0

C:\Users\Admin\AppData\Local\Temp\sKEcMMwo.bat

MD5 2eedd94e8eaf0b20e437c5a1652bf2e4
SHA1 fe021c4caf693529939a1b4b479bcd97bf812a77
SHA256 4f37a5ce9bacffd4709fdb117d897a1de37d741bebf36568df8e09d8e2dce4ba
SHA512 f7fb4417834c12ed33c0abc63d1a03ce683e5308f90394050f5880e548f09d1009e57165c2cab4cccc24612a7d32afc719da6fa8733c57fe0b4e710b65a0eeff

C:\Users\Admin\AppData\Local\Temp\AoMM.exe

MD5 71f54498eadccf61f3fd3e75c92466aa
SHA1 45e1ee6aa0606398d7190c00ef8d7890e2cbdee5
SHA256 9db0f6cc786d446bae680f5c5272a02cb44d5ce82e9c6e7b2300cec337218214
SHA512 bcd747556d3bb33332907b778b8f3e8f965c7fe1d2f3383713d6450289a6982037eacebbcacc0317d01b2e87264de3215817a747e6aea85355f8d68650c8e485

C:\Users\Admin\AppData\Local\Temp\IwgA.exe

MD5 589b1fce0caf00f9252c48ae0fadc008
SHA1 3d38b3bd7fff787510a4f714c373cced1e3a06d8
SHA256 95c41210e8fd9d1be1da561a420663aca8a04275ef8545761898a291e8a2e35a
SHA512 17dbab886064384ead3f7477569d315f99e031ff5514ccc85745a01dedef4a0f716054af171a2f50605571af80471de90d764dd53274bb6f85607c0ebe6fef90

C:\Users\Admin\AppData\Local\Temp\AAIe.exe

MD5 9b78518332d9c36c70a2cf696da8cc61
SHA1 26b0be301904fe1644c6975adaada3164a358511
SHA256 e3bcad4b582d716652290ee76f444215f22fc8af1b401f0c7a042ebae10c8a40
SHA512 df5b46ab0c1d97ed5faf02ed681c8c4689fc786647b6ebb9992ebdd6316d1b926e526bea9ed62d41450140dcd91d9c2dbf357196e2ba8c8b3fed2ce9f6a087a1

C:\Users\Admin\AppData\Local\Temp\mMYY.exe

MD5 1e78ab1677a349408d88caf739c6401d
SHA1 1feae890d43203d0822cda94196d1c1641603a53
SHA256 b86a9e9c6522d170696584a63bb7374de92c38072f7d406685daf1081216144f
SHA512 f44c29d4a7a2449469e52f6fd173850e0965164afc0a4c6cbb305a31d474b6b572e66d2dea02658689c9ea21733087e3836b3afa77dd4278d9adddee06b4f4da

C:\Users\Admin\AppData\Local\Temp\MYQg.exe

MD5 b836788c3862d7d83020a9b1a5720abc
SHA1 d7e7b1b6f8a9f3f8566a61fd6e82d249dadf0029
SHA256 27b0c68f42c9278796b7a65358cd95548f28893d65f508ae99a8b1cd5c5aca63
SHA512 15ce260b821d2f7fd88076967f12ddcd96d96927aa26a1d57964916ca3a04cf7d4cd9ee38b931a9f6d313d68614f30d78a55c0ca9e11233482df600c58b15093

C:\Users\Admin\AppData\Local\Temp\wwcg.exe

MD5 bf0b04261033e939d154ee4db114f5e0
SHA1 56235d3602ae6dc62e5cdeff2af29b6a117e3c4b
SHA256 3de4a3360fd17132ee521b69751fa78f34eb389254f18efe2d5279b731fac25b
SHA512 3078aae9e6d91c68597e9d002e38468379282f744e93b41b1c1524dc1ed249dfdb8d10f7ca8bde2ad9b9bae6efd9d1638ec5a5975f9184077784262ae8553cbf

C:\Users\Admin\AppData\Local\Temp\mAIS.exe

MD5 463c5fe79f3cf2c7a8e944ffad9531c7
SHA1 c76ddd4ffd9205b549d6cf599c2f31291491e669
SHA256 fbdbb7e3367bd8a8d06c371573e35f14d6de5961cf30f388f852af08a084ffbe
SHA512 1aac26b93cc9f823f0acf9416e7b89c869ad4c4ed82b50cecebdae0bdd06e30b6a2c33478874057626adb43a6ccd776ee97efca98621f05179c6e1c5b2caecdb

C:\Users\Admin\AppData\Local\Temp\UQkcAEYY.bat

MD5 0504bcc65c16212af9bd478af9cbc533
SHA1 eadb0543fd18667bede0f13b3457b509f3d678f6
SHA256 6d7584dc225e098624d0fb4f8bf782bdba1199d12a21ea25aec4d9ca467b5a9c
SHA512 2e72f8ad2ab79af727352947a01863ca1213953aeae26bce74962a7ca775f92cf0cbe5e0fbd24ceac18df18f2246da9f20f665bb0ad9b6b94ff82405ef24a867

C:\Users\Admin\AppData\Local\Temp\EEoc.exe

MD5 6ec7d43fe2fd388e07dd50faec15d55d
SHA1 c6974f3ab0ac29352adf593fe2eae07524f42e21
SHA256 a73c5a820b30dc2bdc9a1eec1dcb18704ce7e2bffa615f578bdf5cd004d57fd3
SHA512 14f5db1ab374d455e4944a552dcb17d82d70efcbc03536222c0576589b56f4fa3b3b6762cf6c38176cc5d5143cc0c19a34c8212a7cda176d04ff8f0f065e6ae2

C:\Users\Admin\AppData\Local\Temp\UAwU.exe

MD5 7a9af08d11a560ca5dd57977bfdacf81
SHA1 9514189c5d8620e517efa9f1c9a34223d9f05641
SHA256 2dd35191383dbe7f61d1433406b543cea0692a2637a2bd90b9de37dcb13d449f
SHA512 9d8c2f22c151394b442f8caf130d29b0d580b481f47eea5f9d861344e9b062a060894cce09d4532ae0b00182c4407dc9403b5fa6509f4b717802f2405a8d3497

C:\Users\Admin\AppData\Local\Temp\qsco.exe

MD5 a26725fdbf682c9a5ba1b443d8d17071
SHA1 32b9bcd3c11517cbbf9693354bb375f25045375c
SHA256 dc39849aae9cf964ec97dcf9fbda59c576e5f4a443a1b6566db0c3653a2a778c
SHA512 04a807d24d6ffefeede30841b7bb5ea38aab890eb704b9b6705f17d2536b1dfa8c0541a67fa34eba7cec33b477023982df26a5407f53b1342a685c21546151d7

C:\Users\Admin\AppData\Local\Temp\WcwY.exe

MD5 112094eb4171f1fe1d2655bfa4dd0dd1
SHA1 9f37d80c65d6c004066d9fccf178ee53da3d9a57
SHA256 33b1d0b6e5c5dfd678838c4ac47e7054b9711ff8d73554a3aa10716fa4a0ee69
SHA512 a362885c8d8528e60892b17b8bf8b12b27c5cf78f47e4e04fc577a48e4a5a9d9e880dd31f96cf904d3a45a93a027dd2dbaea3e804ff5baf144f16419e54f8752

C:\Users\Admin\AppData\Local\Temp\IsYW.exe

MD5 4ef2ea041a0cce794d5eac4f953a8000
SHA1 f0dcea0b5fcfecb6f83a2400f9928a132acfb90c
SHA256 398ea47a23a6c6c0b4ad69720f33c7e80462d90163eb924da5f53a6d8300736e
SHA512 b39de0c9ed535f45bc3f4cd8334cbf1066a6d1b848983185720acc889fd1ff0b6ad08f4625b5c2056ed1ef8fabad6d30e1bbd80cb1df174d8ab3188357c212f7

C:\Users\Admin\AppData\Local\Temp\owYK.exe

MD5 9ac417cd41be3bfc7703bd9efd0b819f
SHA1 c3b4e9f555228c638d8a1860617878aad6949181
SHA256 1862819b2ff757999f060d1274ff426e03b2a574fd6a017a1ff0448ef3799300
SHA512 8574caf794ce4551a431b4fe827c0c643cd86377f38564b512f49a4c39ff4556bf295e1a225e064227144aeae185b19163d5319a50a1a95262776ac1f2aa206e

C:\Users\Admin\AppData\Local\Temp\gWwgQcMk.bat

MD5 79e917dee97279476ac4bf3661dfaeab
SHA1 e829463abf1f2b38383001706ac62d721b49ddc5
SHA256 37ccd4cf5390f1a9078990b1065d1ebbaa8b26e4e288155053f2302ccd7472d7
SHA512 b9c5170fff3538a3862dbfcb568271a1d154fe5d02f648a86d8d8af293ef9b27a05da7edfa36c5bd771837355c6cf5d6395bcbbdd591c207935141641a73c1a8

C:\Users\Admin\AppData\Local\Temp\SwYq.exe

MD5 23421c1f59e0c5ef37be6d286fa90af9
SHA1 baead67a81599ef322fc6cf8f1914b535073f661
SHA256 7ac02f3433e287ef1fc7b5133c94014cbef753a9e9d3303d7eb64289429cd950
SHA512 cbec251115c268349b44d64a2d35b099bb7eb83267334685fbc63b5491a89df72beb8a8093dbf102f001c3af5eaa204a765c58d46d47276151de634897365bba

C:\Users\Admin\AppData\Local\Temp\WEgw.exe

MD5 b8d6caf2709008eea81f69f9fe59cefd
SHA1 822ad5aa3d960c028d91a149199ef8f51792bda2
SHA256 73f5d91144c5bea1f0d2cc160c6bf82d3ffde91c034ca58818e593060f2101e4
SHA512 2f77b00a568436a4b9feffe230459372548a2cc999e31aa2dcbe9b3105210c06136fbf83813e49ccecd7da42782f83684cfd7e9c612422296ffc4bcf389a0067

C:\Users\Admin\AppData\Local\Temp\KEME.exe

MD5 990cc6ecc01e3da7995465e7ce64c722
SHA1 0c45c9f0ec94bff55201a1952d2e5e7479e28de7
SHA256 75434bf3104f5fcc628d43a7807fbea19fdd9ca55d79fd2b16d712ae3815e5c8
SHA512 ffbf45906b0e84f7ee29412691a7cc1184cf5e610802c2929f8d735687c30d1612346bee164937e43ccf5f16abb32fd71e569cc7097bb43aa29a0a6eeb02a655

C:\Users\Admin\AppData\Local\Temp\kUsE.exe

MD5 3ea21b564cee307ff1cfa062cc3595f6
SHA1 0de57819813a94ef33155f5f06b916d67ccc6917
SHA256 1c8cdeed30481ee601812cb0489e626f0e0def3637f5394a657aa13f30c17786
SHA512 d1ad1c1e6761c6cef83500b154e7f3c0d99ed1819a239a4da3915b88cdef071fe537699cdd8e8cfb1f7dfb8b4aed4dba404d9be45645719f4760901c53573f4e

C:\Users\Admin\AppData\Local\Temp\wkYk.exe

MD5 ec31e219f4d75f3c7a2f500a72533305
SHA1 3288751a8f60991d532f0bf43050c9c22c60d686
SHA256 cce40d274f42cf5c3c6ea9156488d2eae74017a89a1329f9865d25de0f920777
SHA512 cb933a2e0a33677abf828098d3af9b5b3760aa059fd2dc70f256c7f6b48a7dfe178046fe7904a88c33decffb17e9a88eabb7543f650f0751264704cad9de4d6b

C:\Users\Admin\AppData\Local\Temp\pAsgIsoI.bat

MD5 4d1d2ffdcbc68798d28fa05a92b6c4e9
SHA1 691d2a39c0cf72e72775a58e2415c7432ce25079
SHA256 c4ebc2191a6687433c1ab49975d05e33b8220c923d5f2f5028679c51bd766fbe
SHA512 6d720592c9815a8271d19fd962eb8d7520849fe269ae92ef1ce487f44d4146fe6566a9f21c7ec79f289ec68722fa3665277a64938b7073d03f88bf1d5970c7b9

C:\Users\Admin\AppData\Local\Temp\OggY.exe

MD5 edcaab92ef5746f75dd70f2de5b63955
SHA1 5832a4323d9609654a5e9a5c327f8c12f0598a02
SHA256 9da0fc5efa5d7222c1fb06657d6d9628e8216581c7e0ec28fd4cf7b2322b79bd
SHA512 02ac9688ddb2d5f018429ae4e53a2d9cec0bb25b235ed8ca531975e7226c265d7f34542f9278ce8308928f8aed29d8ffe540ccf82abb85f338de3a44e6a5eb09

C:\Users\Admin\AppData\Local\Temp\SMUu.exe

MD5 f2bbb26719b24cbf0ccfe63350949a4c
SHA1 b935bb056d5e7d63a9944779b4ef0c1228b01be5
SHA256 c822770dc1d045a50f02f2adcd389b80db3ddd618233a36a01983da2cb12c5c1
SHA512 e021d443b4011842277d85743fdf198a69e52c5644eae6e11f73f5d4a6223a3cf7c43b88a2e1b7dbc491293a1e5628ed7d52667cfd4f686399e8b1d1c2a4f3b5

C:\Users\Admin\AppData\Local\Temp\MkkO.exe

MD5 a833999310d144a71bc7e90dcd3c395d
SHA1 6201f7402f173a238d5fee22a5b4b0203184aba6
SHA256 46a56daee52467f8376dca69247ce27ebfcc123fc9c0e881aa96622d802be15e
SHA512 9813d3e0c9845eb0795890a92385bcb4d364e32e9d97f94abfc8e27e4d6710bbc79a8cd15c87b59d3f278c671747a71a697556609fa79a1b69bbd7d4f97043f4

C:\Users\Admin\AppData\Local\Temp\YYMo.exe

MD5 622c35457ae3735b333dbbc42730e59f
SHA1 24382daed56ccaebeea48501a94f54526cbf0e78
SHA256 e7e6baa0a1cc19bd474d050505325e13d4a0875cf6bf588d4276348f912745f7
SHA512 4d0ebb41cce2f359445330483243e8aeb0bc3e8c4dff4f28236627077bceb665d010275ef1654bcbae25ac1b72e3e2329d881f5790f934a3087ad91592b03992

C:\Users\Admin\AppData\Local\Temp\UMAa.exe

MD5 9cd97232563f3b0e1c42c6a15c1a88f9
SHA1 3f39930ba73b0ec7d7b6fc6f6f114a8831dd6fd4
SHA256 98f1b97004e6eae100d16299b77984912de523c3fa4c23b7d99702ac189a51aa
SHA512 b86dd76acde6ed1a9789ec525c63f93259d388ec59976bdc90c36d38065abc2be5473d3b191288d7c621963273eae89250ef1243fa71e2c584db4f2961d364ad

C:\Users\Admin\AppData\Local\Temp\XUQsgQoQ.bat

MD5 c49345a15a157a739f624241756f35e6
SHA1 25979c3fbaedd683ebd6a1de840275a48683e78c
SHA256 3cb8ea34ee7967ae419db5d787403af703fa311060ce8210b11975a6aa53addd
SHA512 7596e6b2e0ad15b534e3f51c5a45e03e2840762763d1f6d3df6e266d8234bc40b23b4f92321e0b30533157f4f7691190d13c4af929157b6685786cdde9e0c758

C:\Users\Admin\AppData\Local\Temp\YkYw.exe

MD5 893d2dea1afd7cba8ea7bda2cd450659
SHA1 4682924fb6c3e59b805551e72548112dd3eab72e
SHA256 ce9543be4d538164ca752e8e9d159a76cfc010246da62c4df6e4150f21f059fd
SHA512 e8d652ebc81acb6dfb7b044bba0259f8aa5bb1ceee2c2fc7d357d9ba96522e1fcc42a0e1222c77844167aea73ffc649e553b00cfaa4a32b1082a4f5ff6864059

C:\Users\Admin\AppData\Local\Temp\ccMO.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\eQge.exe

MD5 51bbc66d91dfc6bcd4081846726a7b09
SHA1 2d530fe24c769d5f12cc6fde8e8b3f480df34b80
SHA256 0dba5f66fbf9060a731cbd8d4195519431266b72588f4c087c49c68d634abb3c
SHA512 33babed9ff6087189a84dd7ee7c615557e3ae6d4ee48c14fcc4c2ddc45b39740f6d4d86e8c9dcb4fc40585bb99b9079c4da4624788041f09bf62e099e4337d30

C:\Users\Admin\AppData\Local\Temp\gAYA.exe

MD5 0b52499e921bb6066361ea20d6e190ae
SHA1 8bbb92c6b7dd049f0c26891a64a87400fbf914f1
SHA256 834c9a714b13de287fa384604fe47c1f9d7f01460718bfd7a133db5dfc23ccb7
SHA512 dc8f29716445fc8e3f7c56c6bac2b8e95233ec2181ed8a88283c382d030642754055ab383ef5fc43da659ec03a02941522df3e91ce0aadaeda4929708e02cc71

C:\Users\Admin\AppData\Local\Temp\uIME.exe

MD5 feb4a84db4597515444f4d4d55b777bd
SHA1 df35f4400c6bd8777501dac1a4baced4e6e810dd
SHA256 a2ccdedea46d37f248ca0baa9252c3340c95b7c7e74dea212018a0fb27431d47
SHA512 3ccedf20211459045c354fb8284a7b870be36f5c470ad4a0f016822e2a14855171f56689daf6767479c8d6f45ac4a1d8c7e8b5955211edaa2bd2af76a93e0d11

C:\Users\Admin\AppData\Local\Temp\lcMYoYoE.bat

MD5 337494434b69489752be99ac35e58248
SHA1 94af1d03b15053730bb675633bc955d2138343a9
SHA256 3a545dc742ec97185590688c3e217738e0dde17c1d0c091668321f6cbbfdd943
SHA512 29d4f6a83e33949be4a9bffeda597fdb8fab6b9dfb7cce9b4a220dbe2ddf3b8deb97b69ea91bbd95f0035de5b84e275ed62af4e443e8a9fe8e9183814ff6ee87

C:\Users\Admin\AppData\Local\Temp\nAIcUYcc.bat

MD5 6f057fca1727cef1553994884b0bf883
SHA1 37c7dc832c9f3f2b537a2fd6881b6cc1a4ac5194
SHA256 e3685ac2bd4bdc9e7eeeea6962c2e44dc1ae2d7315ea3763177aa8392e6b2341
SHA512 0abd4bb56fd29bbbeeea2ac6ab224813cdc57ee1fc3004e01dce24761daaff4da94fd93fe5ba3b4517a19629f02844106841c6a1cecd333fd6eae2b8d686e445

C:\Users\Admin\AppData\Local\Temp\wEwYMwAo.bat

MD5 6656d00327dfb97d7208df1ecb098f79
SHA1 a4a8171e49da814c387aa2110ed65caef7e3b4b6
SHA256 f14c6922b4775648e5ddfe8303d50e128a50283b485c7f43108abaebc80fcea3
SHA512 601f7e1a02b896bb471a9b1b1d9879b55d3e497704ca370132312332331ebff50f8afe8c431d0e61acbdd03e4b6c9c1a9b5705590c9c228b9f9088a3e964efc5

C:\Users\Admin\AppData\Local\Temp\AoAQQIco.bat

MD5 6d5c3d0ceb2a65c7ff5b55b41a9372f5
SHA1 fe7610726a2e5c983b41a23e522cb6624b9133a6
SHA256 90997de2d5fb686e5fa7a7a10d73eda41af2127661c827b6a6d928b24e5dcbc3
SHA512 4c0c1a555d230c6d84fe2dd25be0edff8d0eb917d63759f153bd122e2de3e06f253a291bcb16fcc45615361783b16924792b9f4c2949054ac6514d60c07bc52c

C:\Users\Admin\AppData\Local\Temp\gEscYYEM.bat

MD5 2bfc855bbec5d84f5b22c827ac5a5e02
SHA1 03539022a2f89210dfc95aace276cd6bb4d36f44
SHA256 ed81ad06fbf5ac0cc6c625dbb761250aceab1da26939ef95c02f07a37f8b4e7b
SHA512 33938c7b6c9d6701dd13dcad81e24c44a525eab8504c6b6f25ebaf75ff61f30276bb0db731a55a59b857f3ccec7b5f6cb6368e299c86885c6143a673fc596746

C:\Users\Admin\AppData\Local\Temp\mWMYkkUw.bat

MD5 06c718cfffe477de7bbc9726691c9941
SHA1 e748ef591d40c721ea72d0342e1dd2cacb8035c8
SHA256 05576fb6734bd944fcc5adbc8463fd88e3890087dfed0c6a39e7731b93c0b397
SHA512 5fad18eece8db2e90a0f2e61bf25098f68dd3605a1c4d5995bd2a381c4062c2e5bf49da40c42ad89aea18bb1077412fe39ff92dc6904706a8f7b4b56bbe0b426

