Analysis Overview
SHA256
ed27064284abd999686d18a64681781876fbb716587f2e8ce70f862565dc4599
Threat Level: Known bad
The file JaffaCakes118_9339503bfbb68f6435a37e36057c137b was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (53) files with added filename extension
Renames multiple (79) files with added filename extension
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-01-08 07:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-08 07:33
Reported
2025-01-08 07:35
Platform
win7-20240903-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (53) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\qkUckksw\decAAIck.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\qkUckksw\decAAIck.exe | N/A |
| N/A | N/A | C:\ProgramData\niEwgwAQ\hiUYAsQk.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\decAAIck.exe = "C:\\Users\\Admin\\qkUckksw\\decAAIck.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hiUYAsQk.exe = "C:\\ProgramData\\niEwgwAQ\\hiUYAsQk.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\decAAIck.exe = "C:\\Users\\Admin\\qkUckksw\\decAAIck.exe" | C:\Users\Admin\qkUckksw\decAAIck.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hiUYAsQk.exe = "C:\\ProgramData\\niEwgwAQ\\hiUYAsQk.exe" | C:\ProgramData\niEwgwAQ\hiUYAsQk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\LCYUgQgM.exe = "C:\\Users\\Admin\\vUIosYgU\\LCYUgQgM.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rCwoQUsI.exe = "C:\\ProgramData\\jSUEcgEk\\rCwoQUsI.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\qkUckksw\decAAIck.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\vUIosYgU\LCYUgQgM.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\jSUEcgEk\rCwoQUsI.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\qkUckksw\decAAIck.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe"
C:\Users\Admin\qkUckksw\decAAIck.exe
"C:\Users\Admin\qkUckksw\decAAIck.exe"
C:\ProgramData\niEwgwAQ\hiUYAsQk.exe
"C:\ProgramData\niEwgwAQ\hiUYAsQk.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIQUMIMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQkcAscc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMAQMUgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DaYIIkQg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIwcEocw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kiEMoswE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsosIowQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSooEMow.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmoMMokw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcoEYUwg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fAUUEggo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HiYsEUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUQAUYsY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUQMssco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCcEAEQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCQwcUks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CyYsIwIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HqUkUEsg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaYgQYMs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSEwUIwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgYMAkkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OckgIkII.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GqwwYkcU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AiYocwQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GsUMcgkc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZyIgYwAY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWAQQYYU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BoMEowwk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mGEgQsYE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYoQAUcs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUEMQcIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCkcMMAs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMUAUsks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VKEwYwIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VIAEQEEM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwYsQQYc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pakAIcEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIIUMgMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKooEEUo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YOQgIYQA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YgcIcMIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TikkUgoo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqYwYsgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZcUcMEMU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\baIUMsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSkswgcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SaMYwQwY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgAwYEAg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SiEYscQM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rGQQMIMA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VoYMkwos.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQkYYEMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\boUsggco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYQMwIAk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEkYAIgM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQYQUcUA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aYEUkokw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gawMIEkY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYYwcMYI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nucgkEck.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuQsckos.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rsYgoswA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAUkowEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CawgoEkE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QisQgQoA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOEgMAQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sOwMssww.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCIoYsIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCkQMcog.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XosssYQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hsYsQcQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCYAcYMI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LewQgoIU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yoMYkgcM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MKYIoIUU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sCQQAcwU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\beQkkYIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\vUIosYgU\LCYUgQgM.exe