C:\Users\Admin\AppData\Local\Temp\iessQgoM.bat

MD5 b4549a8a4f2e654c4cbbb14d4ec698c0
SHA1 c35fb3ca057974d7450047cd84732ae7a1d697b7
SHA256 367eef28be0f913767f19f90f3984d420d3f2306d5d861fa3c21f535167b668b
SHA512 374437e7994e3bd77b280126d1b85e4239401fa4e9103ff1207389c5449da5dd2f58d16136149894e0a5140238de1bee57c5e6b0fc9b340b2a50f7729917d3f9

C:\Users\Admin\AppData\Local\Temp\gOcMYgkw.bat

MD5 9be2e291d4c6366f11cc6d7d8ef7724c
SHA1 9a64de6dfe24900cd195c1e7cacc1d10713b81f2
SHA256 033350c4e5bf01987551873d7ed6fc469b680aed507da4740ed5389958d0f99e
SHA512 1f7c7d4a55fbcaa014c87dabe1d1203ef96091ea59dcc05e2b5d81c459fceb2504fa2ed4b2f28bb2da5d645f1eee6fb46b0934ff30033a4a4cfc6e83a40e6758

C:\Users\Admin\AppData\Local\Temp\BKsMkQIE.bat

MD5 a1158e696f128d616ff8764591e6cecc
SHA1 f26de799dedc38dac67940d59d0b866d185599f6
SHA256 e221b072e5353a4a63af636f2feb58449b7a1f9329e5d5b3265c9dc8b19d46d1
SHA512 aea44782895ac26e2533cf64fbd104046d6a33ed3ee3584fe95687b1acc974d1f5a016c24b0516347c41f38db4cff6f8644571e3227c265d14d93ceb718b4cb1

C:\Users\Admin\AppData\Local\Temp\ngUkQYQw.bat

MD5 eed956a25c8b72046719f74edf9bc63a
SHA1 b642c8e0c4bec87b1ed3531fed41f6cffc6bf3f9
SHA256 65e3ddce4f95dd857503e9a71e4c062b0a31486f0c32a1af7214c58d004340ce
SHA512 f6cd4c27f7de06ac84326dde1120fca27fa2144f6874dc7c2dcbb4e105feee88ffca5da0443436f7940b43df360bfceecc42ec0adc20bbfc0dbe688cd9e80c13

C:\Users\Admin\AppData\Local\Temp\veUUQcEA.bat

MD5 eabd195dc155faa65ca3a36a769ccebf
SHA1 2a904e0a8a1ccb7286beaf9c4f8d4fb70f00e9bc
SHA256 18bc2c708e0b550fec440fe6f7d717edccb6112ed50a488890aa3c3d8528878f
SHA512 54e4b5e89ccb431009162e85757e928611545f62d0ba3ff3fe9728453ba78163ea53b3d96ecb413783a9bb2a6a73f497c04f2b091d321b0eef873e93a9c4180e

C:\Users\Admin\AppData\Local\Temp\lMcgYQEA.bat

MD5 0aff085322a24b5a13c85182e4bb2d46
SHA1 04d2b12e56092a80620c712a290394abbdcf6501
SHA256 978a8632aed9c2dbdae25eeb63ba2af0115d43d0845dd94dfe81240fb94242bc
SHA512 462afbf3f45930ab18b669f87eac6441e3320beacec46efbc1c2053059b32e27b125f8ff57103025faf6fa770b7e593e4b24443e3c83225fa09414a044318167

C:\Users\Admin\AppData\Local\Temp\OQMgwEwY.bat

MD5 3d90005dfb5cc15eca940627432db036
SHA1 e0640cb81dfcc44a2c838fb4410bf91c25907701
SHA256 1a90be961c5b026cf1a5d0c5f64765466081d143b396e1a053e1a854972c5f6c
SHA512 759a118bb75c0c76f56e4147004c8093534f160ac119ee3408b8409fa40a6e8c8c4b73f02602d70e31018b65b08526115dcfa7135dfbb7c52ce3b44b982cc475

C:\Users\Admin\AppData\Local\Temp\kqAcokco.bat

MD5 64061a42dca7a3c98666241a02d65a4d
SHA1 31881d538f90da2f5f201125f4fc70b8364475a6
SHA256 fa44f13cd41fe2d9e5f5563f74e8bcf483bf21ae2e0f9e9589953755d265b30c
SHA512 8d663642ae140bfe9de3a71de3feb34edc867347afff9ce2527bcfcb454ede1411bc3d4749a625d8b64e275ed1e6a178856ec6de9b048185fa515df2d2e140d4

C:\Users\Admin\AppData\Local\Temp\egcg.exe

MD5 344092a34a403b64f34da5015bd8cc26
SHA1 7375c2867b0c6477be0b6d3e6788026c4c8ff4c9
SHA256 6e802cd9619f10ea11bf2f596c1757c15f1e6f45d13716e434847c8b4e4f15f0
SHA512 9d50692fe78a997401386c9f080db9846d966302cf580af80f7d55db9051763483f7a209e6a5102eaea1456e5ed825e218e3ec41694f48ace07120367e45c2bb

C:\Users\Admin\AppData\Local\Temp\GKMcIUoU.bat

MD5 0a686839b0fa113c01466b57db29bcf8
SHA1 1bfb1dba855e5693a0c46ab6aecf491ba655630a
SHA256 c84999593dd84ab4ea4c1b0e7ccb10b3c32818e1fb8bac931939d28063f50864
SHA512 df96dd7ec7c2dd3d2311a94076532a96eb5590cb370fdc8e96af671653fa44939917fd9e6f38e875075e78ffd5be0ac3d8628e006d3e4bf7696453cbcb45954e

C:\Users\Admin\AppData\Local\Temp\iUEQ.exe

MD5 af08d708536d9c9ef7ddf3746aeaa776
SHA1 ec5dc15d40c8f9a48dccc09b87f5066b697e2ae3
SHA256 06f8108e40636f710f437a60aa87529f85b16ca5f653163fdc77adccbda9c61e
SHA512 852306edecb8aa8f67a5b1e11416a5fde51c26fcc75e98d79e81c50adcc205a8c7a469cae8f9bd1d2590fdb2d7f01a0ac1130412dda4f39f150aad18c6090864

C:\Users\Admin\AppData\Local\Temp\WMAc.exe

MD5 067c297780f71e91d09b39e0eedbf4ac
SHA1 43f335642eb498fef85d89b2d304d066af687361
SHA256 e557e45ebd3692bbcbeaff3925fc9841d0b6f1c75deecfe54cb749b27ed03624
SHA512 747cb2f3302100e7d7d496e7b4b201e053ce7ef1f6b310cff3a189d6a346d198f8ac999dbae2e88d4752033b0b75feb6d9a7058aefebf5c96344b0b0ce707f52

C:\Users\Admin\AppData\Local\Temp\gUgY.exe

MD5 09e579604ea874d884ed2ee35a235130
SHA1 97c4f0e094d32d877108224c9efe8441ae234220
SHA256 e98f39423d653c9eb82365e8a207db33465c6384ac231d29eb429adb86fda6bd
SHA512 d2fe9d12d3a0c1ca89e7c243fab6c9a5f1ee8fa28aac27b804fb3e5c2d6cb3750a2a4e41ce89d52dc00814493f63eea62c1ce2038339ec7f8db8ee261676c549

C:\Users\Admin\AppData\Local\Temp\cEgU.exe

MD5 413ca1f063d060254ce96a97474bef25
SHA1 8477d82861e50379020b70d8f0a42cc30c4eb31b
SHA256 cea193ad5d3db043b643db06e4fd636688b2362ada35313366b2cf9883954802
SHA512 1352d975b46eba1ae622bd64028c1d25da62b01144cc7e2f8b3851d33492234942e522a89e18e3ed23d486d95ab88e999c0cce6ee7d6b4953700c43b0be20acc

C:\Users\Admin\AppData\Local\Temp\goMA.exe

MD5 7e4aa77c41e809e8e6365887d3172003
SHA1 43549a586afd47fcd97bd43bda0bc824eaf41812
SHA256 724f032ddc64d08e5c318bccf92f8a78cc718c3d5cfc0584eee8a914e981e208
SHA512 71246ffa3adebef7e4c52ad183bf6277dafb7ff14428c3c45b770cabdb665b0922a3834083aefa86094708a7f7e4b37ef1a29f20c4fd25a09011f297fb2ec07a

C:\Users\Admin\AppData\Local\Temp\UQwS.exe

MD5 8e8951710d5245ea18a44332faad46f1
SHA1 d516351451299bdb178dbc7e289a206753840270
SHA256 8087e9a80a15db9ae0d8e9dc0536540acd2415913acf5a73fc907aebe8f93ed8
SHA512 0ac1ab612ccf98fa7b476afe197d72d1409900f69e69cae28bcc17d4e084f8139f3935a6f5d7a2dbaba30452f035f414a82d04b4ed17d5bd0ce5097428e16be6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 cb6e5de70cdfb63c5bef5cdfefa01013
SHA1 dac5b8ebf61685981651ad936922eb79184eb426
SHA256 3f3b687ccb9e848b1c250e32e60f0903b13380981a3bd510057ef3fb7529489c
SHA512 cfcaf6fb7d4c97f0c556590895891ff094bf32f6a28d3a3b0c418f8cd835e5f8e75d8de47c386915e5f5a4989e371dba3a5627884b65171f678eb318b23fd2d0

C:\Users\Admin\AppData\Local\Temp\OAgEgQcs.bat

MD5 b69a5ddc25822c1c433f56d136e1d196
SHA1 86af7d03537481f8cc56ba45edab7d469e3b78d9
SHA256 3dbda802bbb973add89fa2ff80a56acb6af73d3f75e6d6bb8d9d1c4fdc2a474b
SHA512 26073fed8d39fdb6916fea14779593da7814bebac090a16104f1c16103da97ce52da7dec4dd848277f138800598cb8e68cdeec994501fc15962da003439d19e9

C:\Users\Admin\AppData\Local\Temp\gogM.exe

MD5 348386a99b37fe3ea4614a13552ac81b
SHA1 35c5a9952133bbc043b9934eb26c20c4a876a1d8
SHA256 fedf83034e9af32cfac4938805a05bde6edfb652e2e7a507fe8f2e978358f520
SHA512 64054b288626f7dab0e251da5e594acd52f6d7f999552750b3240e3700964f5b9198f1c758a22c8c5c456606d77eacdfa2e064c922a3f3b9a3d23fe1acf37947

C:\Users\Admin\AppData\Local\Temp\QkQk.exe

MD5 7c6c07d81e96ac028112916f00c2f419
SHA1 09bb15ca75bf6183218a21f1c871226897b9bb6a
SHA256 b9e138c16e3e612821a7ce36988e3dd07c04c8b7b3e65272ee856f5cf5066c4c
SHA512 be2c020dc0c8e688393bf19fc7f706fbad63647d86055f0c2c09a0d83384301537dc15af72a339af31851e7db253436c125eda8e95d945d86403011ac720b2fd

C:\Users\Admin\AppData\Local\Temp\IEgA.exe

MD5 f762f0e45338c2e67dd848441d13e0ef
SHA1 b457128de426cd257660bfa5cccf242199c3a271
SHA256 0a441cbc148af72fda3bf2e63da01e7e664c663f4a3af284235cf5baa6c48cd8
SHA512 de4b4f72b7767b9a3ce8348e4c6daec2a36cacd3e51bca33542269e2d5e100e85a68c04cb678328f134c917ab781f35b3bfcdb8a5d04357302e5c03cf6602881

C:\Users\Admin\AppData\Local\Temp\EQMM.exe

MD5 b1b55ad344f85ebf585ebb7c994b420d
SHA1 021b9ce717aa3ec6ffeb4482b2544ecc5a6d67f7
SHA256 89049bbf31aa328707c50710ba24b34c5394771650ccb985083d7d2b295515dc
SHA512 812808fa722b8b9d52823c46fffafe6e60aee55db1b8498f83688e0e1519392ea070a48e9b78b7c1f55be4e4dc7233e021dc11b729136fc681ed43d9e061e03e

C:\Users\Admin\AppData\Local\Temp\gsIK.exe

MD5 c0b2743bd9d939eec6ca2ef603942676
SHA1 6eb4b1c34cade36f2db91aea5440b7adb49591d0
SHA256 0747ece47adb5818dd809986bd457b5af8676ee2119987b48e3d982807bd5d1f
SHA512 585bd4806e40460f44bbbf8ad7fe5c127b035f6783a87fb8d3bc85bcc0cb70c3f2ead64e23bddc549d8e35aeea6adcc9213478841bac96eb034f47cea74ef781

C:\Users\Admin\AppData\Local\Temp\kQwE.exe

MD5 9e358b3008ef4eecebc102d1a53adbbe
SHA1 3cb849e11a5ba9c4896177c9af09dab32720b212
SHA256 9eb1b40d4d584697ddad7519d0b1293fade9117087a022c3af6e532570cde4ae
SHA512 d71f316dc3bffde3cf8da63c64bfc1f80021328bdd1cf252b50cdc612a30dae2886e52f21172b3e0915056ff7a3b791ff468459003a5826de1df0d87dae1c058

C:\Users\Admin\AppData\Local\Temp\GIoa.exe

MD5 1c7f690c41aa2bb0fc015194b76e0cd5
SHA1 73a8229e507a43e7cb2447c3f48550285a300dd1
SHA256 493ad09d6199692b098781f8e14acb61e084a512e2728ebfb43a507237cd7bd3
SHA512 5883455dc55631d871162c1065b0daa142c7d4e6c17ac88b4448304aa578c0bd7b491f9b827f73ebf0daa4d31e5f124414e3838379989e6d5082948346bf3b97

memory/3004-2474-0x0000000077B60000-0x0000000077C7F000-memory.dmp

memory/3004-2478-0x0000000003DF0000-0x0000000003E42000-memory.dmp

memory/3004-2477-0x00000000004B0000-0x00000000004DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mkUS.exe

MD5 834f76bbdbae38013319495ad142a5ad
SHA1 aab7a24ee7f95a1904fb1933a8dbc91fe9a87533
SHA256 7a000556f400923a9e93492a18acf7c1fcee9ab71eb800c3fed62ea6a9ffe3e5
SHA512 1554f62b1d4d24035eee80a3ffc9975773c1ec25a71c5d88b90d320eb5dd511a0a6647a5ee224e1493a92d7d6c8058a96ca67505d19a655085dbb4a0e67af130

memory/3004-2476-0x00000000004B0000-0x00000000004E2000-memory.dmp

memory/3004-2475-0x0000000077A60000-0x0000000077B5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kgUO.exe

MD5 9d3dec80f5ce502f2c632d5e43b2fc8f
SHA1 749f8e7309c188e345e3c2f51695df7af2cb0631
SHA256 1a175ac191d5851208e04d08b1021b80073ce873c67608bdb2c84fba281821e2
SHA512 972068a29d2c748269c0ed69ed67a8beddaac6ab04222a2c31d92fcbc2f2f6595e52d8a682cac54dd268d8a3ce4d9cd8744d044444d919b4b2523b58976394a3

C:\Users\Admin\AppData\Local\Temp\GEos.exe

MD5 e29acd10ab8e254df7063a287d4e33b5
SHA1 9df718c17d8ab1a0aaf9a6822a9c1a35d3212e6c
SHA256 f7e01589befb34ed21c603b4c590056d360959a6c51878431fac17733d7a4946
SHA512 904c67a077b5103a2cd4fa6426b96855e8fd5f0a128957659a441b4ebc64c3be1079846f2789cf91cf9619964ce48f95072ecb49da17beb3eec10db192d34241

C:\Users\Admin\AppData\Local\Temp\RaIQMYws.bat

MD5 4a18b7538cea5d5b30e259da2867ee91
SHA1 c62882e97b60b89dd95429e362015a828433eb41
SHA256 bf7f7bc301db77721669b04585e60ae9e877b86437e81c410b9f910c852cca2e
SHA512 5549c5bdf1f765b6c13d7ed70d9e6b0cd0315e2ea48bd4a96104a50457f4d8a244b6b7c7a135b708bedf2e4808fb25387567d0ed0f36f7d9c0189151c4164bbc

C:\Users\Admin\AppData\Local\Temp\yoAu.exe

MD5 cfb67fcc004b1c0d4b6725a10b94438e
SHA1 30a990de8e46fa06938f31b37aa4bf441815f11a
SHA256 a68c4cde96c9378d096a7348e3026bb3b24d3f875a380d9ce984d331bbf7fb76
SHA512 b95513b9397908e355fe5f1c784b095a83c0cb5c0b7b7a5e50f70c60fa5692abe1d8c08855972eca54d2cfcc1eb4026f743bfb7fa4e83cddb098b575479e28ee

C:\Users\Admin\AppData\Local\Temp\eIcG.exe

MD5 f429385e41a6b694dbd2ce8618d07d68
SHA1 9084e53cdd6d2710a2ded50d60a25c84eb8585e4
SHA256 224abb9d15170a63728aef4e50167a74ae25cf2f30e686a90396d09e55c9e825
SHA512 6bb00ca3ab3ddaf81f16debb46da36031183d96d7c5b12ea9600046a188383703a19f9de7c81875598885b074b8b93e92c1acd9c8eba824976cefcc3a5041042

C:\Users\Admin\AppData\Local\Temp\McUk.exe

MD5 8eeeb2c5e7d31df9627536f092e1cbd3
SHA1 0c0bd70c6309e155a236982a4c38cf46c58ec26a
SHA256 3499fd5cf5711b7c5d418f351726f5c01025a6a6ea3980a4e4804ae2b6b31ac6
SHA512 83800399458ea7555e379f9e378830e56da226a92c9b58aba815ef22f5e08b32d0ee781f9c5c86130c3e8355456054033e04616b0a4a58a17e2a8f8634ee99d4

C:\Users\Admin\AppData\Local\Temp\Osgs.exe

MD5 4c7062ef190af12e8d2821102aaf5070
SHA1 32157de0486fe64a98979d9735fdca7b9135a345
SHA256 fd6194f1382a37b302a7e55a8a6f0531cd5dd67fdd640bf4429cd77373b7d427
SHA512 1f39eb0ab09bc5dabb46ca5882265cb60d99ea346fdd36b5c6a83f9b4b0f27fb009c9fb190fe9a018c183d4948c41a94e71c71212889ef56ca5a8cc6545d10fe

C:\Users\Admin\AppData\Local\Temp\EsYG.exe

MD5 966eae29474c74679afeedfed67d1d74
SHA1 be49fde3b4778b0673161dcc2e52fbeaa84f1c61
SHA256 fce9e910e3662e3af1b0a8161aebcbf770602aa66803613853ad46f2ec9139c1
SHA512 fef056a4efa9b8025de59287e2de2d31ce57c03a3ec7cfacbd308422b2269c3d428ca00699a86057dd97564d46a9c9516bb042d43ebb38ae384f3eec5fce67f2

C:\Users\Admin\AppData\Local\Temp\pCYIEgEM.bat

MD5 bfab29c6fbc6dbf770fe51b9b83ffb48
SHA1 c19b300533d9d9e5c2977b4b29627a1ded2285e6
SHA256 7fd5f8f400c57d2fd93046ed4847bfd4cbdbe567f2b6531da507330edca5c2aa
SHA512 5a78503c3244b69a6ac059d5eeed0057b9ec3f15bb28577adc094493c4b1f638e8412d67cf1da52efb7c9beac880b8308a112a0027d7ec53e5ec444f5cddadb1

C:\Users\Admin\AppData\Local\Temp\GoMU.exe

MD5 07153283e00bcb58b78a51dd92a11916
SHA1 69f5a341bd8fd9cb75e0d673468c1215dde09a5e
SHA256 09ed30fe67610f2ce6516c6d41f776c2653e2ea6c9c5109301cb64f0be6626dd
SHA512 b685657bbf7fc7260ad043787814aeb5a57472f625389862fc3bca71c1b478c07b39a25ceb56c4916ce257cc96f14e5c181e2ff83a1aa7e24ead55b1bea9b132

C:\Users\Admin\AppData\Local\Temp\iEoQ.exe

MD5 e598417e53d0eb5fb63b7b416453c35f
SHA1 36249e7df2dae39689e3fedaf823470ed33b5fb2
SHA256 db008e34755cedbc556c08b7db41fc331783b793ccb2d1ac3eafad430e3a6736
SHA512 b80e6c29d9186ad966d31727cb64ef0acdb6f98e6703448c0dac16b781738f56e4f04a5bb4f67edad1996370cfd8a5d9f82dea4f481408ab93aef5bc16deaea4

C:\Users\Admin\AppData\Local\Temp\BOcwAoMo.bat

MD5 636ede6172fe785241bd94360d555550
SHA1 a22ac78071d325484e0770f48338ca336ee4a4f5
SHA256 eb4e8a98338ca34e8d811b379144c4fdebb4193e68316e05272c9bb7c0492736
SHA512 fabd178e99f70fb690ce081e10a24da5da3e5414280f368455de2f445193fa87e14dcfce30ee340f031b06165cacb86799859bbbc45ad422a18c064274087f3a

C:\Users\Admin\AppData\Local\Temp\CkIA.exe

MD5 d38f9f1bb6fa28e5b92331dd09944718
SHA1 67f42740db6f89c1221e4f79735274727267e320
SHA256 736610604baec993107f223e814829a5713b207c8c26f72728767690cc4446ce
SHA512 1bd3fa6c0da251ef4350bf9ed9d55a3dd0cbb6cdb0a43f83f5a2c8b114cf4c907fe7993a2b66ff886fbb98a1548f37ff7ad3290da5fbd4770216cd79cbae7526

C:\Users\Admin\AppData\Local\Temp\soQI.exe

MD5 6a4379a7c67a6efc3d78730f8b2c90db
SHA1 e081cd298e46595719d0d1c042aadc25d47b4d0d
SHA256 026a7b55f6d87a1577152b383d2c193bc713838af61931a3d91cc1779602ef1d
SHA512 7720264f586b9c49ec8600dea45659087ecf7a5adb63de1d9b52cbed44262f4afc2f5ae106521d2fc796a416593bb164ceae6b7691a46a0bb4e40196ed77b41a

C:\Users\Admin\AppData\Local\Temp\KOIQoowc.bat

MD5 d19a38389f36a95078b691d495d0f1b4
SHA1 a6aa71b37099268d6e73ad83d5cc6ce200c92be2
SHA256 7777424943d80c8c87963e49f75735dc379ee3a24df8a8944b95f23dabcce01b
SHA512 1d2e989bc12f8d9fc175845c69cc11fa4ce44109fd04b829b344a3ba710a0ed16db45f35eebd5d5dc956194a5945d7ae453ee30f0803f08ca936ab1354937303

C:\Users\Admin\AppData\Local\Temp\iEUO.exe

MD5 fb28505cc6b01a388415ee04d8a3b4f1
SHA1 c423c5f0fd0605067f5fcf054d7f044a642a0af3
SHA256 c1471e8c0d698913632867fe4086363bd2b5a0db6c6646d97880d05c70487afd
SHA512 7817f72892d3e1df95804f03e8aafdf5774a295a36256f3f91e00f17f00927ae7dbed7b3df032f2d32f676fde30dbf7f8795bb34f32e07822d2fc108f5dd08fc

C:\Users\Admin\AppData\Local\Temp\EAgI.exe

MD5 641623ee4b300d663e854cfdddc14a5c
SHA1 868dfb8ddedaf0ba8459e006930b496fd6b0c53d
SHA256 4de2013371d9650ef5dbc39a3d2fce864a23da3cafa0300fc0263fd7e4649c9d
SHA512 5a1f1203f2c420b2fe971c072edfd2c1ccf3f2023d48d75d1fafa4f8ba787846221708a21e8b9d5edfa57677908cf27b6c9555cd0fb471e70d95c1d37315ebc4

C:\Users\Admin\AppData\Local\Temp\uGkUQgAU.bat

MD5 31c8aa2d9477b831fb634c39057be68d
SHA1 b2ea69e8d0b9bfac32c312bdbab0860667baf3cd
SHA256 78bc0a9cd9a8b0d6420a84f53af3a038447e7317ba71ed71aa77e50105a00b8a
SHA512 2e112c9554500134b0c47114def30209fafe556ccabe14f4c089a4a935d6821360c4378dc7e5c65ff74418543bab82ce58ddcfd14f434a4638a9085e3e05fb32

C:\Users\Admin\Desktop\MeasureRepair.xls.exe

MD5 42086999eaf611aecf72ed997ad0456d
SHA1 3b83ad2405c70aaba5b060fe5a0f622b4a274f4c
SHA256 8c1ec93b7f53f0b86e6d97c60b4807e7f5dddfa3a1fb777b058a349508b80e24
SHA512 2e4db99a2fc84852dc6694cff7ee2f3a8b35a1627c4bf0c54df3355a9ba1565beae4bcb778960d8a8fb48552f47430ac5dc731c4647467c9045477aeae8218fa

C:\Users\Admin\AppData\Local\Temp\WssG.exe

MD5 0b1b6cb7af2e2153499a8b3a0d021c2e
SHA1 2cd2c6b2984b1ad73bd2c87ae1d168e1e820f809
SHA256 6da2b9215c83ea229a6b9fef62cc138ad3066af49ddc3ca11fdd126b95c44d97
SHA512 ad52ebd098add254f74c7afa67cf1e276c58f0bae7a3b0e16d8f00f71a1df1c5c7a47ec8a57d09444ef39de1b4b774a5f5d84756305cccaec6a8129980c4f783

C:\Users\Admin\AppData\Local\Temp\YYYS.exe

MD5 204f4367de4a27f645b06d430790eaa5
SHA1 8021c2911f1413a838f7876e3a9096eb9c30211e
SHA256 a73d1bd2c9d539dd53e9593cf0960e85ab42b45d396f4cde059091c744e7f55c
SHA512 49213a2676e756db803f4e885209196093209a14ae0992ef2ec59950c8cdf722c00ecfe5529200cedf547ac4d5fe02b51ad58a5197b7d3e69ee99def7cc2ede9

C:\Users\Admin\AppData\Local\Temp\mEAG.exe

MD5 3bca39a8f1170b65a2a5ab39095f0c9e
SHA1 0c5864ef34bb9e53d0a4cccb023a840686df3fcf
SHA256 3530e1b5411eaa1ecd69c71ee2fb78aa152ea7ac6e715497dd5e4b8095f58467
SHA512 bb5d23af5bae552b9288e6e641162eae595805596e1d82740a82a550b6bb1c69cc7816d300cc7ec40951e00baf7ea9a2a39d8ac82825e4574bf6a95fa6245505

C:\Users\Admin\AppData\Local\Temp\IEAW.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\wYIO.exe

MD5 59950e0cb73e5888420bc844a4e961b1
SHA1 535800f553a9981f78e0232aac2782b8edf2f754
SHA256 b32028e3bb43fdf7a0a72a52ff40b94d7f3a3afb98b234d8a8d55f6574cfd0df
SHA512 c56a962f07370c3ed9a151ddfb238144314a180c54c8277c5ea98546f74b61da123937a47d3ecb426151f9424c866551c4695a62096338b6e835a3329b98b2bc

C:\Users\Admin\AppData\Local\Temp\IQks.exe

MD5 79cd85a446f3cdeb22eee5adeece916e
SHA1 3a98d7e6583afa22c701e09fe2bc857f05f01e4d
SHA256 b4be1338c4499c51fca6ad15225eb9e0a1302264992d2f18dad60ca40feab6a1
SHA512 b71007e64756e2261f484f81d7f146fcd3ce0b66239f6a959ebe30938e1c7ddca313412ebb001402870fa2dfab15eb84d9922496039ae23970e117e406b191a3

C:\Users\Admin\AppData\Local\Temp\mwMa.ico

MD5 68eff758b02205fd81fa05edd176d441
SHA1 f17593c1cdd859301cea25274ebf8e97adf310e2
SHA256 37f472ca606725b24912ab009c20ce5e4d7521fca58c6353a80f4f816ffa17d5
SHA512 d2cbf62540845614cdc2168b9c11637e8ab6eb77e969f8f48735467668af77bc113b8ac08a06d6772081dde342358f7879429f3acc6984554a9b1341f596e03a

C:\Users\Admin\AppData\Local\Temp\yQUg.exe

MD5 d1e91620a7a3dd5ad4995af5c03bd823
SHA1 b34183b9f6811d37ab3e7871cdb9f39c99c4b571
SHA256 aae6679efb0fb2a551609cd164006c0c98d071177c8eda62766bcb9f01257249
SHA512 8de2a761fda83cd6418b488086e591bf7b92e51f8a5a43a3c5dfde9eeaac03ff1a91efdbe0ce7906ec666e6d679b9be5e682771818d0b9b8208d50627949cc39

C:\Users\Admin\AppData\Local\Temp\kUoEIUwI.bat

MD5 51af4da61ddf4732d093a0a7ce3445b8
SHA1 5e2d06f76a5398724576e7cc79d471c4e8d1361f
SHA256 857c5651f9934240b3384d81b265ef13c8272410185a1a919b825ad49dad645e
SHA512 e8b72134225ff61d042454823fccaec779543215367ac1b3ce7fa09c8d6c7ec6b24e14b56a8a888ebc7e694e1e232b9bc0591790033c79e021de8880a78ce94c

C:\Users\Admin\AppData\Local\Temp\MEsa.exe

MD5 dc2e6d9ace18700d368651a9b676f6ed
SHA1 a7313761636809136cc872c0dbf2febf7044e797
SHA256 7779a9115cdcdcdb2be45ad858e6687d676354166a9631e3814a744a4bc86528
SHA512 35c4ef6f41ab6d61dd27d2c884976f37fb7562d7bc4202d41737bc10317b75b44dc7a49f0e2cf9edbdd4ad98f36684d1814b9e93e4f73c028f4d2782d2e31fff

C:\Users\Admin\AppData\Local\Temp\MEAO.exe

MD5 27c907f6f2b6441f6b9730ee1448bee6
SHA1 f5fcd4a44e38ad362c89927ed16e03981a525de9
SHA256 04c17d4f3457d690c4f7c40600b66c24529b3cb93b48d7697089ae5d34e7196b
SHA512 ee93ea3b2d350a030510487925e68347b51e2df84b192cb05698edca3bc5cb40ced1e2a69df3247711894dd225c1cae752811dd522d08b030ac5fc6b1c12bcbf

C:\Users\Admin\AppData\Local\Temp\UAoI.exe

MD5 71c52dd282a8d57e905edb48a8877c03
SHA1 3aca10a7df659b396a76b1d7a1ce4f27285cc969
SHA256 83efa7f01d606660f1cb673dc89ee2c4fd327893ad938e02a89f9b0ffb58b4d9
SHA512 fd53654b260d6b5e01c409f7f9eb2cf75dd008ba530056cbc334bb6eb244113b66c0027c67d31c331dcf6f01c60631749613aa601ec0fc1a860a9d6bc1414a27

C:\Users\Admin\Pictures\UnblockStop.png.exe

MD5 004d41e3b167e632a061b77dab45531f
SHA1 94d8a3f8e3aa569f19011ce6d746d12182271bfc
SHA256 c7e8a9fdc0595d4eeb1624991adcb44e2537527d3a294f4461654b151269fade
SHA512 7ea933671c6db993ca7a93d78a8a52dfcf91fb98283b0e39a9c60f61f60be1c0da18207dbd6180c8b72a6ad14028b1a51e8b2046c84af18f0a2d24e7c67b0024

C:\Users\Admin\AppData\Local\Temp\hWEIEwsk.bat

MD5 99ea132e3a16f907184de577be51cdd9
SHA1 91c1961d27140f23538cb15166f66a3f094f1fea
SHA256 4da7da5f6889c01a885c459f6b238c55dfd366e54509bd259e9f3e5e482195dd
SHA512 aa1dc7bec0874c4fb03a894b3e1b83b752dde3ebe29c601879b913e07ef0ba8ce8480f1a0c81923cb9f2b8ff7ab9d414867b4c1f234f3ce8877e54876e732dec

C:\Users\Admin\AppData\Local\Temp\ekQY.exe

MD5 16fd7d4c6d7d69cb501cf9dd8ee80aba
SHA1 4a0b3808b306d836ae97f350270b3b008a78d5c4
SHA256 64577987a84e2a5c944d75a067f288cca26eb7b6b6e6f18c9f37a9f13bedf6f7
SHA512 2168bd07c5776a6b171d9cea73a850563ea7ba9819022747acf0b18b9c71e8dfe12ef058e8c7691c36226187f37ad42340e4593dfd054f6ca1f2600acc466daa

C:\Users\Admin\AppData\Local\Temp\EMgy.exe

MD5 2faf8fa77623ee222c493f58b22cb72f
SHA1 5e51fb82b362c47a3f6e5676936b910ad562c936
SHA256 4d8cd5f70c13918eb94d0b2e834fa9a5979e9a15a71977d2ba357ce3618b5e71
SHA512 347f1d0ebefb05abaa144cc0033dfab1c9ccf35fdc7ea67decd05f36e407e83913912367881a7f1cdc3838f5f15efda1542907fa81d013cf659dc5e02b18298f

C:\Users\Admin\AppData\Local\Temp\sogW.exe

MD5 5a3ce40392a7fe5aa37e3214802614bc
SHA1 11b21bcf3b5e81f935849fb5b8fc0e2ccd5d96d6
SHA256 6a96d8fdf70053b651b2255834e7765ee8020f6760a6cc01dc792b3db973bdba
SHA512 e7c7e746c4c20c730d1025180df86bd0c0912facb5cd17213aa0c594fa981551e4d6da5c2998e88d4d5d65cc2e0eaa6e59d85fc631f5a256ba75df07596758b9

C:\Users\Admin\AppData\Local\Temp\XqscIoIs.bat

MD5 35d5879598c037c464f2b959cc24ba06
SHA1 bfe23ee5194ec4c97d95976e011081a95802fbd7
SHA256 35001698439c23fbb98524cb02c746123008ca7e74f1d8dacac75087fc2ea84d
SHA512 72fe1626244d4c247dfa522ae24a667d4f38513df6e9670104ba9854d44696cdd7a7da540c9a1e24fc87e0cb9ef9140ef5abbe165a8acbfbaec1aa4a456a4b9b

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 9ea0b55cd6c0fb34b333c9cac31288c2
SHA1 237a7cc1197a5720cfeee0da1ea99eb3d4c7f5d3
SHA256 61525ee2a3aef176b8360525cb70fb572d58206f8ff602ad7a57b6ea7e462abb
SHA512 8e79be0c8aa9dc094cd0e34f7680291c02bc9eaec14b79ba71e4254938a9e0380dd72629471ec5015b794f436f6284379cba90eeb4332e6c27cfcfff1152cb97

C:\Users\Admin\AppData\Local\Temp\SUsK.exe

MD5 1f37580eb96421d4f3718b9374205c97
SHA1 488a081e7f85ab7f101a2daad0ae42237e1b2285
SHA256 e16745980862c814ee1334b931bd5d45a8d09f49fbb1a274cc90795c164dab3d
SHA512 90e24c177d1de67f0ace78d4ed61703f65231574399f108db59ed51557db3f5c5f5ca4a78ccf283ba395fb311214ef851cbf98dc60f212039ed0fa46a3762d26

C:\Users\Admin\AppData\Local\Temp\dagoYEMc.bat

MD5 f7e5b2a36620ce9382a72c998af755f5
SHA1 eccbad6466bd9ceb463e9c5ee73df4f96712eef7
SHA256 c1b4ed05397df5eebb4ea2e233ce45ce62e56b34d4b37d81f53059291ff741c2
SHA512 86b29764ff87625027744ba1319aa5fbad280ae32bce897e1f2006a0ab4c3e795169eb1b6263282b48b40acf28e6a0d5b0ad9aba8c822859032d9554e14e0f6b

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 477f7b4e0d4bf458fa8c87729946bbf1
SHA1 cb1a93b3a32f73de668b926487152ccbfbee6b92
SHA256 90276ff95175b74b41cedec0f824c5ac44b075f7c282505786f3127d9ae75222
SHA512 59dce0a87751b7972060080f0631cdce5ac10394c0dc3cbcd465d747eb3dfaa94b8f6f71f3eaa4476c19e317ce826eadbc351917396b87c759bf00a4c2d7ceb8

C:\Users\Admin\AppData\Local\Temp\EYAE.exe

MD5 aa46a56c96566fc27ad04588ffe8a361
SHA1 39c85f354974b5e6928460117959e1eab0da14a9
SHA256 4cb173b7ba54769e36f72225e2d6894e367ee8bb0b2fb9ef612b0ec10e15f42c
SHA512 e868bcc1ab50718fd2dcd002b9b5f5febcc0ccd694e66ceb3c3f1c7bd72acdfddf26028a1b7fc524e30957bd071f0f2746ebec20a97e05bee871db8b7fd9f575

C:\Users\Admin\AppData\Local\Temp\DYUUYEAw.bat

MD5 483ea3164213938152e28aca20760790
SHA1 b3bbf11688243e6c1ea751c6bd948174ce52c3e1
SHA256 00920e7ffa1c82c27e2dad620bd14c2069552c66db3d84371ac3f1c0b8be0687
SHA512 05e78303461ac5eaf6ebf608072075f239028ddd137627f4ea21eb7db8c7eccee18944586dc436d54a78926b37fc4e4d3df57581793e0e6893b795e8aba3c214

C:\Users\Admin\AppData\Local\Temp\cAoC.exe

MD5 82dffa8489e0a0aa3ec48911a425da61
SHA1 477ebec1d01a97aa77bc45d1c60dba468dda0c5c
SHA256 68d274bfb6e011cc47a1d86bbfa4e09c0694f03412d06f80758edf5eb0f83d30
SHA512 8ba7dec463f9a97ca9bc5b2471ef63c4f26f770378a22ff67f5974c4fbbc2f8c36f74a7f0da0299736f22afecebffb6e99860e97959c37f8c8f3c7efe4a0f0e0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 f7ef500f1057f6707ec1c480cbdccc27
SHA1 9b27082bbcf426f1ca6c0f7930dab3e7a343ba87
SHA256 191f67cd2848eed3d5505ad057567123c85effb265d9590c5a9b0ab43ec98c9d
SHA512 8e10351c63d2ad9879e1be05730bafe1269db0dc1a5050aa11d033cbca821e34ef91b0713674a64cd13f2b4a9b573a0034ea548f2f032059bafe9a3ad371d29f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 790f211d2d5b19a9b7aace2db8ff6574
SHA1 8baa4a32f86d19ca05913aa5d301eed662b4caea
SHA256 b2887d4486f7249e0957cab3e9c1ce25725889eb8498a03612f8ed2ecdc968fe
SHA512 ecd5f74577138cd7986d9cd5035ddf8c4a7eef1237871a26585778f92e053e57acecc9e03a1993567d87abe01970f4e1cec26dec63db81caf5d56b055f87b784

C:\Users\Admin\AppData\Local\Temp\hmAUcoQg.bat

MD5 e2e560b4d56b12086c79a2df4ced782e
SHA1 c4ff3ad0b6e3560db94f2e6a743f97434d409910
SHA256 6781f2d6534cebed88991381c4c7e12b46f6474a1b3e8f4ffe500fce33646008
SHA512 cf0003fb6a93565d98b8f5503029366e7c9ed6b86c38b6453894b90c5aa445d0f8a30e9139e6106bed43787b38d08d3041ae6daf71e54edd4f2b20479a1be299

C:\Users\Admin\AppData\Local\Temp\QEEI.exe

MD5 6cc4ccea002c3ccb24d1e2586f261637
SHA1 7af974d09abd69aa3a25dbd9ad8f7f1623c8b441
SHA256 ef5eb07cb104b47e8a646ff377244267a499cd825df2fa676f76b18eeb081e0a
SHA512 5304f4e308e8d27ba9a83b4f47c13b36a0219cb8bd68a0e1593bb9f48899e052cc0de51baf9f32668fd439f857ef441a3b273d02d022197a1591de2ad5d6ce78

C:\Users\Admin\AppData\Local\Temp\sEYC.exe

MD5 7ed8d39ec179d8976f53d4548918913d
SHA1 afcc661ee9c1e7d35ebd034c15fa25ab8f48713d
SHA256 8bb4291f6730d7e2bd43c906572c7650abfaba8d14df820f757a29c12651900c
SHA512 f30811aecf270879061b476b128e1e5f6d9a395af12d320810c97f20d572e684e51169675c885ea4712a4cf05ec666df57f8bdf3a7924c8e3176e1ec8a314aa4

C:\Users\Admin\AppData\Local\Temp\QIsq.exe

MD5 597018507a71abbf4634afd4c6691212
SHA1 587776d416e57ff7017452c0d86c09ebefa9bd01
SHA256 88fd180c7d3c9fb0b492f42ccbcc75ef5b5a7e39914201cfa92f1b095512cb71
SHA512 b0bb2577943f3315bb23d5f7c7c83b8b4d7ca3c0721ed52cd9d5ef702d86907084a41395f9a8eeb30187db31679cbc5d6ec9bf3f46fb048343f94ed0d187d319

C:\Users\Admin\AppData\Local\Temp\iGwgYAYs.bat

MD5 d4e99041d81f5dacc52adb86665699c0
SHA1 cb943d75b9f1e08f1663785178b6551e6e07fed2
SHA256 1f192407d226037ae21357475f8eeac30464cef95018505bb4574861d80749fe
SHA512 2a8ac0f44a3a563bfa6f9bd0dd0a479afa262db6e44f196b1cbc77066f1bc5e543b2f57220f4070d00dcc7f83fd396c9d94425b453e42ca51ef93073aadbef49