"C:\Users\Admin\vUIosYgU\LCYUgQgM.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 36
C:\ProgramData\jSUEcgEk\rCwoQUsI.exe
"C:\ProgramData\jSUEcgEk\rCwoQUsI.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 36
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dsgwgEAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKMYocoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCMEEggA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycIEAgwU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwgckIcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KqwAQEsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAEMgMEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JIgwMEAE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCsIQssg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rEYQcgYs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOswUcko.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\losUAIEU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gqoMYwIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIgsAAsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YOMUkkIk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwkMIsQk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqcckwEg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqwcMYEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgkgUIAU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fEIQAQwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ueQQoocM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEkIsEsk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OEcMscwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAksgMoA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NMcIogkg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWAgkcIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqcMcQAw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xWQAIMYg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yicUcgEA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQUEgAcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQUUcgAk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQAUUkUo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\buUkwAsA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\puogMkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PeooYMYk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dcswIIko.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SCsAQgYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQkwQUwY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ooocQUUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\USEcIIUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAIkocEE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkgwkAwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSwAMAsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGkgEAQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.180.14:80 | google.com | tcp |
| GB | 142.250.180.14:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/1260-0-0x0000000000400000-0x0000000000436000-memory.dmp
\Users\Admin\qkUckksw\decAAIck.exe
| MD5 | 4a5bf537dcb09e0d5aff9ddd510e14cd |
| SHA1 | 09430ea4f178ca551f430c877e3199bdfd56840c |
| SHA256 | c95ce65f2810d8e1b8dbfdc7924aa682bde6d7411df0ea614868dc2542709a5f |
| SHA512 | 0795b9be1247ea21f1f8845d3474414c2df07975b9b80840827baa2fadd3ae8a2a56e4df4d21fdd64cbef0620cc8aa1c5bd7db85327019d2aff634b84e14b3d1 |
memory/1260-12-0x00000000005B0000-0x00000000005E1000-memory.dmp
C:\ProgramData\niEwgwAQ\hiUYAsQk.exe
| MD5 | 9720e2520e845839b39d084950aebe97 |
| SHA1 | 7b083dea34b0a56daff40ea13fc046ef4e6d505d |
| SHA256 | 26b4167ae0f43ab5866e881994f6321a3dd4fa3d038e59a10bf199d820c36219 |
| SHA512 | f49fdbd9264b4f6e459cce84a2f733d91986fbbbb07cd0159bd798a194d61b4ac1972e4a4b807bec5e16508a60e772466368158cf07960945eb6972b23ef9f25 |
memory/1260-13-0x00000000005B0000-0x00000000005E1000-memory.dmp
memory/2520-31-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1260-29-0x00000000005B0000-0x00000000005E0000-memory.dmp
memory/1732-28-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZEwUIQgU.bat
| MD5 | 10b6ae39bd58ce3c7c88e45ba4897ede |
| SHA1 | 01a2d78374e2be622e157704bb488fa0c76bd705 |
| SHA256 | 5d6edff5cbd0c3644f3e80ee8b56709eb36cfa14f9e54ca0582876e877a05f27 |
| SHA512 | 9d1588cccb64a6f919884fc5a0fda14c1e8fb692124254b944bc658dd527f43abf23ff4a60cabcd68d82ab86ce33d797a79f3099cb22e02392ea8ffbfd6db3fa |
memory/2704-33-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2704-34-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1260-42-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LIQUMIMc.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
| MD5 | da2a3e52fb41d741eda2a8c6060447c2 |
| SHA1 | 5beb278a9da74a7fceb212f55676cead6727976e |
| SHA256 | a9a0f8fab82eeedc05fe5e22d42febd125145da26d8bf3283f5d8f1b6926b81b |
| SHA512 | a2c2eab0f6fa31bce31cc149e30c36d32aa6c2ccd998010fd4e7467baaf5628c69c20f660844c870174c165bc3da77e2bdebe2c72aee1336437ab4c6741eaafe |
C:\Users\Admin\AppData\Local\Temp\JGoAEAsE.bat
| MD5 | ce339da138966b54ed4a842070a32daa |
| SHA1 | 22ed7c9be269b66d4ddb8d22bb2833ac2dfbfde0 |
| SHA256 | e4f4875dbc3a7ae6a0793313ce5e7483e62f691d13fdd61b4ba70d56c2c1bafa |
| SHA512 | 37f8258abfe35afb2e2c48850a488433d1015a3faa859cb7e72cd9df057d296ed201bd00cb1ba4ab4ca003062a21719882b49184a2a7226c22f7996684f9e856 |
memory/2300-57-0x0000000000170000-0x00000000001A6000-memory.dmp