C:\Users\Admin\AppData\Local\Temp\WUok.exe

MD5 a2f23621a721dab38010a676a045a4b3
SHA1 96430e295f5786df3ae02f6261fb067c959b56c1
SHA256 e7d1e0cf61fb52e9f0f1f78b7f9a6df2f1c6b8198469b38afb8086df8143ea60
SHA512 1276d49f9b514468c6efd419775cb01ed722665b18ffed10903f3c96a7508514f9d99771787899682db91aee6a1d56ea5db5b77ddfec3edce02a58638e701a16

C:\Users\Admin\AppData\Local\Temp\mckC.exe

MD5 7241b5b2e41b9a102cc9d21a3d92b7ba
SHA1 907b83fcb758e12c87a26ced975a793778570966
SHA256 700d3ba0cf6d8121648014cde059b17987d8427f94ba5ca8d862227e4462d993
SHA512 b3416693d8511734e043ad87aa90305e50eb14e2e41031dc4bc8897657524d6ecbaf2de0d9dc21859fd2a5cae4efc43b88fe1498baa7ba3893defae90a1388fa

C:\Users\Admin\AppData\Local\Temp\GwQo.exe

MD5 146dffec13b81422959799ec51969348
SHA1 26d9662f6e196f4417e825e9461830bdc17c6d2d
SHA256 61f100671f4e833e0eb4f4826443f10d9f4a10d428a620d704784bde48e934a0
SHA512 85c0aa8e099a893e24ad494d2d8e936a46df96ab0309c02d8a980cac182dde40d70da88799deee2dc476d33a8644da3a7823c42eff7e97870193371c33406ee0

C:\Users\Admin\AppData\Local\Temp\iEIkMMYE.bat

MD5 a5dfae12c595806055e4cfe27e4697c8
SHA1 fd042a9e9781e68d890f7e4a38d762a67878c354
SHA256 105857555b002e1ed98758b6a192fc605c1f207e341fb4398fc54b5bfb4a3910
SHA512 819e3913bd88ffcc65779fb67c7be55ed85cd75b3badfb1b7e962b7d7143c994d521484cf5972bb0e07a8c02bd8112132152dc010e7fb70e441d08c8a704d96a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 eca82887531c923a6a4a357bb3993ee9
SHA1 ed84a0deef584469ed0fb9563c07366c4b3a5461
SHA256 5f19253daba807960b3b1610ad9938f3e2f2798a614c50783bd916127409e2e2
SHA512 6ae7a6463439fc11a561b00bad09b7ac5fc5f40581951cdef9454040202144594ec3b1f69072eb3f1645da3e8348d444a5e0582f58bee85b40c3758b5e8855db

C:\Users\Admin\AppData\Local\Temp\aQIU.exe

MD5 64ffe6341b07dcba35fc8a4857ee6033
SHA1 a12e349344dedc332d61e21d87a9107b37aef3ec
SHA256 fadc3d1ce5dd32e0a3f0e6c267d785c86c43933cc3b6b1376b98bcd1be230fc2
SHA512 4e8162b8ff81acc022ffc2897c99e8fed5b3e4eb603f98f1288ee16738d3a767fcb1731862797f18101ab536d77747f0d828018c3af1d5fa8e27affcbb3092b6

C:\Users\Admin\AppData\Local\Temp\mYYw.exe

MD5 d5079beee28e93a36c3a99aa85e31127
SHA1 61077c0104a2ea7b1ea03835bf8d39e415836a2b
SHA256 536dcad252092811e576c3d8ed6327507c4daad9c06111916f3660601595eda7
SHA512 ddda40ecdfb32822e841ffef699b490dc94bb3376db8cb8e8ea8f14b99f56619dbd26df57aecb57e7ae6bdba7ea2750c72e659b1c072bb2b13d4697916f9992c

C:\Users\Admin\AppData\Local\Temp\msAm.exe

MD5 fb5ac2fa11b48b4e02d9652afb8b4a2f
SHA1 892b98094dd27706164a17514982d3e860ffd809
SHA256 5626ecf57d58ad997f4793bc416e32b4c30b337bae9e07f130b01751ceec0ba6
SHA512 9400da1815ab33b47f8bd3a91a796d608dcff929f46940bc73683dfd2c84d64ea66b2e8fe8e2fccfd731a9556e4b376753435416a0ef4788f473962bd242006f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 29f3e17545c12babbbdc744e7dea06cb
SHA1 c2130d17fabafd7ec248ab5ae8207db982c8a84c
SHA256 92aacfe72bed3a0db76b615c2070b10e9efc7860ab22b972c75124988ef376d2
SHA512 6b054c94c8416b9c6ed5d0721cd07a3cd69f32ac18cfcd82448ce7c11d56a90475875d69a1bc7fa6d9d2a5c7a0cf85501abaf169641a5bbbe355a20350e2f84b

C:\Users\Admin\AppData\Local\Temp\UmkksIUc.bat

MD5 b336ef5318c85f405ae5582d404c5f92
SHA1 d0d4efd919203a1ecffaa3140263793e06773fb4
SHA256 3cec1a9349ae525d274c33d3a3c87751b4ac2627020722ef5a76adfdf044cf75
SHA512 0ecaa22d89f7192bc7a3da8eef02ffb4960ea403075a7d1c8633ee67522f5a37368877d4f6edac55cd3f62196008d40c1e86febb038aa2488432369af5831bef

C:\Users\Admin\AppData\Local\Temp\CsEu.exe

MD5 7843a55f7216858e01997185f02763eb
SHA1 899d5435a8eda296f0ba7c35ccb736c958dbdff5
SHA256 0c9634aa094b23e631ed8665d2d840b9bc0c24da72a8c8650af95576c0ec6655
SHA512 85a3a231dcd4a9d47e86e0b167537e4eaff3709fd5dc8e02a59e5a6d305970c870024e5d1237b76eedd5c560d2edbdec103670744807ee165533a4ce9e734693

C:\Users\Admin\AppData\Local\Temp\KkgM.exe

MD5 3aa5e405c6623261edb61575c0a83172
SHA1 1b21a02537d16c575c72e03cce8cf76d535835f6
SHA256 5662232e2855120369b7de58863db13633a200f87cbba49bd4dab1b5720c0c1b
SHA512 695b56e100b7fdefd5d01bcc5ca6f1e28eda7edfc0be7f05f30059030278eff995f8dfaa1d146919841a184e4cc7bb4516525d4b84b5c70c7ce554c7942703d5

C:\Users\Admin\AppData\Local\Temp\OkEY.exe

MD5 e901cbb33e7103e2ed0ca73e26c260e5
SHA1 1dc355e8d4d44f4c59884e3a9cf02ac08a164c5d
SHA256 b44963727ecc8b810a04ae7e2633147e06175f78f41a9d54b3e119f8000bc78a
SHA512 a077278a4569c1d42c773b52edb047d0db1e120c7ef690de75ec935c105343b9d085f7e8efb04358ca6bf534867118e843520fc1dc5805358dbd145fe3d9a238

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 7261ce72bf59094529d57bdacb4c7259
SHA1 db6ccef84a2f9206d34d57e3efe6abed276719a6
SHA256 899e98a811bdb50d24e40a4f81a958e4999200fce4cd788721b0dfbba61b6a45
SHA512 781c8eb7a984b0f0df050a2b9bcf422b8762e53210a9202a1233e555b61e645fcc89bf0dfbffe94ba4ffd4f95c12d53d22d7c58ff1ead2fa6fe1f359c0d150ff

C:\Users\Admin\AppData\Local\Temp\cKEocIkk.bat

MD5 d60c4bb1d433fa5d8c9e64adde5b48a8
SHA1 d3a4609efe083b780d0c638701c58987a57577ec
SHA256 7c36755c431b71134ffc6e48bda7bb67780614c8cf7b0372e762d59811256bab
SHA512 0e231b2ef20a6067f70861d1e58fd7aaf4a75c3ef1c4fd28e6c1a2de33cb66d6e5c27fe372235292c1547d0358c5474c36571acadeef02778cb3d27664034cc5

C:\Users\Admin\AppData\Local\Temp\EIAI.exe

MD5 8a567810e64e4e8fcb34e858187957c8
SHA1 37bb84ee0231e97648028e1b423e289c9b1db824
SHA256 b2e3474c505607ea271564cd03fc9497fd23cb1359fda41890b6cb5d2eca210c
SHA512 cee2e09a4eb348937aceea20d34128f7bc390c10668a0e85ccc5940564ba33c7130fa01b1f95f4352c879b597734c15078ca1612ec8dd56f751eb323ab21c2fa

C:\Users\Admin\AppData\Local\Temp\usgu.exe

MD5 e5f317123a6f2d622afa07ef6a773c06
SHA1 31eff5eba1cb6f685ef3f214b72d10b4e2f20f9c
SHA256 954cc5d25bb5704af7e627bbbcf0564a0fc0f3a4a45d1a31afa0f36923d49772
SHA512 99ba899460ceee37546fa1a804772d32cb78f6b12edc55ab75cbbe2a73f25edc6df47b83d43169f8b998abf17b0fa2a2efab9f2950372c905cdc2b7b267f5feb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 251e6adb87c3e85dcf64407cb66916a3
SHA1 3635ce73943885ff7047c84c78b92b5908ad38b8
SHA256 29bb92b9636c64cc486651e4dd501e83931ac95ea152111e5c8c7305fc63ccbd
SHA512 7942891f5530e68f0daad88409a671c736835388de59ba8ec3ec41b802b47d774a656b3fc1dddc4e7becabfad2eba2f6ae06ac08f2d8e16589e90fcebc38d9ab

C:\Users\Admin\AppData\Local\Temp\nIYAIYgs.bat

MD5 46cc4a585a095e9224a51b7ded5c047b
SHA1 10f5b690c41ec1f79ab88c95b8476be5fe9bde9c
SHA256 473166fa9c5b160a33f7ed89b57b76a4b00d6f08c52f838eb6707152e16558bf
SHA512 a94846d100bdac5af3f2434d93f603344ec5dd3eacda7e5507bfda2c54b79067df10a6b29ac2cbad24074773d1451fbac1341fd7ca346700fc292ca7e6ac4b5e

C:\Users\Admin\AppData\Local\Temp\KQwm.exe

MD5 b03be78740abcd37cc033b81f490af7c
SHA1 5572aed1163e0e12788ba00235f563345ca8ad03
SHA256 14d4086feb65999d35c079de4265d4a4eb9e81c9fedf38c201def0b1788a840d
SHA512 e79206fd982b0c6b713687d08e5af9b210c64154b19daae3a9f3e28711c6c1e4f21836153dd9c7f334287b18b822127a27e0862354825c6113d02180965fc20f

C:\Users\Admin\AppData\Local\Temp\sgEG.exe

MD5 5aed707cc06081caddd6735d588e43d7
SHA1 175a3200414d98734154a0b2a5986b302f70ebb9
SHA256 d7afb5a45c8ab9829d46dab473bdbd575973dbf439521da047793fad34516e33
SHA512 0a767089000aa90fb2122552f5098b6b6bb94c145ff05c7bc86da8d9d4a4e930985d9a1cd2cfd233ab29459514dc004ca13c9d3586160bac6bb54ecfbec2f308

C:\Users\Admin\AppData\Local\Temp\JqUEgAgU.bat

MD5 cd83eea1cdea44b6e925566df56203b4
SHA1 37bfec6ddc5a8d5a95c2a3181403e79d6469a02e
SHA256 5b002886fe2fa9c8ee0616b4dd32ab47e4eb08e1a0d916522af419377e0bf1de
SHA512 6df71d3009063b460528b0cb12e8e1a4c6ad398b99b6192bfee5b9430aeabbdf5b928623e737a3930736c445b3ca3b3b327ea1ce6680c52cc3fb0bfc9f73e846

C:\Users\Admin\AppData\Local\Temp\oocE.exe

MD5 daac6316c2bdf107734d7f39282a07eb
SHA1 31c39f7ce7ab52f653efd9051f791737ddf6a1bc
SHA256 00110634add484063d37e3e42da91af34b3e84fdf938731faf5199afba652be6
SHA512 679a1bd31bbf3a61cde18abfba42c0780b599a8e6795027d57fea7eff401ad9e1f1832f8aa0ceacd327ce3d7f7b742d3ac863ac5d90428077563d237c2c398b2

C:\Users\Admin\AppData\Local\Temp\cgYy.exe

MD5 1d790783869f38658e2f9c163443e36f
SHA1 7a796a2957b421c8503104cef32f5e21207a14eb
SHA256 fbaa08b0ddded7fb7bf46a2ec40053ae64e5e18913f344b38d47fb54f541d34b
SHA512 ea61001b811ff9857e35df3f79a02e098de81a04882f3bdb41675fae7249a87c5f651e89f1c9d5179fb59359b56cfcfeab688c72d747d54459898fa32e18ae3b

C:\Users\Admin\AppData\Local\Temp\yIYq.exe

MD5 e30d4d4b42c8fd7fae944584cf441af7
SHA1 ffa0a8b556668bfb82b490250f1432d68199206b
SHA256 3d6898275e3790b2cb7838c6216560b17b90f1dce47340514190e347efb5f748
SHA512 a99b2d76bf732e69ffc1c6164c1876ba03b159d91cd70c8080ed8bc8be95a692fec5528d649eda8a1edcecfc12c2018f9c37d685d2990dc19bbb6af169d7bc0e

C:\Users\Admin\AppData\Local\Temp\bqUIIEco.bat

MD5 6b2ee0d4f1b48fe0b160f456ec8c33b7
SHA1 5719e390649d06ee94f8809d8a299a77c1e4d6f4
SHA256 8f2378dcfa2b6b09ea787fa4a7eb907b13a8c7fa2106524888d9e5628f9d7c55
SHA512 a6299d6ab5f283cba2f6924ad934382b8704931fb2b44bc17f7a6fc995ad2d79f91c98ed882d4560eb4b2c70845bac38023ba6c7b0fbefc6c76c047b4106b8fe

C:\Users\Admin\AppData\Local\Temp\UgcW.exe

MD5 a27a2e6bd5ef1eb5c66aeb3d56a6a1ad
SHA1 0a99882cb2eecfac55091315bfac6e193609eda6
SHA256 2b657e0e668ad350deeb7ce7a11e942275ad224713a15f27af4979b6754b32d5
SHA512 e7449ac567b24f1d82116e8d4afeb02a46d9057fb0b8b00525d8f76b709cde85cb4fd00224f3932dded3ae5890cc45b60bba56a558ffa4d6653fdc92270ba543

C:\Users\Admin\AppData\Local\Temp\yYUk.exe

MD5 408506b97fcb4482e45b2d95b299af28
SHA1 aa155dd5a59c361c760dbd9fcd7aa0d99ef819af
SHA256 e08e0cf5f1dfe0dee292cac3dfe5e6cb3bf80211ebe7723ba6825a5b3ff36afd
SHA512 90c006587fbf61b4a0a251e2d54506717391b9148560dca85ce503fa65b68de8b1c07d5f08c709c0a4789f1b9df73e1d3aae1ab79e78f43526da95af1a1aa991

C:\Users\Admin\AppData\Local\Temp\rYEwEgQo.bat

MD5 ee17ad11007dc4e8082e8f706f9a8d1a
SHA1 9ecdcd1ec2ebdb1a2e2e489e503f46ba6e74e8f0
SHA256 599bd0c5f53d1c451ec2984614eaac55ba954cc50ca55567760b2017e2907655
SHA512 0fbc8ece131be7658e9d87d4e7605b1fd2f5b5eade711fcaa1c525b178ee5a5362facf78ec0467e00b8146badd2fe7a50887c565458973433c72a45c694b38d2

C:\Users\Admin\AppData\Local\Temp\gYIi.exe

MD5 207a3ece05d9773974a6afb2c3a87f74
SHA1 fdf2e8337878e7a253c0bbc08d0beb08f2c3c948
SHA256 a27ffc8476be0b2c81307dac5dd1ace396da058ddee20e3b26761b094f3f1784
SHA512 76a5a3980319d6ecfdbc5f519261d8a01b147afb22039bab89daf3d41ef4a0bad01cf69d28abc9ccd8c9b84737e3c20884d420d4014237d27ffd42a7352e4415

C:\Users\Admin\AppData\Local\Temp\akIa.exe

MD5 5c1a9a512c62caadd4295ae51f63b132
SHA1 bb11902dab68e473410360038258d14ba46205d3
SHA256 6e60aacab8c8a169c5b15b68ec9b913ade6026eed5eaed68888a43b92c5f22ab
SHA512 2f170f28856a3b1b85a968a725afe455ffba7acf4019b8c9b9d94575491f5c4a0dfc0e5ee2faf71f74510b81e1e6f2c3a2e11245eaa0bb4a4045766e93a807da

C:\Users\Admin\AppData\Local\Temp\SMkW.exe

MD5 014210e6b2dcb0fd195eb781a94cc771
SHA1 461d004af926efe12350d5d726064688a20de92b
SHA256 ce91847025619a44706d335f0d5632deac1431d039cbe190b800f98da6fd7d1b
SHA512 98358200b2929f132470d02e657b17eea7e3543d81a7e8a42c44cef3a0b7681ca1599b8ea4c0e8f9a6db110d95b677ce265c36679d44effb6c82e30c05c00777

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 19405cb603d78cd3fc0e962f3df00f61
SHA1 7a159213622ab186636506f0fb276137b0b9b514
SHA256 2f2d63cf951da663c7b83ac6e096e803837dfaf6f73ff83c723ec7be15b8011d
SHA512 2d871337a15fcb0c7d6ee8526df5bfb7825523a2aaf5f27df4a40278684b9cfdf500b93328def10713bcb5a6227203d493af4cdbaf0fb4168d0e064cf941f227

C:\Users\Admin\AppData\Local\Temp\CUwwksEQ.bat

MD5 705c2411d108398b5f4a6e5073e2e890
SHA1 5597a4323f25947420acd4420e4df035eda78e06
SHA256 cdae21c2505009fa82f450c41f9e607d0626a5d60a852df7ac8c77213830b6f3
SHA512 5db5712ddef16692de0f9d87f4f0141e991f45d16b6baf1f035ee28b80c5568ca0899ef4c18d3d20bdfc88722f09401452261df0ac2862fa6d5dd7208e3d87ea

C:\Users\Admin\AppData\Local\Temp\eAwG.exe

MD5 f79799e3006db2297e0e74bdcec00381
SHA1 1751afdb87db4c4475f3abab68e40de53346a37e
SHA256 7cd6b05b03adca3d46524b372e604756a8662a47d2ccb26f6a4fc112de0b7ff0
SHA512 cb70d00725e155e991d52f8b59dcb427af00754665b3b5c6b77af16e6f0876a92d5c2d5624153ff88fb39426ed28b332ac37af670065e042b3f25f794d48ce2f

C:\Users\Admin\AppData\Local\Temp\KMEi.exe

MD5 d7354a0e39b664428fbbf6cd3b3d6d16
SHA1 576c0e05a04c17edd54042b3e031e54e2f2f7aa5
SHA256 7cdb2dc7a7fc2d9cedc4729ea540e705deffbebbb86113b13afe84633a9fac06
SHA512 b7e344c3b8b4ea53331b6a90e6bb19304dd1b6435347e33db4a52da0b13f8bbf1f89df3aa3546710fb186139c64b28e62e958df76238f7d1d7631b0f43409928

C:\Users\Admin\AppData\Local\Temp\kcAIkkIc.bat

MD5 a9bc9d39944ad2b41bf39c02f1f8f837
SHA1 b159b88e83de4ee85ea905e32ca7fb4e4ed3398a
SHA256 775e3a8de011849d91176cf92468e3def1ff91dd78f4dbcaedf951209d69b747
SHA512 e66312a2205bc9376081919e1e85d1811c0a5c50fef4f1aa128a8759a446a801fde4fb6330fcdae0c6f061f33e746abf2714115ce2361cc0c0866577da81916a

C:\Users\Admin\AppData\Local\Temp\yoMkYssA.bat

MD5 3efb8bbec7bb18bbd35c2c3f67d7204b
SHA1 b1fa135e78abcbbd0be94683cdb099d61d4dc7b0
SHA256 7380f417a945ff3d56596f921de9e4d112511680308e2fc92c74de41431ef614
SHA512 dc72da8222f4c41b8932c32882acda206a26a5f81aca38bb3a79ed2941111c62b4362a855cd8c07fba70c14b04fc8b29601b29e19193e1c85fb547c8c8a45cf4

C:\Users\Admin\AppData\Local\Temp\mAge.exe

MD5 20e0402481aeb1ece8fe51119325970a
SHA1 9a2747ecf86ea3e4f44ca9f0a0182501cdc0b6be
SHA256 f86ebefccb0f748f0f1b1d9a8df100f96fdb179e0fdfcbca597b26cf55c22a7d
SHA512 1fa38f46ffe1d0b2d7a5e7c4acb834d02c01df2ae505005c1e91af1768203a7e98d3af17627c7b5bf9e8d32ab63a2c6c5e2788ba7818c6dd8449e7781e0c8e97

C:\Users\Admin\AppData\Local\Temp\MMMe.exe

MD5 e952fe4f2f30d418255e44e2676403be
SHA1 1950fcfdb00d8c8a00c7b25275906ece064cba4d
SHA256 6770c432a3ae578d2e44faa55b0cc23120b0a531a5aee221f39eb55cd76fcc1d
SHA512 d8b23834e30dec8ed091791da040d59c68d05e16bd3486135113047020aaf1517f587730c778a451669095a0d5913721cf39c3c02adfa36c729f43e5215b611d

C:\Users\Admin\AppData\Local\Temp\osgm.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

MD5 e6040392ef6bf4e2dcbcc984dbe03ca5
SHA1 180e6444b7f78100d1f97eacc651298082c53e21
SHA256 c436669adafde15ddff43ed276eea3f7f4bbfde04a5a9981a8c3452882728103
SHA512 f662b95b3e7ba989b3aa98788361acc0c87bbd13c17da585c57c4ced019cf71a35e7eb7b6dd0ae4aef5faec6d15b08c2bff300b50d59099ced427c6bd9c10d7d

C:\Users\Admin\AppData\Local\Temp\kWkIossM.bat

MD5 0e5f899f545d744715cf6f162285860c
SHA1 3806fd3c5723cef632b963503c64f18be54d819f
SHA256 18936a1d06fd29a244f3279a294b966a589c487e3a7f3283b94057175f02ecf8
SHA512 1fa03120721e11708113ebf01edc23d57dddbafcbc0d2553551de1d5cc41a1c533f34aaa829fbb06c194cb6782782ae4045b4e883cd1f0388092a330eb46726c

C:\Users\Admin\AppData\Local\Temp\qcYQ.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\yEQe.exe

MD5 a088ac15fc5d19cae644e1c66900d2c0
SHA1 b51dfb669bfdfb7c01bddaa047d073879feedfe1
SHA256 e76d1e14dd454ff50887939f561e377788c020f7405f5dccc706b906cc3ecb1f
SHA512 023530a3262eae6108275736b0ada9273002a231dd4a352e09e4c1c4adfa8b14322bffd8c7076c1282e47ae6c6133f643638374d39f3c31167b781066da4b8e0

C:\Users\Admin\AppData\Local\Temp\uUIc.exe

MD5 d7c741edfe7d02773d37437c7d5e2860
SHA1 8735b80f8bd555f6b3b5700e2297e52c9c4e4cdb
SHA256 ecba5639d54254674c65c250ba575ffbb3bbb3d72c7411f329ff283eb0e818c7
SHA512 52d8449e077204557d206f50457da36f5ce8edd3424ec45e6c864443e6d55a64b231a7b7f23cbdb422cae2d6b21a5daa56466deef701a37e3a27b1062244f11a

C:\Users\Admin\AppData\Local\Temp\Agkg.exe

MD5 e0a92ff4cc7221709c651e20d5aec3a6
SHA1 77376c2cc9a23d0b166fa6a2300808e4af3b6699
SHA256 1e40a508cafef9a5abe2ba223537e2976e8f069a762db3a9e33e3fca0dbda21d
SHA512 3c9257ed89bb68ead6288593906dce42a605d71015fcc2e7940e11ada2286fa9527f4ca037fb1935b09698c67d9e36aab7c9207445df9ef1c957d87865cfe15f

C:\Users\Admin\AppData\Local\Temp\PyQAwQQU.bat

MD5 511eae997410eb5926d4014aa78e2cdf
SHA1 eb76e79cdd47adce427a3a64ff2a485dcb113aff
SHA256 2d902f6f155e186aff8c5573a22ea8d52e7077c8e92c0bdad407b69ec7b51312
SHA512 722589e5e1eda10f8bcaa875344295cb6d773ad0a7b8d1042f0f0dcb3c5552918adc8a1824d111fcecb06d6a28dd2cdbaa2c6cf8ce7b6c55d3c1cc80ea487610

C:\Users\Admin\AppData\Local\Temp\qAEw.exe

MD5 490604cba0c16c2f1189162e1d69fe69
SHA1 6b09c911fb610257ba6a8b019d5a1967d2b0dfa2
SHA256 09d6567558a33782b7583a2ca77d3a64b7a0427769e20c51b98acb25de766aca
SHA512 d2bcbcf513f171902f03e8d330067bc220ad3924249011066a650ae091f41bec1dd974ec9e1efaac852f450a8d8a50281351c1b8e3b1977f57ce500d91406296

C:\Users\Admin\AppData\Local\Temp\YEkA.exe

MD5 68cb473b78cb5c5f725fa533a73d1bf0
SHA1 46f1dc1e9ea71a550d17cd1f66fb00a5a3b319c5
SHA256 dbb82865c81d60c50bd1573bf90061d32124f17134dee660bc9e6c37a12fa748
SHA512 93cda1331378adc24be67bd24f492b0ed6360264bbff22d2df5b6324335fdeedcf6a8e3492dce1cbf6a47a3831320eaca12a8a10c17167afb0fd531e91696b61

C:\Users\Admin\AppData\Local\Temp\QAQg.exe

MD5 2ecbd19150c3721a88dba4d0c8851dfc
SHA1 55d615fb9e538058d17bc8f864733e4ff53b7b46
SHA256 721440497fc9ad2ce760a05615e6ac3263d1bc928dd52c64304bb9813f4c51de
SHA512 8380c627e4f2be0e304fbb505336140792ca480dd287dc365d7d355ecb732f9c73d4d6c137a03ee44a78fe8ad8754389e890a93313e58c72e16003ac927b61b4

C:\Users\Admin\AppData\Local\Temp\Iocy.exe

MD5 0cc4bc07d604178baa9d1f103c06395e
SHA1 d0750f7d27b335cbc42c465c1248212153393f16
SHA256 b7c1f284a2f8cce0242d6c11e47f771ee6272ddefe330509166cd9d5e44899e3
SHA512 c9e569b2e0beb67c6439d98e8b674443f34a1fa2e74a5bc6d1be2eb43e0d50901669049fd0e50dbec2c1a1933d2d6373f0d533d50201945f3fd681d040dd613a

C:\Users\Admin\AppData\Local\Temp\SwoU.exe

MD5 2d6157ebaa5b24ee438975bfd7371b67
SHA1 88c95664ba0dab1f5ebb217d0ef1970fd5d50b17
SHA256 cc881e5dc0e9e7f3ada49a6027745d159d15e5fb1d92434aae3bbe69d1e5614a
SHA512 70383fb7c0cef01ed4bce55b33e7730780d8f1bd9d85d0bfa5d7e6c7facfc9fbc0cf8075e58907f98b0ff723fa4d64c6a7505f340a16fd3bf667c28e004d2c78

C:\Users\Admin\AppData\Local\Temp\FUksEkEY.bat

MD5 38abd3c6d1421678dda8cda14cf3af23
SHA1 8405bd8e3ffb58ea6cbcb18ec0da9ce6cb35abb6
SHA256 4891d2fd4afaf9cb32fbd4c506143efb0361b82283429da10e0d6fd7b54c35a0
SHA512 b875d2643248410650f17376de440107d85c4b5b01f7af0c463f6e9f74e33f5848c7b7e4a8a88c18d9e091abcd5dcdc53a0031e96e87435903c8f1679e90f37e

C:\Users\Admin\AppData\Local\Temp\vEIEgwMA.bat

MD5 3d03e5c4005c9e939c8dc11040e4386b
SHA1 6eac21b82b2847a6ff5681fd475fac0a2ed43652
SHA256 b7eeb27febf732b17c26526d84b34752e952d73b4a7c1e912c5efa2cb7866154
SHA512 b6c23f42777d13c88e90870bf4d499cba2b62e0fed7943445eaf2a28c9e01d82a14a10df89167629a957519c8647ab8762942273d350942a756627f224f79e0b

C:\Users\Admin\AppData\Local\Temp\JWYsokoo.bat

MD5 47c344247724648998c83e9dbe47369f
SHA1 1b336b03072b6ce45992d5e3389f4a514e6ee762
SHA256 914ab088c0218f4f0d2d391ee687c955606a701a1bf569c8320fef20cf0db4c0
SHA512 89fca8b80a7e3b4f99ff790f89f914f6f5ec3f5ff813ae59e2e5a75b5c015a094988d3f1fecad06efa1b3b3f6c59d1156b1616546cea0db496179f0fc7bd721d

C:\Users\Admin\AppData\Local\Temp\gccAUksM.bat

MD5 0998f09a89f79ce2dd2108dfd3c34831
SHA1 d956137d5399dad3152d8f9d3fce68212dadc7c8
SHA256 34070b06c82f0e8f7fa727f75476b16ea96b9aa72b71382bf80aa6a4e4da1677
SHA512 2954499772d0a0cef3d3375bd1086f097113737720223bc0f2e75f6a68e277e5f908b64b32df21da2ceb220a226cbbf0b3698f48e3355ab4a6822b33147d1da9

C:\Users\Admin\AppData\Local\Temp\aWYQMQUU.bat

MD5 cc2323b640414ef2504f81162e49554a
SHA1 275ae6a91b93eec34101a63270a6361623cb2960
SHA256 766f9c9d9e5e1788730f09e4d2801c784f5e868bd29ff99f32721a1563d1e034
SHA512 e5f3766fc003f4d54257215db531a4e05a6df14a27d4fcf425582a093c7dc77c5fe26f22eb1c25d55723b81ffd7f15f64bae260b5b4aa3939fbf168617387ee8

C:\Users\Admin\AppData\Local\Temp\MEYcoooc.bat

MD5 b7b5a2a9a62d6c491cf8f47ddb8252d0
SHA1 d50307b8125ef82b70c87b4adcedc055e9c29849
SHA256 acc899319aa590a7ae47ccac52303afd342df2eee07edd3bc7b95f3c4edaf9cd
SHA512 befdc7468f1cd82867b1887ef254c0e4c0cfa19161ab2f573ea0d4414d5706ca8d05aa4bdb956e287eaf4ed3e83508eb627b5d6f41274a35c1ab8e7f0eb57e33

C:\Users\Admin\AppData\Local\Temp\IwUskMog.bat

MD5 cfdfdd2a4221634dea4d4591e39591f8
SHA1 55b4ffa5502848474ab76951975dd355b7b74e40
SHA256 2e4e673bba67bebed4a7a16f230bf2b9658e448dc2b1993c399d0cc413b1441e
SHA512 a44bd1c83c8040b43d668fe8b2a7254a5b7974eee3cc116532fe3f1f78794c78b749b008526165b6292a72977959b10ea1061543c06016b4676e922074b3b553

C:\Users\Admin\AppData\Local\Temp\PYQoockg.bat

MD5 bfda9611ed2065945b24e8ba18af4970
SHA1 ca161e40e3f845a1702a716c0172fd0993568757
SHA256 0a1d536888be46b01ecd757aad4bb094f38b0831e43a5db2b373340de3b76812
SHA512 c54c193654bded37c4c4bf2367fb75528cd614fa01b825c8d6c935957ba6a1a195ee920b058a39c950256e6381eb52f4b3e9f718fb58da055b5ef08a178c3775

C:\Users\Admin\AppData\Local\Temp\zoIkgoUI.bat

MD5 1fd43b12a156e62d7e5395b02a056151
SHA1 b0acf37ffeecedac9651173c8f4185b4144148d6
SHA256 0547073e5578ec7eba97de9e1d621d603a2da6d967e7b42d79bf0d383a0bbafb
SHA512 e66ad66ea5174fa32d2b7914a56afdefe11de4641d7a0b5043e104abcb6327d2aff2c583e7cf3b5601502b2a180273ec5c3ef5d943a8c749e0db5f03ea347242

C:\Users\Admin\AppData\Local\Temp\HMogwscc.bat

MD5 2b43af5937074eae208e7b06ca521a9b
SHA1 1c527d55f70d7d9dc76d2dfed2a082212d818442
SHA256 411fc73090c8f63ccccb0a202ef612f28af782855e761d827e9166896b9c152a
SHA512 e6ab598e527f12b120ff984372ecd52c67e5c3af617ab2194201ecc0d75c1469dbe1483d798ffc3cefceaf3adb0e3218235bb9195d9f011695d15cdcab6ff12b

C:\Users\Admin\AppData\Local\Temp\vwoQAwYE.bat

MD5 29da63f3f0ddd1b1e6cb958dadb906bf
SHA1 6399c45eda8985a24bdc6f781b71513e12af23a0
SHA256 cf5ca43fa4545866cfd21bd3c7856fb6bb8ab4ba3e38e6a1597753c19d56b557
SHA512 de70e997da4bbf64b1ff2648fc57a43d3c89df3df14b30bf3739649feda4242e182a18aa4974d202933d72f3ce82ae944df5dda6b9b19f35406af7395bb16e37

C:\Users\Admin\AppData\Local\Temp\umEIwEgc.bat

MD5 38099de4404fda86a7e225ab4db16d61
SHA1 2f8c486b9f15e13084b2ccd60f687f81fcb0d23f
SHA256 20a1408128e55ccd83a51c33bec2db4fb89c4beb471dbbf6caa67e8d0412431c
SHA512 faf1cdab1a73eb453eb2794b837f51d409fc6817d1fcb12df98eeb403ccb8c15af0ef11de3eca4b1a114888caf76170ac159151153b0f2fc5e8a786efe6b8efe

C:\Users\Admin\AppData\Local\Temp\euwEAAcA.bat

MD5 de395ca4bac3f4d60a406786caa8ed3e
SHA1 c56aa2d32deb32f15166ca4dc6a4694e5287c405
SHA256 6f5d153d83243477fb548bea1ebe89587f515c51cd155cb4550d00e4e68f97a2
SHA512 965b29ef6feee315b2ffafd4b6b465ae034ae2b879ffa9b2a5293a8936278ac84146097e3e373221d7143283e4768c4b3661e2e8f1db56af6475c9ac4873306e

C:\Users\Admin\AppData\Local\Temp\YWAIUEso.bat

MD5 dde282b8b6f08dfd5fa59db83ccdf339
SHA1 611d900f4d7bd90b855eee6fcc86e059b8e041c2
SHA256 9ba04819c4fac0dc88b87d934792bf46628934776c388e01f91bc2a76e7746ff
SHA512 411f68e5118d95be8379406334a7dddd2ea47236294f09f7ed2a65b903b3c497ec8055203902533b142aaeede425b88739f6257d1317724d5f8dd51c3ff0ed51

C:\Users\Admin\AppData\Local\Temp\YgoUYIgo.bat

MD5 6771b7ad5a9532d54e1d242a3074546a
SHA1 da6218ec16926f6003640ba19086a4c17e318fb9
SHA256 15970a0eda6fa43b4dca66a8becc5c1949a152801666266cd616e8fdf4060216
SHA512 4422c59e0024f27de4c3e6373337206eb31299a55deaa60c24aad068f1390c405c88d7d84ebe318db9c159e9664faaaa4ab4a4db2f0958f5a3005a05c745f634

C:\Users\Admin\AppData\Local\Temp\XqQsAQcw.bat

MD5 fddb65b0b6b9a7e7cd62e58d83d277c5
SHA1 e98f2ec5d92eaa2e86607c8a5ac29238cff8741b
SHA256 8a81a88c0a79b6f030bd7340cbd9ac1cebf2b7f84143d063df3cc9fd1dc50217
SHA512 5d17af7cd2cb89ce074c764f4ec94f03277592dc2f76e90704ec47b3ecc3839dcc3366059743cd9961d78ed72e2a656aad427c5edb9b5fb22e08ad0cbc327516

C:\Users\Admin\AppData\Local\Temp\RGwIcYcg.bat

MD5 7e169205c059fe263fcc35e2cdb3f683
SHA1 7b1906cbf3f60892c159390b47af7c234a3807f9
SHA256 73a762f3ddb7db4764a7ee4665d0f69f71cb93d34df68bf01ac4eccc7ab0ab2c
SHA512 17689e607aed5e7fb0e4875786e466d40d055e7746b843d6a7576eb7a275421b8861e86e19430413a2ede1f7ecdbf4fc3ad3c56f68b73657f6c4982568b6fbd5

C:\Users\Admin\AppData\Local\Temp\pWYkEckI.bat

MD5 45744e47461f2811ea3163637a536436
SHA1 953adf13a88c92979570fe18a3f552b1e4c8c184
SHA256 0e1aebd93ccbbea4bf97d4aa2dc1a449c759b1cacdefb25313ec2eaf7232a104
SHA512 1bca7ac7ae59efaf6582ee5d7a870eb1c33d12d8dc0e6b3b0737c370e3128d4b4df4f19a9608383d3a0267f545370a268c3f0489ebea00a2fe9682f70e32e34e

C:\Users\Admin\AppData\Local\Temp\jgYcIAIg.bat

MD5 9edafb8c40c3f6d98e4f20575cc848e8
SHA1 2d834213e7204923d87d50e959bf980f5fd77dac
SHA256 2bdaafd848a1a7871086c79dcd5174bcbf31701431be752639a1ee7ccde2620d
SHA512 13c00a90a9229bd811f76296c56a96f323fbba789946d65c053c82964e248d297afe2ea398f6a7899591825485be4e84aae023c3798cf5b1d294d4d547e2c669

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-08 07:33

Reported

2025-01-08 07:35

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A

Renames multiple (79) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QGEsEUgU.exe = "C:\\Users\\Admin\\hYkwoAgk\\QGEsEUgU.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eWIgIMYQ.exe = "C:\\ProgramData\\IuQMgYwg\\eWIgIMYQ.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eWIgIMYQ.exe = "C:\\ProgramData\\IuQMgYwg\\eWIgIMYQ.exe" C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QGEsEUgU.exe = "C:\\Users\\Admin\\hYkwoAgk\\QGEsEUgU.exe" C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A
N/A N/A C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe
PID 2024 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe
PID 2024 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe
PID 2024 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe
PID 2024 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe
PID 2024 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe
PID 2024 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 2008 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 2008 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 2024 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1720 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1720 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3692 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 3692 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 3692 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 1372 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 3240 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3240 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3240 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2120 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe
PID 4156 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 4156 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 4156 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
PID 2120 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe"

C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe

"C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe"

C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe

"C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKEcYUoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqIsMYQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcwAAgYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fukcYUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiwosEkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgUIgggY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEEEQwAk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwIgIcgY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amsQsYEE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqwEQUss.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rekwMUMU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsYAcskI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TugUkcMk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JckUIUQI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcAEwcUY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuwAIUIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgMsIEkY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWUgAYcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYckwwYg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkYwYgsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwEYsEso.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQUIIgcY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkMEQQwU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asoYccYk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyMYUEgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuMUMYsI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgcsYAMk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwoEgIIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSMEcccQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqUYggUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcsUQckE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQYMcYsg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKsYQkMg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaAAsgsE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQIMMAoU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGIIQkAY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGEoswEg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSMYsEAo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyEgwIok.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMYooQMA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWkMYwAg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKIAwIwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amQAcAQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWgckUcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGowQQIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSscsMcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeAowgQA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOIIoQkw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XeAEgMYE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmcsoQcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IksIQkgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MioMYQAw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgMcEIIk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCEsAcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcYcwIcI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwUcYkUE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaUIIkcE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmQwMAAo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouwskMsA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGAYAwEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fugAgkIc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TggEMQkY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maMIskUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USocYMEY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKUoUgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMoEoooY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZagYwYQA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWggUgYA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwMMogwc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqwkwAUM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soQccMIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmUYAwIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eucYkIUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hosoogEo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSMkMkEw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmkQoIMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGsUsYwA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWcggkUs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaYAgckM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scwEwsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgsIgIwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIIAocYQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkUMsoQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCoQowYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkIIwEok.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQUMIgUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCIkcMMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAkAgMMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAgsMIEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoYUIUIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIogkUYI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKgMowIA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQgsgUYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuosEsws.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiQsUIco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIsUwsUA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGAEskgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUwAYwIE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcQsMcck.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWcMAssg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OogAEkAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMEIgMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv pF75mgUsAECvbR2Mr3onpA.0.2

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGogwMEE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noEscwkM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqoUcUkw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyAMMQMU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qccAUUIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUgMEMgU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSIMoMso.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEUQgYsM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dksQoQwU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwwkEMAc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGEIMwsg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQckIsQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGswsMss.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsQUMcso.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKIwwUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaoAkUQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSscsUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQMAsYEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmgYEAks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PioAEkMw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcQwYEAg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcUkkgEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISAIEQEU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScsQAEgE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eigcEwQg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgcgEowg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkMkIYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSwMQEEM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqEIgMwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muUEUEgY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
GB 142.250.180.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

memory/2024-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe

MD5 e4d2b36a6e50199c73d50e8da790862d
SHA1 5b4435eded4081877ec34088cd6b2f766f7d7d68
SHA256 2dffae656151451b2dd47664fd08f3873215a120342a51738468c89fd06f94ee
SHA512 a2bbaa8106dcb7f45a730511a2166f1cc7d5802e172c2992e8801c447972021d14a9c288a42266df323eeb7cc82c47d836bfbefe0ce0c2a5f305b0781a1a775a