memory/2848-66-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zwkgYksc.bat
| MD5 | bf9fd243a97c4c14a4eb2655ce188454 |
| SHA1 | 7c2c3c2963ed5162898e11c52992d71901783ed8 |
| SHA256 | 771a6f86f768715015ae6da4b0f1266ba572c64902e01db8c78ae7d12fab4a4d |
| SHA512 | 49f022c5a69f29af1c235be656bc17853f9b4b385227716e729ccbefe1ad75ffab3c999ae9f4d0b3f52ead27f5c75e091f4c16a618155cb2f9968cfda6205264 |
memory/1776-80-0x0000000000400000-0x0000000000436000-memory.dmp
memory/928-79-0x0000000000160000-0x0000000000196000-memory.dmp
memory/2436-89-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jqcAcgsA.bat
| MD5 | 39d6c0b8827e9b44e45fff7c254e2686 |
| SHA1 | b9d5c1a70ad7858643096bd9d647324ed0509a00 |
| SHA256 | 4e170afa9c468707c98be136c64ee75c759b09b976548920329ce4f348e1b1f4 |
| SHA512 | d0b09b5de98a7d6715dcf331eddec5ccb9041687adb807f3be1f2e1bbf6d8169636e4dc91483285db19a57b7362e4ceb4bae3b102812c96a3156682e4118d04c |
memory/2984-102-0x0000000000370000-0x00000000003A6000-memory.dmp
memory/1776-111-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qoQgYIoI.bat
| MD5 | 794066569584c200732a4c5306af1343 |
| SHA1 | a53e2aecaed0abebd13e6501951d4e64e8f6c901 |
| SHA256 | 4d4fec6a3bad9129c25a851b30cdea00f5798d722cf8cd4ae0c7dae590df0724 |
| SHA512 | b154a2360637a5fc1cf0e0e770dcd6ed8be29faf21bde6b2e4c721227e9e9cc56cf16369f6733bf7c259c136590c949caae86a227212854e52e7a2d57da4125a |
memory/1684-124-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1500-133-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSgUYEUA.bat
| MD5 | b1c804dc29753aa76f9304bfc2fbc6f2 |
| SHA1 | ee42885515b3352b44bc78f917beb15b97ad1250 |
| SHA256 | 661431b6c7df393201ea319c72f5dd3f33f460b7b9928d5b3ae52a3b2de6f540 |
| SHA512 | 7a8c8a650864b9f0fe38f529bf83e41da1b14946ab5164d9b77fb819d2dfc41884dcf95f3a57c34228b66fb096388dd3191bad903668815da158debf206720c4 |
memory/1684-156-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aWgEYsAM.bat
| MD5 | 73a5f068ebfeb0a75f6a4e67bf845d74 |
| SHA1 | 52b8d6331483147e3ed845776883ec68f4fb05d6 |
| SHA256 | 0c4746cb282617e7c0dafac800ce546e07acecc45ff9a0c3188ed4ec189feec8 |
| SHA512 | a46ca4aed56de0324b4d2e426a6ad3dcac84ef0ebcc6c927d3f765b4e63e8cd520515f2f9d64be931f8abee0f83463b85e1520f5b5a53c78d5a6f699d5433267 |
memory/2752-169-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2820-170-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1848-179-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\seUYYYkM.bat
| MD5 | 152a5fa4ffbefd574ca297f27070ad1c |
| SHA1 | 4ce9ec72ada8e66c1cd8494519cea58c877d6e48 |
| SHA256 | f84c6a7abf3e50735bf3d0115fb210dcc938c2317ac60f071be1c7713031c1ed |
| SHA512 | da3b777ee9e95a84de625b4f5c5587759dc94b06d01aa4ab6b62df99307d6b980c76d837c1d38f948418559a001742f24cfdd0be977cb1ccab0005fb5f39d597 |
memory/1244-192-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2820-201-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fwMsIUsk.bat
| MD5 | 29acf4e3e0e1340170927acd09d9c486 |
| SHA1 | 824ba67306d878c733c359d663cfbbff2558098a |
| SHA256 | 0eee7180923b830935c70a55c739575148fc31346abded83092d4c258d7d0a64 |
| SHA512 | 0b0c47ea52e248fc6dfd2779f7c9634d17ef6132cd912fb0593141952c6ef0aebef37cfffc7df7eb4727f425b4000d238796cab988c82beba277d5d4a0f6d299 |
memory/2936-214-0x0000000000310000-0x0000000000346000-memory.dmp
memory/844-223-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hIEkcAkc.bat
| MD5 | 3d3d3bd1fe674f4c0e9c08fde0253191 |
| SHA1 | 78361f458c084dab0d1728d31bdfa61e31871bb0 |
| SHA256 | fe3ecf13567d8438e04cf496880434d1144908fd0aacc4d39f54c772442da695 |
| SHA512 | 8fb909a88fe9142d5464a5318153f637b8502fe753a721fe1978440807752b1c5f5d4c08a27a4120155a3715bf71864f646350023be666ea0a5f10b1d2d74680 |
memory/1080-236-0x00000000001E0000-0x0000000000216000-memory.dmp
memory/2904-245-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pAwkoggU.bat
| MD5 | 876d590eba326c7e86153331743f74b7 |
| SHA1 | ee9ba87e40d1c07787ce49491ada06745a6553e7 |
| SHA256 | 66e736af3263da793851bb0be1b70c247bc6d5a7a2b385b6bb2c958a0d024b2c |
| SHA512 | c85c491996e8c3b3b0e52d0224a36f667e8966cd2d8291f29d48a33a49172c519c7123ccc357561cf445a2249b6acf5d938e67b084dc214628357efc63b994b9 |
memory/648-260-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1044-269-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vmsookEs.bat
| MD5 | 03e912fd901e7496a39504f084d81667 |
| SHA1 | c9141e9ea9888cf17ad4107241ec330277171938 |
| SHA256 | 9dacef55afa900e0762120691ce0b2c9e1fcb8ab86c74c307d7f5ee58249eed3 |
| SHA512 | 52fe5a77f77d045d48c2d470935273e85a79541373ebb2f134ec2db568b057b6ef839f755a5a7add5f09724723b9bbf49d1865e0ad1e22758a22e6b402939dd8 |
memory/1780-290-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iOUwIMIU.bat
| MD5 | 885491fa35d996c41c496409dd25e214 |
| SHA1 | c5cb94e6f4f34daedf40ceeccf3376d816ce08f1 |
| SHA256 | 5ddb797c61f21e62698b3ddd51756423e135e0f2669ae0e022408a51bf6f3723 |
| SHA512 | 94c9f015672b8ef6a28a7393d8d03977e22505f6eb56a5fad6c9b4fabdf78d5f57e41d03e2b99a2bed2862c3f70fe6a8ac91553cfd33eabf96598b6aa5063bc6 |
memory/2792-303-0x0000000000160000-0x0000000000196000-memory.dmp
memory/2720-312-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kMsogcIw.bat
| MD5 | 00712540743e0d859c14719f15107f38 |
| SHA1 | 1ebb005044dd8673012e8548bd4d0dadd347ba20 |
| SHA256 | 4fa5763c94e6f6d72262f917ada5248da4f8fe1335a382fb07657e6aaca521d3 |
| SHA512 | 8734999b249fc937866bd44d4b560dacb306e5a176792d5d4e67b25b9a5c0f1480173798bd4b6f986f89c9243750f825c8c3168d2928b2ae5fcb25a0b26fe947 |
memory/1148-325-0x0000000000180000-0x00000000001B6000-memory.dmp
memory/1788-334-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qWUIUIIw.bat
| MD5 | b81c14f98769f450e82c6053f9933759 |
| SHA1 | 3f4a90abe71741bcd6989a017db695857b6bd0a1 |
| SHA256 | ce41a2f13ed885890e267a71e8f2b34e77fe74af853e9b7f0a30125cb9d4584c |
| SHA512 | 4265e0655708ff5529aa5385f7dab7b7bd344f7c9a66630c6dc1d2ca3529709e3d217351bc3b6f6e6db74bf6679f477f46b4342a57c0444e24f01536160bea11 |
memory/2980-347-0x00000000000F0000-0x0000000000126000-memory.dmp
memory/2500-358-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CMgIkEwY.bat