C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe

MD5 3f6bc21a09cefa8715633403d1053e3d
SHA1 efdeb8c0ac2c8982e9bd6471b739d23fe6b64f10
SHA256 7baec492af21b6894acd6d0ac7b3c80e093a6cd74a7126fe53b74bffae4e0a3a
SHA512 c5b702e6f5d80b4f0396f24bed9bea428aa2a0204d0ada2348b477ff94b5757db6f46c2f0b7b25f973634c28e46e197421ce64c7866cf1db0230ce17c18aeb6a

memory/4292-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/816-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1372-16-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2024-20-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b

MD5 da2a3e52fb41d741eda2a8c6060447c2
SHA1 5beb278a9da74a7fceb212f55676cead6727976e
SHA256 a9a0f8fab82eeedc05fe5e22d42febd125145da26d8bf3283f5d8f1b6926b81b
SHA512 a2c2eab0f6fa31bce31cc149e30c36d32aa6c2ccd998010fd4e7467baaf5628c69c20f660844c870174c165bc3da77e2bdebe2c72aee1336437ab4c6741eaafe

C:\Users\Admin\AppData\Local\Temp\CKEcYUoY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/1372-32-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/2120-44-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1584-55-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1592-59-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1592-68-0x0000000000400000-0x0000000000436000-memory.dmp

memory/780-80-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4928-91-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4496-102-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2572-115-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3868-116-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3868-127-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1200-138-0x0000000000400000-0x0000000000436000-memory.dmp

memory/780-149-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3420-162-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3464-173-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3392-184-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4804-196-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3592-208-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2564-219-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3944-220-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3944-231-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\hYkwoAgk\QGEsEUgU.inf

MD5 f934e3ede4fdf357c61e61ae098d53db
SHA1 80111d63d674404d0aac2380a7125c781f0b0488
SHA256 b33f5b68480f8229dc563667fbe5f4efb0925a37bfeea6dd0f7e255855191d82
SHA512 e0bb0f9125ff5f6dd8d713102844b140de95a1c3afef05754b98206c23589757ab0a37ac84800bb3f7270f411d15fba670f96a3997bbe26e471d9caf8a6898c9

C:\ProgramData\IuQMgYwg\eWIgIMYQ.inf

MD5 63368bb5c55545cd9eb12e136bfb3188
SHA1 e0eacfca360a84dc035528ae304753fe20b2ac87
SHA256 06256e0871ea1905eecef2bc107f872e7fd36f9c4ba936097059f43c38fea622
SHA512 462654de9d8fd432769607165fff92056986ac9e846eaaa3263a6db2fd166549b9f7746ec72e097c8da9303253bc30cd8e4fe5c973600fe5e1fb96db93fa9fef

memory/3844-246-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3508-255-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4788-256-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4788-264-0x0000000000400000-0x0000000000436000-memory.dmp

memory/316-265-0x0000000000400000-0x0000000000436000-memory.dmp

memory/316-274-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1044-283-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1700-285-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1700-292-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3844-300-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3880-310-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5012-318-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3024-326-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4108-336-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4156-344-0x0000000000400000-0x0000000000436000-memory.dmp

memory/632-352-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4260-361-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4380-370-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4912-378-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4928-386-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2144-396-0x0000000000400000-0x0000000000436000-memory.dmp

memory/640-404-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2864-412-0x0000000000400000-0x0000000000436000-memory.dmp

memory/184-420-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2104-430-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1280-438-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2132-446-0x0000000000400000-0x0000000000436000-memory.dmp

memory/652-455-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3084-464-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2452-472-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2768-473-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2768-482-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1936-483-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1936-492-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3196-500-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1020-508-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4984-518-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3464-526-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4444-534-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1720-536-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1720-545-0x0000000000400000-0x0000000000436000-memory.dmp

memory/736-553-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2988-561-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3712-570-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5060-579-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1340-587-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2832-595-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2364-605-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2512-613-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1724-614-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1724-622-0x0000000000400000-0x0000000000436000-memory.dmp

memory/912-623-0x0000000000400000-0x0000000000436000-memory.dmp

memory/912-633-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4684-634-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4684-642-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2180-643-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2180-651-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3024-659-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1972-669-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1596-677-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1208-682-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4788-686-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1208-694-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GIcS.exe

MD5 8498f79d10bef5f5b8483da9cb3f6c7b
SHA1 0fa5b69a0700c137964552d3d5d9473cf899503c
SHA256 6b0b32170f1be67c0a7fd9f8886e117615a8774f33db3e1360cb455bff19e744
SHA512 a89ebeff1384085ca1bb9eb6f043744fb9d102f33d7f9895ce055b5023af617479d1838ecc3238e4d6938229701860121ce93a39e3efe51fe5da1621bb7369b9

memory/1484-719-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KMkW.exe

MD5 4af0833cbf6f8765e8c5588dd38937dd
SHA1 54daa5483609cdad467373ab894f81e4049ceb9d
SHA256 b5db9a7d6de4e2003aa3021b1869588b5837c5cf911e0e9e2a42fa0e6c3d839a
SHA512 358646b2486ebeb3624aba1d4a2dbf205c4113d5af8173706b0a79331b53b4470832386c61198fd6b49028ba2e029ac9f6bb76665a1edf94a0a5d70dccd082ad

C:\Users\Admin\AppData\Local\Temp\OkMy.exe

MD5 8ce37dd66cc4d946580ca055c429df6d
SHA1 5331c645ed86dc36ea439a1b978deb142ea45a85
SHA256 ac3897acce33dcbd511e79181f5027fba47bf15e8608ec928f3c1b160e2d889e
SHA512 a367c38e9d05f0c1f92d497709e95e899b6f023c819d2f555cfce0c9e5ba31236f79f606b2fb5c64f1a1e38364f338c32aff6fcdea311208e514d9c0afc87058

memory/2116-755-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SAYM.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\CIME.exe

MD5 8aad468d85f89da120ffca89d742adb6
SHA1 50055f343b3b20d4785b87c14058a9d57e0b7096
SHA256 163ee985b02323476afcc054bb518dc02e84524f188e49f33978859c896b98f2
SHA512 f9fa146a982d2b71efefa0a34b01665f2d9d661f90e2461c7d91f14dd410c9f738f5ee614f2eef13137e3b31b0748365e969a4586eaa390f31e05daad22c40a6

C:\Users\Admin\AppData\Local\Temp\gsoW.exe

MD5 8838bd04490ae4e937e06cae1f3308bc
SHA1 53b8d4b390e23dbd21861b5e03e48d11ec3baefb
SHA256 75910c232d57e11691086136804ffe08a403ada57f33591b7c7e73fee796dfe5
SHA512 8a988360f3b574ac340119b724d4585d7827ea8ee70ef99e08e1f8343318628b7e543cf8179a6bb76d3315b87342f6581021b915f2f07d4bc6cfc053b990e644

C:\Users\Admin\AppData\Local\Temp\YgIY.exe

MD5 25814e943ee13b9e4fed66d109519d75
SHA1 0cf02d42f54bcc7837eae91af27443ef6e2b4167
SHA256 7ec6fba69166e115c9bbaac15ed8feab89a15b190c6a058d882536e67df52613
SHA512 41601cceaa55e401be88a5f69dcdc4c21795a1e6f46081346362c680e971ea722428891d5ffc50ef72253a41b6ca387c7876a1e5104431cc50fcb5e9ced055e5

C:\Users\Admin\AppData\Local\Temp\IUgE.exe

MD5 8f8d3766fcb7d762a766317533a8828c
SHA1 1b3cdb0e5418c95346a321d4917691ab055f84df
SHA256 95e0ffb914153e512bfd494b308a0a82d785b111403ec4bee51afbd6e6ae6920
SHA512 e9ab20739716038a20c299389a6d5218b9e6a8cd237edf514f762dab8b40a2093183380b00200da4acb726ac015a20f6811878b6e5fd4c3f978213910473d2d5

C:\Users\Admin\AppData\Local\Temp\SEEI.exe

MD5 232ddc565e4b12cefbb13443330ba628
SHA1 99ee56f9db5c9633849d247da64a79e330a5bb77
SHA256 11769078fdff1078422bbb6787477aa79cc299f6bc3fb352e6dcd8defb9cb3d5
SHA512 f8e6d7347892817e00b9a17d8a4a8289807ec92c6e38c64fc2594e6e1b096a99f5a7883d2a97b44c4f668f673ca55010332feb818dad33424c70574707d0f0d5

memory/4792-833-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WAoC.exe

MD5 cc30efbbbe29127dfc6913a257a387da
SHA1 52f0eb838bbb19cf615c556f4a1ccdbf26294b8c
SHA256 a8f0f7797c750509742dcee5dc7fc0d7d3b191dcf15131a1c5fb6450f367064a
SHA512 ae8c8138e8ecdcc39ae608d4ae661072a37e89b8ce49424e307c3d2e7b91850333404dc25109755fc68818f0d4e6f71bc5b18c3f93c6445ec82d1b8599a6fc82

memory/1488-848-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iIQO.exe

MD5 61e3cd7cafcd9e00514725fa579b109e
SHA1 0bc8a4a1fa0df0204170e2d92f686a00afeb926f
SHA256 95942a800c09e4c03c24e0a456976de62ab1893bbe32e6c316d64c24766666d2
SHA512 17d9d5b2801854c271f4e90c8ada038360aa271f67fa952558a7882ee6e2428484a47a1732b789ee103939ea8e57ee579c2fe64f3320264ab6558fa10d27aa6f

memory/1488-871-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csQS.exe

MD5 567de8b7dd27098abbbd2f80e2e70b87
SHA1 4d5edcaabcf4f403b8cbfb73f9bf1a0c68221f15
SHA256 3f0d9da03b0ef5ccd43af051908dc92e6348f700c5dc7c89d1e98204e5c5e8b0
SHA512 52a390dfc38fb69c0fc8b1918965c86a3ee39c5c1d0766444bf9f61af345584635d35b0c35e2aee8e2eb61191b571ae99f2edec0ec9fa44f4368c505e14548dc

C:\Users\Admin\AppData\Local\Temp\iAMc.exe

MD5 d5fb0098ea68a12bcf58d6978c1ab659
SHA1 9d3917b75fc08a2ba92fe1ed93976d64b40070fc
SHA256 2c85c1c73e072cb5283961bac36da9a5752f663e6403f1d9708b5201a13560af
SHA512 6848b916ca3d4756ab9584c0407e15570276ab54470d6525cfa34d109366c8f02c8b5cb5c7f2a3fb36aa825efd4ce5af33a44d340208a8f6df4c7bf466d6205c

C:\Users\Admin\AppData\Local\Temp\UIAu.exe

MD5 1aec0c602ea34c652c509953cc786d63
SHA1 66000b0810e85b33f720e956d4e23a3c1a4ea1a6
SHA256 a19e6825a87742698ca45242d56ef784d4a3f2de504d2cdba113aebd3965cf9a
SHA512 f7892c47dbf8685aadd6a2bba1b3af25a8e646a9b19a493b759f668eeefa38db0464c923e80e13bd1fd8ffc83cd9f33e44b583026f382777441d1ac2ac280023

C:\Users\Admin\AppData\Local\Temp\iwca.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\wIki.exe

MD5 1a31b27e906a3c3414370bb92630f655
SHA1 e9616b637c70b33c684a9070365c5b2d3ce1a212
SHA256 cd7ab9737ca4f8b0e581dc4a25c984d1adfdedf98c87643f6a636bae1e423226
SHA512 bd8bdcdb7dc5d18be07f04d8bad876b4ef78959b7db905a24f72673868e295af681d84574b5cac80be47a0471bd1942954105861789eaab0f74db37dcf00856a

memory/396-936-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3844-937-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mQcg.exe

MD5 73ed7e6d08a13cbe937fb05d64713a0a
SHA1 42e08b43086f66dc85012dc83cc50ccd6ad7fed0
SHA256 327856569b6d26669966d60ce0b17336b64a2a5f2cf1d4e8e4d711b7a163349e
SHA512 bcb877622eb9a5cd0a0057c5b9e0d46ce314706dc568ea6e650f703a324423ac2d913cd09ca35faf40c5f89991b36565fc09405d3c64c1d47882b277163cf01a

C:\Users\Admin\AppData\Local\Temp\koEW.exe

MD5 8785397cde97c0914ebb36fe2738de3d
SHA1 ba8623dc40b75828e980cb290a5f6fa7c845d711
SHA256 77ff5905a4f9990db64655a53c973a3b0af40be097591b63fc0a6476cdfba5d1
SHA512 f0a69bc82dd35474467d1b6035f76f2275d75f40c48ed370fe65ff43b60b224c2b9e5ad466975fa007189e75280ef42ed142875304d1a9ad45906fbfd57c4f50

C:\Users\Admin\AppData\Local\Temp\OMsw.exe

MD5 66eedeb17da6147dae34f47e1a0584a4
SHA1 1c253ae2bdc802931338d6cd199b9f3dbbab5d55
SHA256 87fd37c2c73c24cbf810c354e7f6cc9697df3b73cfd241af86cc20ac16563831
SHA512 e31bc3d683cb4b056741b5e134be3c16bbcad677171f1a1083afe3c4c62bea736e0138bc82e867419023390d340c8b262789e8cbffc96cdcab3f72db99b14be2

C:\Users\Admin\AppData\Local\Temp\OgwO.exe

MD5 44bb96d8ac8c8d4ffdd453a1b7e64066
SHA1 98e7e3f2b33802b06ef56ee850de428558c63549
SHA256 13c5b4bfb43ad74f86dd8678d455a5464576c69afd4c77d036ad8d2a0740247c
SHA512 4180baa0aed9a10c80b90cf0c3dc9a4d6105aa209222a417636136a9e59c910ecbe879426929636fb1f21a1c2d4bec3f0a0ace6cfbbe472b72d1c76b75f22af9

C:\Users\Admin\AppData\Local\Temp\MAoO.exe

MD5 f5ae0d63067b959842eaf3bebab2e4b1
SHA1 1943f40310e385391e64dd93da08758a6f22e758
SHA256 7c2c4b61e2ad82046a388230c0992c805507fa0a07e43bffbea42b0be23f0768
SHA512 8c1a88aaeea1099dea20a88a89efb8e1cbc84d6baf005fffd2a3e568b282064bf761fc37b455c9ee2af0671ff93c5597d5ea43b98e9d21dd3129e5c125be44ee

C:\Users\Admin\AppData\Local\Temp\MAMk.exe

MD5 88f456e3ee95676bbeba3a59a26497d0
SHA1 3a37e1eaedf112b5494d3c094034e29ca9dbbc98
SHA256 d81458a01535f5581833ceec79e35ca095b5e05b2f2021524edf5431c86300ed
SHA512 7cea712f3fc0ad6fe2d9778791c71d9ee73c6c1c4bec4fc644f405ce54d3d60d2bfdb8b017715954c412b195dd769484e553de2765c028e45669e535ac3004b8

C:\Users\Admin\AppData\Local\Temp\KkMO.exe

MD5 52bc2c162537381e3e616ea7fa54ba82
SHA1 0502dae01bd2fdddeb53f9ba53b753da359fbd04
SHA256 028c0a6c9db1b8c29ef73d838f776cbbd2f9894108170a91c9124546a863c332
SHA512 3a2d59a3c1606ccf6721e72f223ff1dc1b8622ed796b58f609e9120d3a7057507f8ef047f886c344ae3187f089d2643d1801e0c4721836ba0796793370ca785c

C:\Users\Admin\AppData\Local\Temp\yAkC.exe

MD5 714caed2ede6197e7c0bb7dc04b2a726
SHA1 90e467ed88762ed2788aa07f3b374a4dd23c70b2
SHA256 f682d8cd244014260f230597a6c7c99d97d7857e60e3d3b761639b41ce3d8a50
SHA512 898c0334649d9b7011991913e2a423875b36b80e126cee6d2333515e9cfb3b872618526d5a58a2d3b8601ec01540744d50dc59da340502b995cdd42ce4dec86e

C:\Users\Admin\AppData\Local\Temp\Akwa.exe

MD5 7f20cc9d0a8cef586d36b38b7a1946f6
SHA1 9e7aa4bb3a0b848ad5941743dd17fc1bc2cc362a
SHA256 5b457cb84456420a6edc0b7bd9f138d237637a456fc691e8e0089b7e7343740b
SHA512 b04808f55c83aab07641402a2fe7fa29d9cbae128225ba55bce98d66d5ac7e365a42a55e57f55239a8e59dc9504727e06684d9b2084f67890bd9b7c926756f19

C:\Users\Admin\AppData\Local\Temp\gYwy.exe

MD5 861f67545a96c570a7ffd76c557ab6ff
SHA1 345ab2cf90c70b84c8bb5eeacc0bd81293efe291
SHA256 e080c15ce0fc9ec86af0785edd584c304b8ee0f08e129ca937d151a85f6c7e23
SHA512 48bddb52b51ecb808b79d784f677d6f4a6854728590bf7547eec48b9aa300877688302fe2a45f65ba51872635c4109589e558633baeebf9dc7505bb92d5de904

C:\Users\Admin\AppData\Local\Temp\swwY.exe

MD5 a8da40eaadd68662e6f2ce6f67d4fe12
SHA1 9bd7e391244fb9dd9e32a8a2a74a8aab67751515
SHA256 0613822a8f9724ad231deb4209267f7738a391be8375ff30244e9ae3f5c5d013
SHA512 b046eabad052378f4e6703b2ce461582fe166f71c4389ea0ade4d3e63652ae2dde452cc1d5334a6811f42a2454715996f6671354fc9f657c23889559d4176450

C:\Users\Admin\AppData\Local\Temp\KUsq.exe

MD5 4cd564fbc47aba6e8e71d0ed044f1e42
SHA1 a81c636623b89fc41ce773190dc7dce31aacf2e6
SHA256 483a11593c0641ac8aa3595c112d7cd30a08e78a9f4c8ce500987d0f8eb170af
SHA512 678fa1ec5e70659e422e141d94cd2a4229d1f347db7c52298e176d551afd6be9135ecc8745dcfdcf90aed941a6017f2d8b2e4aa173b75216250d31d988251255

C:\Users\Admin\AppData\Local\Temp\mQco.exe

MD5 6c6791329e80bbaa22eb44bdb9fc4243
SHA1 8a1f0513266dbff440c125093a2e5c0217ea8476
SHA256 13805b1c71c7535ddf30b0e8adadaca52130a88adf0e2d1ffa95f64b32e55c96
SHA512 4fd05ff006fccbcbedcfae53777f7cac62462d1852fc3749567b9f58e4a50c7af2439037e025428a6756b6355fe78c9f5689bf2cefb1f9483cb6a67d3b3e0d50

C:\Users\Admin\AppData\Local\Temp\ugcy.exe

MD5 23f685912896533707a04b0535601b90
SHA1 d9f699dedd4d80abd3d1282e253a02b214db7018
SHA256 95d488bcb578eb170c4e89392be8764d6d673c116ac1d8ad6c5010ff177baf6b
SHA512 bd7a871c774c00a4e5afa08297993addb89658916c4c2edcc6d378d89dae58e7f20762041c62bf8ee497447a9c4ec46dbd6d6a5d3d70b0d9d42640ecb3815a45

C:\Users\Admin\AppData\Local\Temp\IkEU.exe

MD5 2bf98f336fcd0e5b3d7f7ad41c58f701
SHA1 cbbe57c7dbd76cb36439c9aedd9d3b699e2440c9
SHA256 8b9c0f5717a39d8faed6cf7b059ff8d034e1099710a460cca537be5aa725650b
SHA512 1dfef10bbdadfb57c49718605aee87466762dcaed099537913c7e8a98682e32cacdc8b79a1044b300e17e9e513b67835033840b1b0902c638898a2975a0cf425

C:\Users\Admin\AppData\Local\Temp\gcYY.exe

MD5 c96fd27679a66ab3f636a026ee95b0f9
SHA1 bcd58006dbb3e47e4e99576cd44d7633042e0f8f
SHA256 5716d0926e06d88fb142529d55d5fe3fa0dc091b142acf5cdac280eaa13695a8
SHA512 85c449ace7b66d6bf247ee3e0fb7eb311e081812f726b32c0f0a7a419bb464522f7774008e94ffd9523f25bc0b72d4e3155053ba00f9db7f25c0e8689c02882b