| MD5 | 56f171eecfb03f2a8e5bfc0694add906 |
| SHA1 | f81e58724f671911242f27b2f59a18b366295e7e |
| SHA256 | 6d9be84bcf574c6aa0ddba15c7f0a9277d4c88989e25db4fb1d9e0ddf2216834 |
| SHA512 | ef1bf26eba69cf3fa72eb760ad4b4f8c87233ae34be1626ac4377cd0e56d83275e279449f4d18fa1be62625959f3687a0c55f80982461af3a699b93ca9ae1e94 |
memory/1268-371-0x00000000001D0000-0x0000000000206000-memory.dmp
memory/2580-380-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kYYMowMk.bat
| MD5 | ed2e46d72cf9506c45da1238c9f2fbe2 |
| SHA1 | f8b6c0471d52bbb25e67a0911403557ed3fe9a5d |
| SHA256 | 821ca633360939aad6333ad1a74faebd27905f7d37f1b0cb1f810e17473c176c |
| SHA512 | b0afe7fe982acdffdf8e170325e3f0a081cd1d42b73171510ecbfd400a657311074ef08f8c33f6ff5ac6fc09124df2d45a041347571e436c4ddd042674ad08e8 |
memory/1488-394-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3016-393-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1536-403-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DqMAwIok.bat
| MD5 | 475724326953f94d14126f835e989b5f |
| SHA1 | 2d6dff58a1b80cd8f263407cd3233845cec3171d |
| SHA256 | 6148dcf86f8936f2e94c900f6b578cf7fb527f7c66739c5a12dfffb5bd43d62b |
| SHA512 | 57889bfc57abefd6c1acda8c744521dfa21601b028ddaf30b857dc4590a11301922a9e351c50f8cac80ebd7adc3acb0db94779d0ea9fba3a0ad7c475a708f382 |
memory/2728-416-0x0000000000160000-0x0000000000196000-memory.dmp
memory/1488-425-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xMckMksw.bat
| MD5 | 770c50c107e2e67f82c0434e49666972 |
| SHA1 | 977a409bb00bc503e577dd3b12de4d4f044a1396 |
| SHA256 | 94e55a8f01ffd5508fd84a2e4149a40ac4b1a28d272d2411808dd62dafba98eb |
| SHA512 | 754a65050967463cd005bc27d5bcf78425349c43d78a843be5af95e20a8b3d036614b71513e1e99f30851f52f4fea807eb6d105bbb8093e1a7ab05a7027939cd |
memory/2196-448-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hMcMEsIY.bat
| MD5 | d0351332b547371439938d17a099786d |
| SHA1 | 1309fc4ad562d1cb92e84b6caa93b0cca5d3a2f6 |
| SHA256 | 3c32548570663ccc721b74fa943ed92c7501d1f32efb86e7d467e2dd14744f80 |
| SHA512 | 94adea87c4ba9210330879231d810cf2075b0d53dcc9742d34d1a7de182a17cb889a0c1c20a7bafc65e999cd676a199bf4f3c52b35af3136de80d7640245a4a7 |
memory/2436-461-0x0000000000190000-0x00000000001C6000-memory.dmp
memory/2604-470-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZwYoksoM.bat
| MD5 | d842e87495056f24560c6323b6d3224c |
| SHA1 | deba1696e70c633a230f313554e256fbd6dace66 |
| SHA256 | 2a67c1367511424ccd00f897fbf580f72f3176cbcf9328d7d47f4b1cca10c9dc |
| SHA512 | b5f7f60d5a9e60a60639b0d1051561c7636244f03896697f916f4733ca999f2bdb970d7fd99cf556897de4b6ad3ca38ada609164e11ecb3f42b8f1491571c314 |
memory/1676-489-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SsUAosIw.bat
| MD5 | de4d80f654497a165dce0b9cae608927 |
| SHA1 | 7333b4384a7397747bb9afaea65746a58d033a8c |
| SHA256 | ed9991602fc2e0bb92a10378b830e51459e37818e33fd1ec9c3b364a393d6519 |
| SHA512 | 0a9ad5db44972fb009b018db25a3aed5d33a231aa829366b4e94810b3017bcb39628ca28f4e47d891aff99d99d1689f0a01b6b2f2581aae976376cf443630ccf |
memory/2772-499-0x0000000000260000-0x0000000000296000-memory.dmp
memory/1664-508-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qmcsYMwM.bat
| MD5 | a7ea77c0ff548774e15577e08e91ff0e |
| SHA1 | e62ef27ea31cb9268858581110e6317ad3b74cd6 |
| SHA256 | 327bcd866849b1b0220b0ab9b7b66a860ef9955e186ff7588c192e70a6dfb8a8 |
| SHA512 | 32f7ce04524288e497c756f163bc8427442b2844202b24ab90998be66fd6879e2b1e7dbe28b5270468f5836f136aa465e8553704baaf0f245c288ecc1c7eadf7 |
memory/2312-518-0x0000000000160000-0x0000000000196000-memory.dmp
memory/2216-529-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KOIoMIcA.bat
| MD5 | a4459d8766ede0306c7b0906a0aa2a5f |
| SHA1 | f18008bd5c97da3ee5bd9795b42a4c8487abb755 |
| SHA256 | f04fa5747e10e09537d191493710c7ddee1eb2f8150c797ef18859084eb3c910 |
| SHA512 | 451f3f2b879cede47b536510535b0e213aa3dd7fd9df44a5954946924e71775023de2dfcf6e9dd2f0070da84f0b5d0dea0b5deb3ea3ebaf3d93161b09e71c3ec |
memory/2724-539-0x0000000000210000-0x0000000000246000-memory.dmp
memory/2724-540-0x0000000000210000-0x0000000000246000-memory.dmp
memory/2452-549-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\swQwEUkQ.bat
| MD5 | 708daa3d335d7c9e73e8ece0ce938291 |
| SHA1 | f64168bd5f20d1bd8edea0df5bf4f6964fbc08cc |
| SHA256 | 1d8da51a6fc1e81c0544d0328cc832d4a3ad9133570677504cc96910243b17ab |
| SHA512 | efab8efb33c5cc35938c33ed275a5a49f62adb86e7136b88dbbea0930a75e7f3651ff5d343e0c89c110f54eed6ddba0c27e14fd980607a08b5502cd23745d22a |
memory/780-559-0x0000000000170000-0x00000000001A6000-memory.dmp
memory/2884-560-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1920-569-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BmckkgQU.bat
| MD5 | 4d94718be4c0be7ed7489938f8f7383e |
| SHA1 | 59cff2f83f0258e4842e2c76e07b8e57eeec83a2 |
| SHA256 | 1ca2cb77abf7f3231f70dd0e2d7b5214db5a721ac78cab8c9dc5710f078b17d3 |
| SHA512 | c9951ac77827ee04b2e5aee91c77d4aa4df4dbc9293093543cfc94eba04b9d234b48c4059f8459db0e28f063228cf95407a7b959a97f962966cd64a8c3ad276b |
memory/1720-579-0x0000000000260000-0x0000000000296000-memory.dmp
memory/2884-588-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JaAQIgwU.bat
| MD5 | a59eea2bdcb82dd35a6c96e5f776fb39 |
| SHA1 | d1e3a168b156d97ab2b57b851aa4a44d54d37590 |
| SHA256 | ce3267be0663d1ac9668c6ffcad0346db49f8011c9dfe5010c7e14d9f71e58a1 |
| SHA512 | 63898c6d622044a029e7582866c2a9d406a2ea46176d6b65f45f42dcc527c0dd2b3c501d4af6449d9fcf1d8438f90f741a2fc53a638138160503faa8fa56cda4 |
memory/1732-598-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1508-609-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fqcUYAME.bat
| MD5 | 98a47ec892907856426720f9e18eb95c |
| SHA1 | 59af547707917c381cf36c984632bfea7660eb41 |
| SHA256 | 0b63dc8aea6d32efcfcb01a381d1c03c900f0014212ad3f37493d625154beb1e |
| SHA512 | 26c2a22ca08d7a671f96a45b354c368768f0b7490b6403c5f089f72ba1b2a95398b9e53348faa9d85e1ae208149eaa16b1e158e63a61dcc71cf9572e75054040 |
memory/1796-627-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bUIwUsEw.bat
| MD5 | 66a0227a5afd750fe4f8b773d5ec6248 |
| SHA1 | 422ed23d9e28626486b6e42e4e102a47f4782411 |
| SHA256 | 73050f4ea3a9925b1fcb8f4a4d38bf047dcbd4bb0b4d374aa44941ab68cac702 |
| SHA512 | 0ea864fc1340716d4497e99f58f15fb12d50ed7f7ea2190f811cf9fde04e79ff3d562a9b3812242697915b7888cf1538745c4c83840b4502a4fdeaa11ca288cf |
memory/2772-638-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2520-637-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1248-647-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uaQsoAEI.bat
| MD5 | 4faf8ae210960afb1fb27203a4a261b4 |
| SHA1 | 09b201b079e07fd0e7f90e656fb00a88b5b4239b |
| SHA256 | d682083dd70df2a736923754826d39897ead48774f1ec877688d520621329087 |
| SHA512 | c2164c57ecb7b3b7ef261b3a765232b7eaa798f8b4d945be7ab533ef3abbf818b1025c15495557b4354711918d3b7e040cc8f7a18dff11c02618a97ffcb19609 |
memory/1036-657-0x0000000000170000-0x00000000001A6000-memory.dmp
memory/1288-666-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cEIu.exe
| MD5 | 82c6afdf48c1fc05ad8dcbfc71d96286 |
| SHA1 | 21fa93ef12a8580369e12255821407673f1f8265 |
| SHA256 | c1b76ce75752c4b588f6c35752bbc43c3d3e7d0291cef5222b09336b9981b439 |
| SHA512 | c777031b0f77817bb6c467955d9f3375881bee4bece1caccb874bb6d46ec50cab6bb1c41ddbbb005e8441cbecfa27ccb202a350e53c8ef24f8395039c6c22247 |
C:\Users\Admin\AppData\Local\Temp\iGcEMIsA.bat
| MD5 | 79a58b31d442c8692f7382d94eabb2c9 |
| SHA1 | f5fff6a4883e8a360b08c7b74369eb5ac654116d |
| SHA256 | 515c5d1a1db98bea9ebbc18fe95d26a4b91f1d16722c47e0327aeb2e325e49a0 |
| SHA512 | 8a9a57a276e67fd2f426e362e58a8baef9699f1e46a8ace723fd096950cc857384e0bd169aea8d6716443ddb86e8851e26e4f63103d8a08fd35d106b3a796f31 |
memory/3012-700-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UCQoQYwk.bat
| MD5 | 07acac17d4580ace76a409b7351783f7 |
| SHA1 | 358826da4b22348b276a02564ff3ad320fb9d6b8 |
| SHA256 | d8bc938f8c91d0d7913b5cb72ec0f9c60a7d31523ab2d6ab19da16ef1f2b5bd5 |
| SHA512 | 75b9fce841491788cd5790abc6deba7ae0b23fa529b133f337ce4d3f65b50d0df34d161c53a9c9ea3310ba4ca3b59e916dbef33634a8e510b60927373179b499 |
memory/1932-710-0x0000000000430000-0x0000000000466000-memory.dmp
memory/2604-719-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smwsQsIU.bat
| MD5 | 9b2119b7cd6e744effc94e0c40850463 |
| SHA1 | 0353d6e0c17e11d101209b815025c748b7478acc |
| SHA256 | f7fe2a1e3a98d0263e658a737078bc19ea03c9384443c6452d0c3fe7049a4cd6 |
| SHA512 | 643d2f5e08f0b5704856fec44accee99cfa340060a0f66bda23a57f1e77caa954ea82884c90955c1fc4dd136adbce227d6d5f4bd2cc78c2a258ad6e4b820cf98 |
memory/1864-729-0x0000000000270000-0x00000000002A6000-memory.dmp
memory/2372-738-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xIoIMIQA.bat
| MD5 | 41bd0c4057f92efe347745aa5a71ec0a |
| SHA1 | 146d6c3361c6976953a1b28b1bf1896c03cb54fc |
| SHA256 | 1a5115e4d18b576c6153011d4b59973c07e7855f7acdaaf1d56ff65d8b950392 |
| SHA512 | c18be0d2bd09ea0f721c1e5af840efe9908e02b85425840b48307354df7861cb96d49b7d45f2eb814953987975434e4cbe6637f928128aa331216dbaffe70bdc |
memory/2480-748-0x0000000000130000-0x0000000000166000-memory.dmp
memory/1096-757-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BmUUcIMs.bat
| MD5 | e0a972e5c4ae5b2b19089e88572fb2e1 |
| SHA1 | 929bed632b346274edf66ed947ad179ed3730518 |
| SHA256 | 948c3e43422e4b8a1edb813c198aa5ddd0cdf9e99d2bc506e1c9946b04eb847d |
| SHA512 | a6ba965dd5039ca6733313357ec19a4098b3d6eb6343f217dfa3f73acc10b456cebeb4141248ba49d51bbbb389ab8ba3aca75d8fc9ee5713152ccc4d907de436 |
memory/2852-777-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TYoAkocE.bat
| MD5 | 295b9ac41866bd3bdced10a21c87d5a3 |
| SHA1 | 2d3e87425cf0bc2f6124463e7de83595f4137884 |
| SHA256 | 15213baf6c1f890a0e52eca4280a35f8877748cebf717a0f40fc9efa1cc47e19 |
| SHA512 | bcb6dff8ef9945e07d905f2cdb058a2dd0e6bc6784b681d884a65f3b5a778775a9a747d6977dbe52170b53f2999cc3757578d20a2b42cb62731df04fbaa4c4c2 |
memory/1252-787-0x0000000000160000-0x0000000000196000-memory.dmp
memory/2536-796-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lYoEswkA.bat
| MD5 | ae5ae5e9c2ac729a6d97a58c5b3a140e |
| SHA1 | d62fea8e71d30a50c6391d75b340d5a324c7c150 |
| SHA256 | 11a6c0d80517bcd797d7e220cc0e961aee5c8aea116b0b724daf51867e17a945 |
| SHA512 | 76ded60fc21e3088ebecda93c50ca9c5474bf335c8d71d61e6e59650fbf70df954025771ed7d0acfd697b3578b237cc1ce40399f4c9fd7db358abafbc0342833 |
memory/2804-806-0x0000000000190000-0x00000000001C6000-memory.dmp
memory/1688-815-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CaQUYkIc.bat
| MD5 | 5804d9ae1e743dc6e6b09f9e0f4f2884 |
| SHA1 | a72fcdac42b9fde93fec828d5648c66cfecffcc6 |
| SHA256 | 0bb63ba52e0a34e36364d4d5d19a858392019e53c3a100046eb4c27bf3488a04 |
| SHA512 | cbf7fe42450cb0f33fbdd8d13c4edc9b79b1d95097e3b269010a72138e28393d865585f63eb29d20bd1a20fdbe1f92c5132de7be300626946229f61eec6fb642 |
memory/1744-825-0x0000000000180000-0x00000000001B6000-memory.dmp
memory/1792-834-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iSskwgoo.bat
| MD5 | 3c98211dc3a98bbc8aa27119704373f6 |
| SHA1 | f97a0f2fa20ad58446bb89fc316cb69eb23736b9 |
| SHA256 | 5129aa8413e5ed5fa6704975031167a778652ab4f17ecedb3aba6119d546358b |
| SHA512 | e0584680a9a31aa028f8f7a97ef11c22071b92f05d6479c1c98f22f8c0bdb41eb611888b16d4ebb106916aff796b140f879557756e278d70b5c727f9f58713ed |
memory/2372-844-0x0000000000810000-0x0000000000846000-memory.dmp
memory/1872-855-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qwIQAoMw.bat
| MD5 | 9efe8a9abeb8013f56b144294c317d95 |
| SHA1 | d970bd10095b7c42e63059e53f9976b2df4d285e |
| SHA256 | 8ad16fe8687c066c4eb5e39f04cca2652f1030f89924910a18646a4199c47ea6 |
| SHA512 | 383898089d01575d1727179a8b7c32df2bf01d33a7189e07daac6a1688540e5b1a94662051ccb16265601147987ccee581e13b7a8e85a797964d9f94bf9c8c3d |
memory/1060-865-0x0000000000160000-0x0000000000196000-memory.dmp
memory/1684-874-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OKssEIsA.bat
| MD5 | 1d5c15827c070a635eeed5a0ea181cb2 |
| SHA1 | e039cf73c75995cebd2bb3ae435edb265fd62842 |
| SHA256 | ca2ce19c42eeeb61f03952a256045dda9e71421720aa81168ea13f7e25b78b8d |