C:\Users\Admin\AppData\Local\Temp\iMIw.exe

MD5 5a8622d1201ffd0e3be41730bbf25f79
SHA1 81a2938833469a8c6e6c1f3a424195fe37514b92
SHA256 de9b3a5fc87e7fb624edab9ec1ce7dfcdfb0abf76e6ac8bfe7436282910ffbce
SHA512 35d19a4d73bfbfc434cc6dd5ec9ba1812125f30ba1513f6159ccdf9ece8c0b3eab723cab3715f585b6eb9e5a0a29c940cd0858ea96f97702066383cd1af3d844

C:\Users\Admin\AppData\Local\Temp\qEAu.exe

MD5 c652792878ba6da5e7e21d28e1562172
SHA1 aa6b0ba2fb762332416e10027b3436a9e2b1e3ae
SHA256 db36f4b8ca9a56afcb86d34435371fd95203bf56c946d866dc771566a85de6e6
SHA512 756c59b6889ea54ed85dd5b7a426cdfdae22f367709b46a6553db82b61e918c8e56e27a72baeeb6cdfd5bc0453801060440f38a5daf51093403c8767613b3a7b

C:\Users\Admin\AppData\Local\Temp\yoEO.exe

MD5 acfec7b83ccf930ef82cd1fd40092466
SHA1 7b3b39435358f411a2b0f385f992766f7f0b23ee
SHA256 a8a38b1482bbac48cee29919f2270907fdf47b79c64fdad302e92c2e35793b5b
SHA512 4d3e8f317d5f24fcef5559326505eb3d38820eca3b66887ed77831e002c75b043533b1561714c0f45d71be03dc0d1bff22458eea6ef15d83b30b40318a7209ab

C:\Users\Admin\AppData\Local\Temp\wIoy.exe

MD5 c29c4dc2e80d8121486742305b755542
SHA1 3c92bf8cd8be89f479ba90aa584c4bcbfa381d1f
SHA256 cd36fca128c96fd8e27dda42a131675b8536be4ef7fa35b0dfeb2dbaa261c3f2
SHA512 b959dbc5de5be714666015df13c5138119da7fda1a24cbe8032bcefc598dbb3174cfad364e9f2f9a774516a0b4676ada38f302d3c495d850c93db66fc6ff5341

C:\Users\Admin\AppData\Local\Temp\WwoI.exe

MD5 76842849cf5183e5067b469df02acaee
SHA1 fc40e83a4be18ce56754dd124349a2684506e352
SHA256 52279e267609f835564bbf9ee534390796ea21949946c52231f21934188779c4
SHA512 31a68cd390051153a8c537a52f89014fed0bf50b523991f3aae6d121f3f9741d703acff0f7b9a68e66a20846ac32b753e882810e1f1ca0171ad5e5502b0d607a

C:\Users\Admin\AppData\Local\Temp\OwAy.exe

MD5 014868377528953e00c23dce62529e2e
SHA1 8eb124efb1410711bdfd0da4fca1ba181801d8dd
SHA256 fecb1d88bdb31f1a7890b09712fb789c6fb80437135ada02920fcba1bcba4caa
SHA512 e5888e65ea6d39c14c078906cbb3b0e5fa5cb22528e2e921c5ebe88da9c4d8ffee366008e8c760c4f486ba06cbc0005b355688a6ee3633d5bff19c6d2107e55e

C:\Users\Admin\AppData\Local\Temp\WIEy.exe

MD5 cb1340fd37a378b2cf5edac959636490
SHA1 9d6ee4eb415754423818a961852923aa7e3cf7bd
SHA256 f36f2c2fb258c66ff0c0aee703dfa00200672c661341ca7d845e1a6ed7f8c37e
SHA512 9e2cb0f312b9df6cdc999d2727eda6469adf159b46c3714a4743c314cc47def66a54bd3d1dccb7ea44c3a1306a87b7e78bf3258a60fed80b6a33ab1c522e3c8d

C:\Users\Admin\AppData\Local\Temp\CsIg.exe

MD5 0675e7a58a324f2741c29bac2a7ee04a
SHA1 17636ba04f59f4c7c4d83fe7ff5ae594f125dc09
SHA256 50451fa1e13f0634e090c0d87b7c2382cdb76c9a6cb7f5b72ed9453b298d88bc
SHA512 b341c05bc91e4a4fe19e77b70225acb103490750be28ce7d5a34369edd42000331d392f192220f3ff48dde30e0497b86b345dafc2a44222c09b3949dc490328f

C:\Users\Admin\AppData\Local\Temp\qwkc.exe

MD5 2a932303bdb8c2766130493230d8c2a9
SHA1 99ce38378f141b7622d9a29132bacb8fea20b6de
SHA256 a1a6d1ef474d6be0ef57d9bfaba65c3c207214807f63986e3aa6ecba10dac1fa
SHA512 af3d0a7aa3bcc62c03d03989f791a15549570af91c66ad0d185694fc1bdd75aef897d4dae537ada1fb461a77658bdf5f28f1433eb212c26fbf2c6b1682b88f68

C:\Users\Admin\AppData\Local\Temp\GoIU.exe

MD5 d3688ee656a53e4a9b3243029501d886
SHA1 9a236700b6b0ba6765469ac511b0714b10caf95a
SHA256 a405639b672d1cf16e17a7fd68c279e5013343b3379f267f82b3bc59744d8805
SHA512 adfe30d5d78f1bdf3d4b022678c1d698deb1fc6ddab237b7c4f8fd4f3aad04cec3cdc9bcbc1457f18376d61ac4be6d3eac91bef14be1f73e3d0f6d636929b0c1

C:\Users\Admin\AppData\Local\Temp\ekEg.exe

MD5 ccbf48a615999b65e164c6b38baaf014
SHA1 2a86120f8eb33e7ae35841e1972d2053fe0974a7
SHA256 66771f08894e43f1ab28ded3eb82fa1b8c9e8c1c9da13edb9710da5037cd3940
SHA512 ec4b239714720ee8ac89f3bafcc439e64f31e11c4836f3df4365df40632a34fd4013fcbbc3654925e73edf63412f61e27317b47ab4647a77f4498ed43338a0ea

C:\Users\Admin\AppData\Local\Temp\ecoq.exe

MD5 33d686212bf6ef8bd663d30c45968728
SHA1 ee5a52cd7a16678ebff40d25c2ddca59862ef4db
SHA256 742be0c979fd78464c5308d856b4a530262471184266f4f8a7f526275730df2d
SHA512 a5651fa340829f96aa5cb224e7313946c75edc13faf0a7e06f43a933adae4e4d9fb7bd4ae7222afefcc93d613c1b964343cbaa1f83eb8e54bfc4df862cec7684

C:\Users\Admin\AppData\Local\Temp\YkkI.exe

MD5 672ed90add5c96c457940472567c189e
SHA1 1d6744d275c9e2d31457f471b5e8d48fa5631cd2
SHA256 a276ec84965a97b4ee8f0583cef8b1e5e2935906b7d2b194277e1b4ca91222d5
SHA512 adfee78d3f54569ed1024baf681e8dbe0807f450b4ce137bbd0aa0eab1a197356834dbcce2b712e826de6c773f1efaeb0ca985ba94318eb4c201d1459e0ab968

C:\Users\Admin\AppData\Local\Temp\yoEi.exe

MD5 b52e0d031c9146627c2fa77d863a5f30
SHA1 d12790bffc79c251d794e4850f1df0d753ac600f
SHA256 fca06cc9fb1af96deed9fddb00d1ce35d8aba6649312799b084d18b0f1abd065
SHA512 3edb0e9f05253f6df155cf2de44af97d403d8aac09b27076a28db6a7eeb1d7a9beb1d057092229fa27c8ca320dfbe04580a8627c73a49ca5c13a6dfb0da5f56e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 835a6570790697990cd71da53265db45
SHA1 ae7d88a0ad77fcbf7ed2b7df4858eeb73a4d31c1
SHA256 4db1d8b35ba46e4ba2d4e0994e6526aa947939780ba480d16adcab19d9dd82a3
SHA512 45f8741c7ba72b502515dca664bb333e153b8821699f4adb8a1b49e64d82da1aa008d311dcbea63fb27959d7c2fcdf165218b93dfe36cdfba203cbff81ca6d3a

C:\Users\Admin\AppData\Local\Temp\awgS.exe

MD5 30f990c590928feb5a77237576db1a30
SHA1 88efb0cd1e24f0d104aa7dc68a7effda43cabfc0
SHA256 2b70b01c3f94d45d5b87b054ac673239e45b89613ea25442d164f65ced8cbe10
SHA512 b81a54f1370db0e8487cb63a142eadf9fb17ec90a6a575c871cefe4a10b3188e88e7ac2f595c1d87f4f30d0e1e2591523514842d1fbfd5631346e97ae04b8378

C:\Users\Admin\AppData\Local\Temp\Qwsm.exe

MD5 c3045b511dd6ab414986979548786db4
SHA1 625b4fcf9dda7722f64f9f4e5913241c77d05e89
SHA256 af58d2325f7f33899a0bbc31107ac91e27367ee41bc3dc8156365711a7e5a6c9
SHA512 3e846c3419a71516cd3d18a58811ca6a21084fc6b5b695d4d56d840b8eb7fe89b98dd9a4a9cd843169b3e5d05c9591fabd91c569c70b229038afb096619cc398

C:\Users\Admin\AppData\Local\Temp\wEkS.exe

MD5 7497b080df0c7999312fcbf2d94249b7
SHA1 475193e5e0e4dbddc58271e1c2c2138f2e19a431
SHA256 028690e728dd6306ebe8f37540c09621436e12bb3c2e4664e16105b495e0eaf0
SHA512 ff8869b916ee993f02eef93b419cd3a942aca420a876cc13c882c754ac811b948714c54876a0c04fd5a7a39233afa9e1b4fffd4220cc3658f3cd6fbc96a3714a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

MD5 ece5155ab9724f02cc633b8cc5f09ac3
SHA1 1205989b3d6576fe4c2fcc3b259b8495713540f2
SHA256 ad85de6cfee098e535c2c3c8ae68a58c857a73714d4a2b9612959963fe17031c
SHA512 d477249d1072e40363d68deab0100410679046dc1b6488fc8e00ca3f6a356e9ef8920f409640ad4541795c5f151b97e8f34146d7a5ebddffffb9956f4bf24785

C:\Users\Admin\AppData\Local\Temp\QUME.exe

MD5 e2146fff43be30062f414ae965fbbd1f
SHA1 0fb75ea07f26721ea5fc1c2ab6436eba085cef0d
SHA256 6df32081a229f01d0dac9c6c776f0f85aff423db670b78c26953b3520415bbac
SHA512 62d4f9938e32ca261afef3e37e8fc6f68f3546d4ec00265802a6925eba0feb380a98210dca39380f3b744d214ed441e8e25ea323b5257b2952ea78b8e70e9f52

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 ee57e3e1226f18d0398fd532cae35049
SHA1 81b31617c55b1a108fa0d25d83a8c46a05b493bf
SHA256 b668bc3b74b2538ac17a0255ae0b32d4337db42be80ea32f5c02f91be19d3d77
SHA512 ea1192999331d426e79022744004671208a214aaa959a9b685241c29ec94d3d3f46fc344c707c567af4397a2c9b8175cb8842043dfd771d9fc12a3f62e3579f0

C:\Users\Admin\AppData\Local\Temp\qQIO.exe

MD5 a8acf6a27e878a0c11ac193277a1ad5a
SHA1 8a6d9070a85a01f8b6e38fef49145f3886656018
SHA256 1b54a7c05b096a5f969a6a0e632d0fb17adf082e7ba7600106a1b8f88542173d
SHA512 2344098be101937c2e8b968dbc2aa8670e574bf6df083040401db6e555091858d79511fe51a3e49a11380f71500322c282bec85e7db534c73d8ee82afba169d5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 4f4c839e17a3d1a865683de9c3fb3c86
SHA1 921859d46c90dbc22916ebc3af00a02fd13177c1
SHA256 c96b0db1336827d471d6a4c081162fd74ab270e189bd7ddd78beab9c5a428f78
SHA512 5e6bc4f85001024fe6a7d824837d1a6687b258b82ba89304bae971a73dc57e5687654ea4e51883c065c3df18e8d3296436eef90ad0cd76c7f5b322315120324a

C:\Users\Admin\AppData\Local\Temp\cMkU.exe

MD5 f7e42e93e7d9549a12fce8899ed5ef07
SHA1 f10adda6aab17873a0f97a0dea124ad4da728afd
SHA256 edf553dfeb76a8ddbbc8b3b47073e9638159772b758110c6a47a47abb89a09f9
SHA512 15d9f27251dd2f800ea559806afeab2b0fc56b0180d4866f3d93997312cf22a144925203b591c91b11375bb4872dbf7fc45275627609acfeb91008ec21f88f7e

C:\Users\Admin\AppData\Local\Temp\Ekow.exe

MD5 cd70c30576567d77384e65af0ac2846c
SHA1 c8b01766df82df51579352bcc1a2d1cfc80a7a94
SHA256 9e90861606e1f66326242003ddddc615d5c213f205d9e839442d5629d43b0b29
SHA512 7a7649a5d08f508a901f65c81420fadcff718f2c7497777650cbde0bb16d87f5106327b50b5b99b54c58280c7b7b7b299a558ea511478d5509e362749cc387f4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 364ceb6bb17a0477b91d3824a21a67bd
SHA1 f8306ab5780a8ad37c42daf40d95477838c4d60f
SHA256 08c70c5fc0f5f40408c26ecd187015640cee76cd61a5423897d1700447b70f7f
SHA512 242e0f6b8e29b9624706a09d31d56e44eaf019ea6884bac5eb3c6743a46af41df5c321072988c6baa3093e39df2d0142782fd5afa5dbd3f40cd599df0069dff6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 31185533a15b89780526b6cf689bc18c
SHA1 c82cc0153f0fb7187ff7c27e30ca32f35f413958
SHA256 762100bba9e22111f8f8e73c604107e2adc9ed88385321c01578e7e76607394b
SHA512 59e7fefa5e77392add9c8ecd19ceae0050c6a42498049e2eaeee1e7f85a04beb91aa53c096cf86bb4c0ba5f8559839ce6572eec18fe2a6f48ecf07f4d468ca50

C:\Users\Admin\AppData\Local\Temp\EcsI.exe

MD5 9005a0310ff3bd157790e4d76ce386be
SHA1 c7490224dc7d52ac695c494330ec0884851e3a41
SHA256 965a327fbb4faf95706c68e9b562b57ab580797a03d155c09db0a5e16f9fd46a
SHA512 e20b625f07db1ad22117a0a11890b02e5fa6991b282613ba018563e124f08afcad36228dde198e26c3f9f2fc6510aa54529eddbad54cdfcbf86831c227bfbd22

C:\Users\Admin\AppData\Local\Temp\kAsk.exe

MD5 93edbe15989a619c95eae82f7225cb92
SHA1 35a1efaf5ebf48a9d94aaa888e01fc8ebd8fe4c6
SHA256 9f2cf7f4b890856015434f548b49749456815d211d3958aef7d6a82c5529b696
SHA512 5e868e299df421f0cfd922e90274da4634d9f4b3c25524f27e5a0ce805aa596b49b5cf0cb8945e874918ac40421a154b5dc1dae2327b711d4bd0f5768d2bc1b0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 1ed391b918ef23ac713ca8d458efda18
SHA1 d435eab830b86fde364fd56d73bfaa020d152b68
SHA256 3e0219232a42674ec7f0bc6f82294fd1b5ff09ac175383b987776eba4b7e16ee
SHA512 373ddd98e822e033ef2cd56ace60800b23a04a6ce10d2e51df35fcb9004b5687e697f29db16afbb2bb0218ebeab60f9ebb027774253e1e781c81f5872461d98b

C:\Users\Admin\AppData\Local\Temp\AAgg.exe

MD5 81873592beae7eeebafe66785cf54843
SHA1 31221321b8df38aec2df8e5074ed32051a460151
SHA256 b6b77fc84f33fe9838825477f030c09aba247edabb730959ab2a24c494619742
SHA512 68463e4282c5922cf3fc398a98547eb2d09a0cab5ee7ad2a97f27982beb48db6719f35297d68ae01f149ceba3e122ea8aa5b232cb0e99c4da9f04866decd3025

C:\Users\Admin\AppData\Local\Temp\Uccw.exe

MD5 4d53f3ba434e8edfe4f92a16fed7cb3c
SHA1 edfc5439257b5da11e8a478f4919f254a4c54014
SHA256 b834a11a7c43e26ac3c6a8e342d2f471a7890a7ef50a1c69d9513228548f0817
SHA512 f54b609949c5b23080cfa09244ef4b882ecdc1af86af69d03c85274885b603dd8835d6445ae0aeb2b285de3822f80276cde450921776231199311bd40bc18e04

C:\Users\Admin\AppData\Local\Temp\mQUG.exe

MD5 65b4faa560e75ed8bd4e2f75ed8cd92d
SHA1 ea919305524663de658b6b9128f0377a8a001b3a
SHA256 bfa5d34ba94682301bcd82c7914c1282eebb4eb8b5867e039e58087322e33ab8
SHA512 6945455c6926df0c177ac9383e2b18deca35143b1127ef38a88826503772db3013980d8a24cf0874a7583919922dc72548490653d04654a834fe433bb7ddcb14

C:\Users\Admin\AppData\Local\Temp\OMcu.exe

MD5 3a61f3922eea5035735baaf39cad162b
SHA1 2955591bf3c17f3c814bfb774da8416329b36b84
SHA256 68df81790e444b57477fd8fee4a52d8e28b4a5901ba340590982295e6768a6e1
SHA512 60df78855cc11cdc3699bda1b1115f3eb78ca7a32c4e7b86a16a60b75804092e30dbe7c15c6ef4b17bd9256b2f8398b3daa32fc58489326b7233ada604c5eadb

C:\Users\Admin\AppData\Local\Temp\yYAc.exe

MD5 481fb915337273f7a3d03b126c48f74c
SHA1 66a2efa57602022ceeb5ed8022e0944742cecc7c
SHA256 d31019d1ffd50df5522f1c8ac6cdd9fae193e48353babd6c19ffdf4c71725429
SHA512 36f74f69c9648b6a3536fe44ea154b70e9f9d73ce6f33edd18ffcea13fede3cf5787d0a9706a2621d46703830fe90317172043522c1d7ae380a6bad2968bdd49

C:\Users\Admin\AppData\Local\Temp\EMgm.exe

MD5 0bfa79e2de454048e0a7e70c1c1ade57
SHA1 4b2216963a7402d5b328cd5b21f4562ae40f16b8
SHA256 5e84ca810728ddafd894d19b0e3276dff26bff2ce5aae87eee2c1950d80d2750
SHA512 97049f6ef445d0b778c5989fa9ef71ab7de50ce8ef67a9eed34df73bbd2026b4760e77d8f0ef0dfb34ea2b17f4284876bb143b7c53d893851ae1f7601cd013d8

C:\Users\Admin\AppData\Local\Temp\eMAK.exe

MD5 a9c5b2443abe0e783f3e652a69df546d
SHA1 85f5cf32e4e13f9f12dd6f310e6786db872718e8
SHA256 838bb96e1d8970c7f6a0e15a4f6e3912e385aca3338ce5dc92d19fecc6d13146
SHA512 902fa7ad07e5ba0bc5d3e5ccd20b8f8190ad1d43f36c15622cb4b4293094b6b2683b08e4fb99600079d83fc656934cd305608084a3b00a8fd94f24874d46298c

C:\Users\Admin\AppData\Local\Temp\GYYu.exe

MD5 07eb7d5506755b16013591d4d89ed82a
SHA1 b93439f63300b999d6f55da77f50930a11271d0b
SHA256 1a01a7895e1554d1d8ad3e4252c91d92a1f50fc9fc62fc561f45a2d79aa95ff1
SHA512 31569984a68929bfb8311348e0de39fa8318329ba0bf1c19456e0e7aa6013d0775359005fd2f6d86e8a9aa10d3796f3fea806aafd4bfa10203fd5d9d0df2409c

C:\Users\Admin\AppData\Local\Temp\UQMe.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\cMEk.exe

MD5 20fff97947754cf49aa537a0faadc3ee
SHA1 3212630dd51ff69862e982541c7453449b6d4c1e
SHA256 1adcb2196705b7143d7704ec962de14461012855bb49f05761c313fb7ac0e14a
SHA512 0dcd11c25484022361ffe14b481014c748f5c0c8ee2e6b4bc3f498460c2c11e3bb84d81a7c6062a9c3940f61ce35088edb61c9d480306db232d5ad7045ce0a60

C:\Users\Admin\AppData\Local\Temp\SkEG.exe

MD5 99d8d1fd9979ae7cfa42e4efe9986808
SHA1 0c111b118b5b4ce72e85e13881eb004cf76cbbc7
SHA256 2e826c3630d13fb8a7f8776dfe4cf1963c4b80304bd54ac81fc930ea731c3bd5
SHA512 7e17d06eded2b8b98735a3ca165644cc969327281c9c03a11938f4969aad30e547e1473c2054a6bbd3dcad5c99f864e56856fdbd4bb5199606da7ba7fd6563e4