| SHA512 | 6da2609ffe8db94a6bfcb29207896e48f5ea1a9301cf155b5576c38d701bc2ed8bfd6dec279e02cde5ba275fee00de4c8ba1854b2db58d7deac69307550b47a7 |
memory/2312-884-0x0000000000150000-0x0000000000186000-memory.dmp
memory/1768-893-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fasQEIcE.bat
| MD5 | 596f16628f124c528ff6dace4214ed60 |
| SHA1 | 831dc4928914984155877035d5b347806991534c |
| SHA256 | 7c324e155d8ef32062de2ff7b149c3bec3cc6f65c6187c02c6336fab9b67b8fa |
| SHA512 | 1dbac1c6f3b1e31c8c5ab69fda791b3f68aac4cac734031640bab595734c18f6ffec432fc370becbefcbe188d2c0e3d2efa88a0adcfcb2892f94c82ee3caac1e |
memory/2496-904-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2780-903-0x0000000000120000-0x0000000000156000-memory.dmp
memory/3020-913-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nSUgQcoE.bat
| MD5 | 9ee928181cbeaefd106735ea9ec69e60 |
| SHA1 | b9f211234f878144ec545fb8e9e45fa7d13f03e7 |
| SHA256 | be827e7d7351fde08fcb55d19365af068482b8dde3d2015aaeeef9a37d7fba53 |
| SHA512 | 662e427fd23c33fd844fff0196e31a2b1c7ed91d2b74a35e521c024e9171a7f6d033a27de74aa10ec93fb6d141a59fb2257e84d846efbaf201c0b50c741e661a |
memory/264-923-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2496-934-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\twwMkcsQ.bat
| MD5 | 72540435588ed9921b4342554d385c82 |
| SHA1 | e3693d0b099e5367086f4d5e638aa6646a1fb0aa |
| SHA256 | 93d9a159ef6fa1d86307913547962185f634e285de6d282a1d514fd405d357fc |
| SHA512 | 93b2afa2dbf7eb8d32f59d273705eef71bdc40d574a457310d8055f11692356a441b7afe3b266fea466ec1c7881e645e1318f683377468ea08c9ee37d543ed4d |
memory/684-944-0x0000000000160000-0x0000000000196000-memory.dmp
memory/2976-953-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pywkwYQo.bat
| MD5 | 4a85f153843e10c0b72370593a399be3 |
| SHA1 | 3091a5a7366db71f863da0f4a061e3c109625570 |
| SHA256 | 4c9747554d372bd2b870e8e2f0267168e8fca314e32cdeb2e5d584d4cdb3cd00 |
| SHA512 | 2e6bc3a5ec1300604cc671f118e227b6ecdf2d708f3b40951a60589e3d8e2a72a1591e98f11f1b193b0b96d4c6f45cdfdf1c8df0a4f69ff7c5f09ee7c8b6f1b5 |
memory/1728-963-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WeokIgcc.bat
| MD5 | 267cf8ae594bc85ff5f73dd106b53f39 |
| SHA1 | bad2bed90531275a749a7c7ef564d12c5ff44267 |
| SHA256 | 44f4c76ad86529fb31b63f075e4dd69f904f0f5cffd41c45518c7231e53d78f0 |
| SHA512 | 93b1d3df64cc66948f3e78b5b290f19db70adaf84330369f52b60c0610c65b9b217cd8dbc39698b2d97392e22d7e5bc6e22e62f1ea44a7638d40e606eae5b163 |
C:\Users\Admin\AppData\Local\Temp\wWUcgwcE.bat
| MD5 | 03b5d4c683c8c65d15c92078ef3696cb |
| SHA1 | 8f87bd937609bc3c1a3faed433f0132bd7e4e445 |
| SHA256 | 164b827d22b02b2f32b4b75f99635338d008b904c330e5f4dd026913b14a4130 |
| SHA512 | 049a5688e15724101c40033dec74a8ffc3c161c93dde8e3f336a78d2741227703efc5d1b5e9f0d48b985b4d2ac5415b2f4d2456589c3246fe917314414d45a33 |
C:\Users\Admin\AppData\Local\Temp\CCUsooYA.bat
| MD5 | b3c7e14461e07cc4f73a625dd86a5442 |
| SHA1 | aae844fd4a4aeb9400d3101d7e328f735d8bd5ab |
| SHA256 | 6eeb10a0da806bbd85b4f1e3c8da7153023bb18f6c8b81621e7ea9446163feda |
| SHA512 | 77c3bd35c4b7e14072c05f0da0c220781f19fa606122b420c11de19f2d5d698f54016a744447251f722473a44fe3f7c32f2667aa30a9bf177d9c65227e6d7018 |
C:\Users\Admin\AppData\Local\Temp\aaIMwAAk.bat
| MD5 | d5e21f8f3d9c99fe3ef60c1c8cbc2f69 |
| SHA1 | fa130970a4f83d10a968816194047378da66fa9f |
| SHA256 | 9c7ec751b39811759bbdd69b8d56d5dc9c354fb0281b0045991532ca1474c08b |
| SHA512 | dcd7574a84388db702a0e4ef5f6ea9898dd1a97c4d3b6bfe18341d8559e0fc74be49c29ae01ccbaa2699dc34a64d7defd9b5a626c7eccd7db4720fd5fabeee55 |
C:\Users\Admin\AppData\Local\Temp\YqscUEQY.bat
| MD5 | de6c9d62a318c643c307a2f51aaa844a |
| SHA1 | ead1e4aee66aabbfb7356ff43a08fdf3fdac2fce |
| SHA256 | ab4e0f0751c0d2578493e8a0cfea3548e39a4e26a67e63d4b7afe338d23ff291 |
| SHA512 | d1c0e227818fea4083bd004078201f185befa25db46841889ae03a30b721644822a1bd6299e83d809bd94aa2e3a45eea3193fc2885b9f5f274a1ca735162527d |
C:\Users\Admin\AppData\Local\Temp\rIkIookA.bat
| MD5 | 1593452a8316a6d3f753af02ce619ff2 |
| SHA1 | 2499d1b25dec5b006202077fc70793e405234f2e |
| SHA256 | 0e9731a9eb75b5666e5094b65b19e88070b2fec1f172f315ca0b0e97367317c5 |
| SHA512 | 6eaa5f67d547f9ed45a2a87df483201b9df8d414488ed1210f55847cfb4363cd3885f8e46d66eb225f20f0f5a97ec583a8a6928af0bacf81d3e03b3a11393e42 |
C:\Users\Admin\AppData\Local\Temp\laIUkEww.bat
| MD5 | 6850123334c3a10285a87255a70b41b3 |
| SHA1 | 42c10da1d6304e52de3e09a28b018c29cdc68ea7 |
| SHA256 | f8caaf332c07c59444fec26ac0bb4f7a823d1ccfe6fa270b28e5ccab2d6218b3 |
| SHA512 | 774160cab7cad79e6aa66d1a6e69f54e6bdfb7a7792b556f1fcc6f058b540091486eceafea5f089d385689c918e07db63ce58d578e67e712956cc7cd63b57b26 |
C:\Users\Admin\AppData\Local\Temp\esca.exe
| MD5 | e5f68924668ec65561c5e974ad039501 |
| SHA1 | 4404c7af4c85ae56c9ff183246ab579d2c15b62d |
| SHA256 | cc55a3c311746554f5e4cdf2782bb45ee0874f57f117d50eba73f1fefe036da0 |
| SHA512 | 709965ff0b8efa1504461942d6daba47ec26f1f80c9b324ea84e77921ed3d594658c7bc2fff4b0acc579ffbbfc80dd419a45f4659dce49e484a924850bcad18b |
C:\Users\Admin\AppData\Local\Temp\lEYQAcIo.bat
| MD5 | 2cc337c24ef47cdd7aa7763f6f39d93d |
| SHA1 | e0654e1b96b10cb7ebf83883b1b38b64394ee38a |
| SHA256 | 258b0fc5d5c43e6fb59049450165b6093429f71f3d371ae1568338d368242065 |
| SHA512 | e6aee9d712a097757c9cc50f96268b6b793c0257136ec37c3e83fe39481bc8c2380482565b7af0a86db402abc941e3d21b66a5fb7005952adf11f92b16cfcd22 |
C:\Users\Admin\AppData\Local\Temp\aMsG.exe
| MD5 | 390a026838b3136227b75f028c36f859 |
| SHA1 | c65bca55059888ae43754f0435bc30030e6f0c90 |
| SHA256 | c909ef0ce5e6850a3f0b20e7739291eaddaa8979808023ee91550d3d21bc12a2 |
| SHA512 | 096f111fc1ed99ae9c92ae1dd263b7d9e9f148d3aadaf2ce5106f3fec49ece8f5e1ea4512fde966a6807dfc962e1c2269dfb043629ac9f6d0044264b8324a3a9 |
C:\Users\Admin\AppData\Local\Temp\moIo.exe
| MD5 | 3439c4eaafe892ceab7960d5dee343f5 |
| SHA1 | a6e39945a79615997a90b2fc09f1f7dee2918008 |
| SHA256 | 749473b8619a03cfc68238a77dabcbdc486a812c2f6d17b1fad9bec7d4b9143e |
| SHA512 | 91740ed2ce3b7bf0059f938c34b32e799dc06401c643ab836912e789f85d66f7741ce67e85d88b3835c99be757b00037fc04f4b4dbf75909ea1770e58ec2ec0e |
C:\Users\Admin\AppData\Local\Temp\IMUi.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\WMkI.exe
| MD5 | db86f4ffc9b42e3c1816027efb4f1579 |
| SHA1 | 702a5ce1969950289c51f4e3bdd1e14cfbe9347f |
| SHA256 | 2abf92bf4cb4e5ca894932dfdf1dbecc801ef46dde0bb97d549733b91a071096 |
| SHA512 | db70beb93ed437b48d38d0ada43f0ee468ee8ec2914adbd46dcabb7183cbc7220137fdaea604afacb190c6ff37843caadc04ada8edd9ae2ba23d17f68ed6853b |
C:\Users\Admin\AppData\Local\Temp\hUkQYoQE.bat
| MD5 | fabfb38b6e16cd45d36e8560a4d8d653 |
| SHA1 | 9ae8b5f19e900f746d10dda3f8c0f3bb0a478b34 |
| SHA256 | 96a9f64adf8c49ee166b570485218b75b2e8cb46cb18cbf14d71248a1c530f8c |
| SHA512 | 5c03183940a6008a64d10da18fd2340a9d0958ada126bd1bc116d860a6d95d2f0d9e5efcfbf0ca2af96f52014e5ce00a14deb7a246a5ee3e446df2ea2b0be706 |
C:\Users\Admin\AppData\Local\Temp\osAE.exe
| MD5 | 518cd1544fc21889460953426f0a23d2 |
| SHA1 | 51049ad409a7268079cc2e569973188b91a2e763 |
| SHA256 | ffadb731d6c917f32a2973c01a8b005f6f3ea3e4913c09441399a3ff64a37289 |
| SHA512 | 9333a94cd58c6c4d7a600b515cbe2dc8d98da844df4eb42ff5ffaadfcc554c0672ed0ec9da2774c79210b8a880e6d07c5bf26b8ee15931046c5cdffcf9ff38b0 |
C:\Users\Admin\AppData\Local\Temp\uoUI.exe
| MD5 | 59430cfb64fd968ec644b90066802a55 |
| SHA1 | 08f0b06639373a5c3b38519868a6b37595bd12f8 |
| SHA256 | 40eff092b48fa7daa4ba733cc9ce40ac9f923de26b2a1bbe78aaa37662ea9eb3 |
| SHA512 | 96e4105205563a49f56bcfda7487680276664ec6cd7856b2eac6b7993455366068dfa555cebb9499f45694f68ebeed2a49c857bb48b92af5baf64a4e11d74587 |
C:\Users\Admin\AppData\Local\Temp\kwoI.exe
| MD5 | 8af20fcaa70fc4a8a386b6e8e7926d7b |
| SHA1 | e48bea0aad39eed24bf444a0be33012857032f22 |
| SHA256 | e03758b4db21db0e573c5260487f5bbea0f81a83cfa9e84ea11b49e0ecbaed35 |
| SHA512 | 9798cd5f45f849159823086c358fe4cadc673cfe4edff17d4aaaaf68d9afa986b6b3a80fb11322171038906b9ada24e6e0f5b08eb52ab18ef934423bed3a0802 |
C:\Users\Admin\AppData\Local\Temp\IgcI.exe
| MD5 | 66af8f4853f3be558ba3112660c7cfe9 |
| SHA1 | 18fb4017747150a7406654ca5f3840d61ec3c867 |
| SHA256 | 898c072fdca580824a05971167f3459eec71600188a6cde2795c941c0a583388 |
| SHA512 | 9a713ec6efa28fdc979005c91186dcd50150496f174756e637ea1d72b5f48fa0a5be539099d664344e052894c65d9c301fb273d87a21a6ac7a04d3b898f365ad |
C:\Users\Admin\AppData\Local\Temp\KckQ.exe
| MD5 | 2b7710d3e07bb5bf6b1fd4b64ce17c00 |
| SHA1 | b3594ad34dae62034b7820a213dd16ee0ba50787 |
| SHA256 | bd9d923496c07cc9d89096da8f66500df25c6c3c867275e532eae72418b2b999 |
| SHA512 | aad2138078add5efdd25c092074e6ede3c5979b4e21e5da28495d3237ba501803b16007f6477a5d1cf6034ec910c4ca807c76d2eabd72aba846d56511dfb6653 |
C:\Users\Admin\AppData\Local\Temp\wwsW.exe
| MD5 | 41fffbcd568c0ea57c00d006f5d6edc5 |
| SHA1 | b70836896843cdfc9ca186edac5450840ecd2d17 |
| SHA256 | 7ec8dc260e1c37d9a5976c3afed6e50250cdb6e7e80a5a57d8afc186e0cb59c9 |
| SHA512 | 34d13c883ecbdff6e1e4800503fd4cafc985f3764d5986f61ae089352e35a98df93d75a59136fdcfcce161983b69469fc2cf9edc42416ff47e04d6ef91666339 |
C:\Users\Admin\AppData\Local\Temp\lQsAMYko.bat
| MD5 | 81f555c55e9fa36d3ae652535013a171 |
| SHA1 | e844d0c17bc457e25c6e14402915de67e662924f |
| SHA256 | 7a1c7903d2f7d98e65569a025b6ddfc04105fa6caa95953fcf11e6f986eae22d |
| SHA512 | 3b0d0fe0afa32e9d5c57c53d94b8f36ebc355481af3b23c9b903640a38908af989715851dd69c6cc07e5a0a7f6c28759dbcf29ca5345df2ffc3d0a2c4e4b0c78 |
C:\Users\Admin\AppData\Local\Temp\gQsu.exe
| MD5 | 43656c695f5870860dde3e2d4e0103b4 |
| SHA1 | c209e41af44da7e5465e38f05757143522df8758 |
| SHA256 | b9124a6ded083dcd7c0b5d63ef9c61770d79e194a28ac85a54eecdf3601fe2ff |
| SHA512 | ead9363f27701f0fd3a284370af641315bd76b8c42be9be4dfb309032a6c6c0113a71e1f973cd2f6f7fd0689d344ea3d4bd985c32854fbad0b8ae1d5145397a0 |
C:\Users\Admin\AppData\Local\Temp\McAI.exe
| MD5 | d70ec21bdd226b34e081afb6d08e87b9 |
| SHA1 | 35bca489712ba7abf12f5059b4ab515bf69af092 |
| SHA256 | 80aa0249593f55bca62059bfa8791b4fde88b96b3204c53950e6ed2e53f6830e |
| SHA512 | 0e4e2b7217a07561a6c871dc31971a8ea6bd0934ede2605ff293c13fb30053f44079d4e33ef9459d2ddec3c9fc7722dbc43a0840d94b9a984784b2faab5021f2 |
C:\Users\Admin\AppData\Local\Temp\ikYG.exe
| MD5 | a9f59ef765696024c55ca92db0c9950d |
| SHA1 | 1e0d1da4f2cb52b7c76856e999177441a5e4700b |
| SHA256 | 2b0951f68a8c22f3db11586e6379e45615d9d44b856cfdb557fbca2c60107411 |
| SHA512 | b1f9ae43b39b2d82667b567729a8dd0ccaf1448bc4153e0d4e59bed25486bddaa4f98fa58ac287eb50a4d6fa48dc037323ebb88838c584e45ac8e5566f5c50d3 |
C:\Users\Admin\AppData\Local\Temp\eIYE.exe
| MD5 | c8651033af3bf7273daf785e02431422 |
| SHA1 | a7cc7b6b954bdfd527781a8cc7a8e0d58143229b |
| SHA256 | c7d7a11a5a2faf98dd86b23c4e5c014dce0d4b8ca442887556a3f9596e09bce0 |
| SHA512 | 8dc03d76c00ada23aca01f7a194a28d7ccdea70915af60b8b6dc2786d8f1811233e19bd200015d705438632ae1076897abedbdaebc2370755e4970042dcce82e |
C:\Users\Admin\AppData\Local\Temp\EkQE.exe
| MD5 | 4b52dfecc5f5a4a471e2ee4ac8d4196a |
| SHA1 | 15fb7e388ffd43a5cd06a559bb6711f22bfad58e |
| SHA256 | ecea445dbcce560c4ae6043d31da2a80f5f2067a34a13d282f6ca30605f8f17b |
| SHA512 | 7d6cc35dbc1b4033c07bf8150bbd1da5d1eab7aa41728d905633e2b8177fd70db84f091f1622ed9f686515e1cbcc0b9e56df26bdd3ec2dfe4c1054f725f47705 |
C:\Users\Admin\AppData\Local\Temp\QccS.exe
| MD5 | 183e0d8478bf2de032da279713d10ab2 |
| SHA1 | 4ad729adb94b5ff82f9371a05e6d8b526c3b4735 |
| SHA256 | a2b3102b828be800cc48ab8145e031e8c453aa5acd1e0fc92b97bad100053adf |
| SHA512 | af42b538054b34a8e0ae45123616cf2063a38930d81e004745ba6dd10ce419a6c9972d5fee87cc23a2be7ceccfd1cd648a66596828785253eaddb21c4a7530a9 |
C:\Users\Admin\AppData\Local\Temp\cMsIkIsg.bat
| MD5 | 1dd86e27de9e6225855a20eb1fa6bfbb |
| SHA1 | c02980337b5fd2c10aaa87e1d25cbff0329e9c7e |
| SHA256 | 536c0fda6f5281638517a9bf6edfec43634883d5bde9a0f4bf0e212f3336ec04 |
| SHA512 | ccf6e7e5039b84b4845a7fe79e456285f9a94e4d5fc518f98925fae30456e1c253e5ab24391d1ee5851ec85c20ad8b65e8c8614318040d4b74d5a13ee85474ee |
C:\Users\Admin\AppData\Local\Temp\acwc.exe
| MD5 | 3805a2f0285acfe4b413932c3e0cfd20 |
| SHA1 | 41e36f5bf7fd5b266e62410a4d840abd8180051f |
| SHA256 | c492b76a7206eacb08e5a5627f57cd486f6a327f751be2f01cc733ec871ef89a |
| SHA512 | 84d7175a7243b96136a01f80d0c91897ad2047d4f2d3c4ff6346cbee69243a99b817fe21d5bd58f9f8e1b6e4b9ee00141b1809f50585ace609a74c2d53b9cdf0 |