C:\Users\Admin\AppData\Local\Temp\icMO.exe

MD5 a68ac59a1e19ef5a07fa37682414fa4f
SHA1 8dbae27dd3c17441a9edf9f3351dc44838257ce4
SHA256 6117c57984049be6b29bc5d8f52d0b699b7bdaed342d0ef465bc61e5c4f61f92
SHA512 901cf79305d2ff775ad6f55494fa29d5b6a83be0ee97fefbafee7fc1d33d5d54d98678bcef5c649c1b3bf1a572fca135d8a83a68956b703153029de7ccd2eef2

C:\Users\Admin\AppData\Local\Temp\mgII.exe

MD5 32d7f5d912e6b7f4d9bf57d6adc6d850
SHA1 a9d18e7b36d241802c49ebacd63df60f2848acdc
SHA256 641b7cee28421e75b45a8ee1980dd382988f080deca23edddf4f353cb11bbe13
SHA512 c8da18a54690ec3923af90a0902db4314deffa818ccae74be2ffe0069e8f5f1b4ce183825fc073c4cc068ad6844be2a5714c9e1e1dd6fab83f1e6597f054d1e4

C:\Users\Admin\AppData\Local\Temp\iYUm.exe

MD5 6caf710d277332afa335486ab9bc9363
SHA1 a8d15231b702afbb44b179987f75d4cdc1b6a7d5
SHA256 0cb205b1be83d4b41609ef5508eece83617bde21b8c28d2279c0fb2acb99dffe
SHA512 3461c465184b0050a350996dab9cf19d0fffb4a914cd983faa5840aae1c5e63789665f5bbfbf8574d21bec3b2b1cd558f5f7f3e142e79bf6353191bb6f7d0058

C:\Users\Admin\AppData\Local\Temp\IkIM.exe

MD5 e1463531d1a801a6f17101c7cba3a818
SHA1 b8a61c1149153cc30f5da4c82dfd14ba58cc1de1
SHA256 cd67c5703acc0258a1947d6a0629a1ebbda1d9f2c297988c70440a374375b90a
SHA512 65672948ad178f8dc51b164b124f82364e764d11b17fecfd7dab841fec4427b15730937e8b58925f6354c1362a169ca1da771434a64ec680029d4aa0ae3c3a43

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 60e7148e99be4b71e6cb03756b9e60db
SHA1 a39c83da2a81ff18069f1dcdc6df9c9842933c31
SHA256 3063fd909af8a1c28fcf17e9d2ec1c16f48d46a3aaec982436db73a6c7666e32
SHA512 73b89bc9cc1c9b21710cfc008a1f34cb9ed1a123fea81000100d0ee3162668cdf9728f560c297fd74dc14244e16b20c0ee8fe83103910eabfc25f9d1b0edc652

C:\Users\Admin\AppData\Local\Temp\AUUK.exe

MD5 b511b2efed8598739131301dce4efd86
SHA1 fdc5392c76f96d6f476c4fe36b5195957f26ee3b
SHA256 35d031a2063b26b05bb2ff3cbd9eceeb1f00e984be86a78f57f52a9010ddd74d
SHA512 cd39a2d99d207dfaa49f2d1869baefde3bad0bae5d96ba4d062d807b0366a8e82af087ff098edfe5c7401b8366498c3f4546198e9e4b84a74ab77a7e059bffce

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 52d583fc3ff98e8a46ce2980fc8c5903
SHA1 4bc763209a0dab414802e309d873cfbda61e7ea0
SHA256 b1e81012a6e5cb6641dbc7be844f935cde54292ff4d6c7f51fa7103246ec4e27
SHA512 e910daceefc573bdcdc2dba2c8a47b658d10aa4b9612681fa80c08e84dbec9b49dec0face5bb19f88e4afa93a7e5e3d281a853a252c55ded38237ff88526b1b4

C:\Users\Admin\AppData\Local\Temp\uMss.exe

MD5 7669e42befdcb90bd6f296c735de75c3
SHA1 8dc40be2eb6b7f49718f5ed8cc89447514cb98f8
SHA256 62f0246de1d5a378ea8448cb7ccfc6fba60a5a3609efd7b8fc8f30988b5b5060
SHA512 62ff6e189816c1ddcde45b1d546af673027a4fe2b8a50832c2b3cccb4cd074a793965fb0d7a927bb0034bce12556302d2b789f4ae62ddb8a594553a4dae24022

C:\Users\Admin\AppData\Local\Temp\SEIU.exe

MD5 237bed7561a684504470ac8690424003
SHA1 aded780f0b42c9ca1ee196736b2631262c0a6aa0
SHA256 421c1005b18500715dd6970699f7b6f8815575559c428b6addef5b5188bc0d94
SHA512 5511b3360f9e7aa33d951a7d0d359cff0ea0b2b11e980de2f21fb038c4ed0bd493daeee95620a982b0a1afb1c63a199ad26ff9fcef0d0d4a51e969015af3dd88

C:\Users\Admin\AppData\Local\Temp\AEUy.exe

MD5 de9c73ea18ad303a172ff1401f4600c7
SHA1 d9e01a2b63bb226480f2a87556b5c3be02eacd74
SHA256 e523268ec30d7b4561a07505b7600f2fabffec7080586c7261e53e2c249e9a41
SHA512 0b11ace35e79c861366cc7f55c4c63a9525f4a6de6f7abe33c11b5d7440fcb32b62a85f6ecf322fd3f271b46f39a4b87d61b4f685781a577443456ba5122f040

C:\Users\Admin\AppData\Local\Temp\awAy.exe

MD5 610dd5f3818afa98bf7a972bd3deb3f8
SHA1 16f119aa758628845d7b62e80bd946cb48d062d0
SHA256 f978d59d852863faa1e2f73e8f86bd56ae2fc2ccfcb61e3546008a587cb3ab25
SHA512 66e84db37e6eb8cd0a3673c46c8ba6364ec87d97151b1e7e16b36be70972d78a364cc95ab26919dad30fd2f192cd85f6a02afe9a0a1451065d1e0ec3bd1c6ae5

C:\Users\Admin\AppData\Local\Temp\eUAs.exe

MD5 a03f51a87bc148a610a6379ad178c1de
SHA1 4694dd918990ea7a71f7d48a1519ed2da2cd4f16
SHA256 e05f6888c43d4d054e051472adce880c22d20f5e3f0c447745aa2b8e6eea915f
SHA512 47fa8692f4b8eeab550d2d3dfb0221d190633521454beee25c2a5e2bfa370ded4551fd1fa11ea13507a01571baa6ccd80de06a25104eece63ffc813a45e10689

C:\Users\Admin\AppData\Local\Temp\KMgw.exe

MD5 663b6540ec61de5911257b9809e66b4d
SHA1 f48e436688b1c08301afaceb04e4e4075f44899e
SHA256 3dc28464bee95ee8b4a018d2ddb88be76b932dd680c0c8d1d3c01692bf4a1cd4
SHA512 af0ef51d8f7684413d8370f6c962d134750bf2df45aa9719e51aef3afdc3d82baa64149b66d738171496c3f87f6a7a57b180ac019a2db343dc198c28dfb428d9

C:\Users\Admin\AppData\Local\Temp\CQYS.exe

MD5 6a2a9376e1f8934c098c3d8c997ee3b0
SHA1 868e2a39d596e587ea1bfae6e475bf26e6915d5b
SHA256 6d74177db579b9af574a6cd002c63294251aaa2a83c9fd67deacdfd1d88ec5f0
SHA512 de6d82842644373e0916e6af87deb3b1be4308585193d34ad0048c83e24f5787808b25b00d14f50a1bf296769039229709b516cfebb5c9d1dee91ae3581133f3

C:\Users\Admin\AppData\Local\Temp\MEQY.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\iIcI.exe

MD5 b216fdfc5883d667b758fdb98c087511
SHA1 764833cca2e71be51c78253638562f8fb42aad6c
SHA256 89fcdee668273102d9d6a7b374828763738516ae7f3f5dcae14682e191f02c02
SHA512 230b89478b6b828b8e0d3ab349d6edc1e810fa3b767823b740dee0cfe1f62162e6a5a1152ecbb44f9b2a478df4f5d92d89afc4134d184e37d37edb83e741597b

C:\Users\Admin\AppData\Local\Temp\Wwcm.exe

MD5 09bb1a6eb5034d0c1bd2b96024cfd45f
SHA1 0c9d77c388ea9c906d9542e3747b27cc572d69ef
SHA256 02f4c78a9f818ed0027b08191dc04da8b7047d5ae25d370f4920fb15fc6870aa
SHA512 cfe9cb9d4587ab4cb8f1d1780b30265f49f8cb285fc5daa802f3b40178d1f4153276c12f5a4e66a20dabbec823dc17ef4c80395675133e0ad1235f13c4705047

C:\Users\Admin\AppData\Local\Temp\QoQG.exe

MD5 e4201bf5184e20370a6b387bb5ca2b6d
SHA1 7806aabf43dcc427025f891ce4510f8a257f9957
SHA256 ae4732c54aee8829003801ed708f24969a187b486330eb7a1b45dd74a6b44772
SHA512 e8d66fcc7e1ec463cd68e571e3be342ef9133b3a58cd5aea34dd454c30b2d0454661aa6cd33b0bfb1924421763d584e8336155547b78e0cd18f7e7c3e9055abf

C:\Users\Admin\AppData\Local\Temp\MQEy.exe

MD5 73a5d4a39529f679bd0719d09f641b7f
SHA1 6134de8a655f2911ac9991d75d20216bc80313df
SHA256 2b020f5c23b5e3a2b2e975b3d4de10c28f1a8bca24175bd84915adcea0ce07ef
SHA512 81720d21c67226a0ecdfed7e9e94963985fdec6b055f87f8d66d0bff770cc52d4bc44c21f36aa6425f4d9f0c575e42e98f4c6bde33ed1c54cdea45f1d604d74d

C:\Users\Admin\AppData\Local\Temp\GoQC.exe

MD5 1e156ea1dfa00c33c48561d609b71bc1
SHA1 4a77b851bfa3d226976987c9138c39c7e6b7009e
SHA256 ac45cc8bb888f55ed735b184632f85bbadecfbe5dbdd34544bbcb433e5eb86c5
SHA512 03836373af2dd8ee5b8d3f6a90593a9f5f3e8ab25407af6bd52112b473d01fa9750cc3601a501683c89a07ec4816b2faad70276c9a38d3e6997d7a64fb070416

C:\Users\Admin\AppData\Local\Temp\EUMM.exe

MD5 a3f93ed56eb3c89a7ac91189a7b9d298
SHA1 3587663315bbfdabd91f6983152d1ac374d7e23b
SHA256 8ecc2d70f13ab663fddfb1df4c5c6bf9d3e5666c42ddd63f3bbac19417e6f517
SHA512 b075241e3e2f0498197d4c46a3ea4bb8183f5aa03f27a252d6796fccc7ae20eaa323a755c9cb5e98f7b325cfee16b095a8ff003a32752b8e03c01a069e644f13

C:\Users\Admin\AppData\Local\Temp\ysoS.exe

MD5 573a2ff469bd2b94d8850e1df99de989
SHA1 46f893cac0dd1cd90eb8b215f98db466d8dfa886
SHA256 88a4f116747c98c4bb13b7dec9ba5d4c87eda71bc25351586370dcb150d10e0d
SHA512 1ef2dd15d55c79313e19c45f3fd359b41b2b19ff951d22ee0aaaf5440670d80d436394c8e6942ae2490ffc0fc60699c37c06b55875259e5baf0de7d514e2a870

C:\Users\Admin\Music\CheckpointRegister.bmp.exe

MD5 44de22927d69595c9731aa4868f0fe49
SHA1 c158331d59cddfec056c73d05b99f4b5065a1089
SHA256 34d0f93ce372992d2c53c9e0a8eddaa59c99384a9758b8823287304be0a59bfa
SHA512 746d70b95b5699a681711e8b4e6424ffa0f2204b1f137ae4e710111b38a90ddff5db3598e5bb5086c04507632cfdf14e32667677262022c81d11936732481c29

C:\Users\Admin\AppData\Local\Temp\QAIa.exe

MD5 76ba2857aa93c8210c0618ff3a4b0926
SHA1 b317f75ca88f5d414fadb54b13d8eb21b76f6dd0
SHA256 5393fb3f4dcc4ceea79cb501da2c9c318ea6ec50b8c6b61cbce2f4494b4d7a42
SHA512 800849f6b2b1d9e20b2a036effe4822b8d85208030adb687dd7ffdca33a694dba8f40187adf62b2c6dfe7b36a17b9d0bfd994d95706eb94c5a1f1388746d432c

C:\Users\Admin\AppData\Local\Temp\Woss.exe

MD5 0fc5ed1be193cdaf4a17a733c2759e18
SHA1 a3b68f4d0e90fa4012122731d11ac121d453d917
SHA256 1fd28a886421fa9e3593152a1fc14fb7446404eb00dc662bf0d7dd936441c053
SHA512 287c1deaa4de99d82f17399f847fc2ebeb7b197b797c1532989c523f91280c8b8945bf1448adb847c8c00a58631f2d5ed3c1ecd1988f16425991091877a04305

C:\Users\Admin\AppData\Local\Temp\uUAU.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\yMok.exe

MD5 3b342f0d3fba4d369aa3f3329e102582
SHA1 14b69bb839cffc4c16efbc88cab790b0b0c48656
SHA256 86ac7809f209c235b6ce3f7f8133b871591c36a1c5c74a18ccc1f7b433515810
SHA512 872381acc187389a609a9ba718b8979ae4794aca9760a65a1b9d0a8d9c52ae2588134e71b5c1136b4db9e9646958d60a38f1f33fc319481d4c7351864923113e

C:\Users\Admin\AppData\Local\Temp\QAMS.exe

MD5 744fddbb9e4b1a1fa7f00406e421cac9
SHA1 2e9351b4341f5e21e43b857457da36e3ea1c670c
SHA256 059573cd478e46cd760de70bd08b9cb5418fdd9a77fd4bd02222289d2538b50b
SHA512 fa23fe011e34cf119b91f257b66971b68bea424c73df8b47b7d4e8c08f4ab4bee464f846c92c743e16f9d0b24457db0b32a42d3a90931e117bbcb5fa530ccbcd

C:\Users\Admin\AppData\Local\Temp\CoUe.exe

MD5 492d3faeac28acd9e3a5926e224b9f5b
SHA1 7121fa4ce47a4913eb58832d79668cc176516608
SHA256 144466a42a90c9118e2aff96f7e877ba584e5123a3c5de2569744db2bd6490b0
SHA512 20b105f642766c81bf56dcf8d3f4716ba8454648a51d9ce6f6f1de229d10c246db1c10114daa370a30622a86dbd7ba5136df11f11e96ebcb4b5cad51b381f0e3

C:\Users\Admin\AppData\Local\Temp\uUwC.exe

MD5 9697b0cc89ba8bf4785b2e73c8f087c5
SHA1 830f80d248e493833f385653b29cca5e64bdd0ca
SHA256 be61162dd0ac700b688849b20333620643b5e33b7e239dbed89d410c91c5347d
SHA512 e36a85bb9584810e2c0ecf6aa1355a84b02dc002b3ec12f1f6363821c1ceed0b765f330fb83db7e2448563e7ef5ca6d1f46ccaf22bed1d23bf1ae7c43b1afec8

C:\Users\Admin\AppData\Local\Temp\ugIY.exe

MD5 46c838b9f1b557efa27ea3deec2ac20c
SHA1 877e85537a5f888479b139189b6a8425ddcf0bb5
SHA256 3131c78ef5ab30a2190baa788d16223d9ab3511d1d3ee617e587f69479686ddb
SHA512 8c11a95efa938d55520345bee2a82a5395e7b0e59366af505f2c2d0c63739c0ad05b046f765dd1bd2d030dd4725958554e3832d90903a0e2fc3f49c939c68465

C:\Users\Admin\AppData\Local\Temp\KYoY.exe

MD5 949bfb4aaa4b9ea67f7446dcf64ad902
SHA1 5d40e585499f99f5a7bd73242fc7c4bf306c2123
SHA256 b63c8e8745ffdc37f34e3dac5f22699ea5d2d27d61e62d24c11bb85fe3072ab3
SHA512 e66a5be0b3c6b00c2896989644e3e1ef7f4d5ac5b831df2026737855d1c56e54481c11520aeaaa189688c6bfdeda7d54c4c6b7c0019628070b910d868ca8f211

C:\Users\Admin\Pictures\RestartRedo.png.exe

MD5 77b79abb6cc62852fd5eea3106327918
SHA1 921dcde76ea7090fe6c793eff5c0c22c65466ce5
SHA256 3622586ae7e29b6ecd5a77d70e7deccb392cf7563e400a3740069778c3414af0
SHA512 507bccedbb1007a26923e8c68d3173c2c23f67f24052465bb2498e30f2c29871e9b4409070b481e5b3cfc87ff42ee8e5ec7dfbf5e8b55480c44b237f0b9e782f

C:\Users\Admin\AppData\Local\Temp\wEkU.exe

MD5 f4468fa1c222ee1f05f134df83cb39be
SHA1 0694b3e0df5374699947b3b04bd381708a2930e3
SHA256 8a75dd2e28defaee0edba40cfa7b0ea7f4498302f438ba1698a23c777cf4db77
SHA512 7d332d615fa5ec171924b0f2dc3dcccfcaebc19c2ce46c93a47107f64f951781190afe89c8b769372a2a9ac591f31c929a3b9b4ea4ef6bf602f78fc130d37264

C:\Users\Admin\AppData\Local\Temp\KYAg.exe

MD5 8dfa0d025f018e8c28db314fa925b971
SHA1 1283499f984b14d8398dc6f75d778a82701a97fb
SHA256 eaa2fb691406d5b8e8b29d158749e09a470ea836764a9fc7795d581ae344b240
SHA512 10a742693cab8313d1dc8dcb4e516d5014b33d29bae479afa3098ae5fce7b6ed4b56bbfbfed253baecdf662e862220fca9b4e5cd71648342484cd0f6c767954b

C:\Users\Admin\AppData\Local\Temp\kAYk.exe

MD5 7fc2a6e9059482375939ab4d1e0b84bb
SHA1 64c802baf36e003ad083fe2b41e956d0a32ad9b2
SHA256 1a94d18748fdc13cb655a19fec1791c3fd65c2c056b137bc7e10ce991724bc89
SHA512 f91fa69e1418dff42d661c2f63214c56641bdaa8d1a7559f0d10d80f471f3298861de78ff9171de4d7c1a0b4c3a6de8cefc6ab31efabf5d3adadb152612755d1

C:\Users\Admin\AppData\Local\Temp\Wkka.exe

MD5 febc1e22b1075bebcbb51c567ca452f9
SHA1 3d825ab0380d4ed574956bbf9c1213aa1541324a
SHA256 8b0244961fb6dfa982ee29e2333c46f9b5627135d4cc55ffd7d3c96b6a925270
SHA512 c3f3b839ec20ecf1aff8a6929bb509f9bee92e666be66fcba5dd53cda9c971d72f67e134104f1884d72258d2f5c6adc67f293044dec2a343d75cd6b95ddd4fd0

C:\Users\Admin\AppData\Local\Temp\ocEu.exe

MD5 8e8194aa9b9770ad8859e36404865831
SHA1 72d7c99a8622782b06a2662518b1ea510bf9b617
SHA256 7a608eca7f7d4f4518b0469ecc820eb0cd2955c1486727c241f53e66f9138694
SHA512 01672f8967f140af4886802531880c2c2aba90f98231eaa925a30a12b402587f472fbf3203c7664c820042f0d344e0b34220651a58e98e25c9ab0405b81dd78b

C:\Users\Admin\AppData\Local\Temp\qEQk.exe

MD5 0de626068f6b4afb6e932d96121d5463
SHA1 963a8df7f49b9be37c8a943901b5628ebaa48c00
SHA256 45aa146c7821c177d00a1ef25d927d216bb9c7514f482e722507a26dd2de3b9a
SHA512 82524275c4f2296776d942525cd22feb52bf46c9094571ace12dc9d7a18bf1328e4b3eb295277c7e17dfe03edbadadeefaa49b9bfe3707fe3644c01b80c944d5

C:\Users\Admin\AppData\Local\Temp\UoEg.exe

MD5 d09159b12d24a169c0acb5ce1e82ec9f
SHA1 61d75a87f9d5229ece954f5a5b32b86ee3721e82
SHA256 30a264bca024f32440282537a01058e66a9c63a1961cf44cc461da261dc3b1bc
SHA512 331741db9aef830e579c57c406f45e355c9712f6d544d771508f78693d084631eb764f160e8c5b3447366a0f567db88346edbec599c75d2db20222f85e583ea9