C:\Users\Admin\AppData\Local\Temp\KYkS.exe
| MD5 | 100a43aa04f127c46d46dc74fd0c89c1 |
| SHA1 | c3068bc7e1803eaae67f4e843f62461439f0fd2a |
| SHA256 | df5d801da15ec1f10a28cdecae8a5d3bbf5b28ed9050381f47499ada9d4d526f |
| SHA512 | 925e7b48c25b659319bbdbb8b2caab77d6141aafe9a882b756fa70d0e5096553091fad56a1c9e9f156d74c109910e72d8a291b7690d4f5f33ad09f8c42130130 |
C:\Users\Admin\AppData\Local\Temp\sEMM.exe
| MD5 | 75ff292dab335bb906f14a324fd7d0df |
| SHA1 | e181a0acd975a8f3056526a737040a79b7338583 |
| SHA256 | b4c44fa1235be16cf97d50443dfd9a95a198387afce3b5c8a621c31c6b0bbd54 |
| SHA512 | ec08bd688eb376d044c63e9d4a162036a754d97db00d71de848068a95d98962860480cd7aa19999d6fad151dba33d7007d12f16c0476b3a65e54cd90c6dc1407 |
C:\Users\Admin\AppData\Local\Temp\Eksa.exe
| MD5 | 768238c50dfe61af378e6400eb6e33df |
| SHA1 | 9e4ddd7d8e9f1807a21dcea487977b179bdfd9af |
| SHA256 | 597c405e1c578711f0fc89ee05a244003728ee656a7842867abecede0e190ae8 |
| SHA512 | 15262a00bb5c11fd3074ace607882ce8b59272d3158d4d67fa567ba6c4a926d512626f6b0d211eee6b76517a6f19fad56028ce7079cfd7537701e30c75d9de76 |
C:\Users\Admin\AppData\Local\Temp\WcYE.exe
| MD5 | c4b941e614e8bd0959dedbb0598a109d |
| SHA1 | 5f337ade296a4308ac12d48f06890beb7332bae1 |
| SHA256 | 05c1bdd6ada507e32fffdfa7565efa2895f08a2a3b3f12fb05d1c77c964838ee |
| SHA512 | 5488083e5f40f2b3ed94d0e47af2e8507e084e2f4e76cce165105a56f80c2ad98a4b89dad94ba4bbb57c59f051d0ccef7328b5f7fd581421fed55a33d4726879 |
C:\Users\Admin\AppData\Local\Temp\EQQG.exe
| MD5 | bfa66b0ac4f87e3aff9d3879d72e7453 |
| SHA1 | 2317238def1d290219d54a173dd19a9a393ac694 |
| SHA256 | 7a853c9767ce800276f8923fac093e03c08281b6f75bfddade5774f3c3d389a7 |
| SHA512 | 25d047815ccb8c1f4aba45afc693f074c00b54fe6cfa7d3df6c01edfb1c76ec90c91e3168053d365721a374c8c96cb9227ab01c3388172c21caab2202e32d5e0 |
C:\Users\Admin\AppData\Local\Temp\sKEcMMwo.bat
| MD5 | 2eedd94e8eaf0b20e437c5a1652bf2e4 |
| SHA1 | fe021c4caf693529939a1b4b479bcd97bf812a77 |
| SHA256 | 4f37a5ce9bacffd4709fdb117d897a1de37d741bebf36568df8e09d8e2dce4ba |
| SHA512 | f7fb4417834c12ed33c0abc63d1a03ce683e5308f90394050f5880e548f09d1009e57165c2cab4cccc24612a7d32afc719da6fa8733c57fe0b4e710b65a0eeff |
C:\Users\Admin\AppData\Local\Temp\AoMM.exe
| MD5 | 71f54498eadccf61f3fd3e75c92466aa |
| SHA1 | 45e1ee6aa0606398d7190c00ef8d7890e2cbdee5 |
| SHA256 | 9db0f6cc786d446bae680f5c5272a02cb44d5ce82e9c6e7b2300cec337218214 |
| SHA512 | bcd747556d3bb33332907b778b8f3e8f965c7fe1d2f3383713d6450289a6982037eacebbcacc0317d01b2e87264de3215817a747e6aea85355f8d68650c8e485 |
C:\Users\Admin\AppData\Local\Temp\IwgA.exe
| MD5 | 589b1fce0caf00f9252c48ae0fadc008 |
| SHA1 | 3d38b3bd7fff787510a4f714c373cced1e3a06d8 |
| SHA256 | 95c41210e8fd9d1be1da561a420663aca8a04275ef8545761898a291e8a2e35a |
| SHA512 | 17dbab886064384ead3f7477569d315f99e031ff5514ccc85745a01dedef4a0f716054af171a2f50605571af80471de90d764dd53274bb6f85607c0ebe6fef90 |
C:\Users\Admin\AppData\Local\Temp\AAIe.exe
| MD5 | 9b78518332d9c36c70a2cf696da8cc61 |
| SHA1 | 26b0be301904fe1644c6975adaada3164a358511 |
| SHA256 | e3bcad4b582d716652290ee76f444215f22fc8af1b401f0c7a042ebae10c8a40 |
| SHA512 | df5b46ab0c1d97ed5faf02ed681c8c4689fc786647b6ebb9992ebdd6316d1b926e526bea9ed62d41450140dcd91d9c2dbf357196e2ba8c8b3fed2ce9f6a087a1 |
C:\Users\Admin\AppData\Local\Temp\mMYY.exe
| MD5 | 1e78ab1677a349408d88caf739c6401d |
| SHA1 | 1feae890d43203d0822cda94196d1c1641603a53 |
| SHA256 | b86a9e9c6522d170696584a63bb7374de92c38072f7d406685daf1081216144f |
| SHA512 | f44c29d4a7a2449469e52f6fd173850e0965164afc0a4c6cbb305a31d474b6b572e66d2dea02658689c9ea21733087e3836b3afa77dd4278d9adddee06b4f4da |
C:\Users\Admin\AppData\Local\Temp\MYQg.exe
| MD5 | b836788c3862d7d83020a9b1a5720abc |
| SHA1 | d7e7b1b6f8a9f3f8566a61fd6e82d249dadf0029 |
| SHA256 | 27b0c68f42c9278796b7a65358cd95548f28893d65f508ae99a8b1cd5c5aca63 |
| SHA512 | 15ce260b821d2f7fd88076967f12ddcd96d96927aa26a1d57964916ca3a04cf7d4cd9ee38b931a9f6d313d68614f30d78a55c0ca9e11233482df600c58b15093 |
C:\Users\Admin\AppData\Local\Temp\wwcg.exe
| MD5 | bf0b04261033e939d154ee4db114f5e0 |
| SHA1 | 56235d3602ae6dc62e5cdeff2af29b6a117e3c4b |
| SHA256 | 3de4a3360fd17132ee521b69751fa78f34eb389254f18efe2d5279b731fac25b |
| SHA512 | 3078aae9e6d91c68597e9d002e38468379282f744e93b41b1c1524dc1ed249dfdb8d10f7ca8bde2ad9b9bae6efd9d1638ec5a5975f9184077784262ae8553cbf |
C:\Users\Admin\AppData\Local\Temp\mAIS.exe
| MD5 | 463c5fe79f3cf2c7a8e944ffad9531c7 |
| SHA1 | c76ddd4ffd9205b549d6cf599c2f31291491e669 |
| SHA256 | fbdbb7e3367bd8a8d06c371573e35f14d6de5961cf30f388f852af08a084ffbe |
| SHA512 | 1aac26b93cc9f823f0acf9416e7b89c869ad4c4ed82b50cecebdae0bdd06e30b6a2c33478874057626adb43a6ccd776ee97efca98621f05179c6e1c5b2caecdb |
C:\Users\Admin\AppData\Local\Temp\UQkcAEYY.bat
| MD5 | 0504bcc65c16212af9bd478af9cbc533 |
| SHA1 | eadb0543fd18667bede0f13b3457b509f3d678f6 |
| SHA256 | 6d7584dc225e098624d0fb4f8bf782bdba1199d12a21ea25aec4d9ca467b5a9c |
| SHA512 | 2e72f8ad2ab79af727352947a01863ca1213953aeae26bce74962a7ca775f92cf0cbe5e0fbd24ceac18df18f2246da9f20f665bb0ad9b6b94ff82405ef24a867 |
C:\Users\Admin\AppData\Local\Temp\EEoc.exe
| MD5 | 6ec7d43fe2fd388e07dd50faec15d55d |
| SHA1 | c6974f3ab0ac29352adf593fe2eae07524f42e21 |
| SHA256 | a73c5a820b30dc2bdc9a1eec1dcb18704ce7e2bffa615f578bdf5cd004d57fd3 |
| SHA512 | 14f5db1ab374d455e4944a552dcb17d82d70efcbc03536222c0576589b56f4fa3b3b6762cf6c38176cc5d5143cc0c19a34c8212a7cda176d04ff8f0f065e6ae2 |
C:\Users\Admin\AppData\Local\Temp\UAwU.exe
| MD5 | 7a9af08d11a560ca5dd57977bfdacf81 |
| SHA1 | 9514189c5d8620e517efa9f1c9a34223d9f05641 |
| SHA256 | 2dd35191383dbe7f61d1433406b543cea0692a2637a2bd90b9de37dcb13d449f |
| SHA512 | 9d8c2f22c151394b442f8caf130d29b0d580b481f47eea5f9d861344e9b062a060894cce09d4532ae0b00182c4407dc9403b5fa6509f4b717802f2405a8d3497 |
C:\Users\Admin\AppData\Local\Temp\qsco.exe
| MD5 | a26725fdbf682c9a5ba1b443d8d17071 |
| SHA1 | 32b9bcd3c11517cbbf9693354bb375f25045375c |
| SHA256 | dc39849aae9cf964ec97dcf9fbda59c576e5f4a443a1b6566db0c3653a2a778c |
| SHA512 | 04a807d24d6ffefeede30841b7bb5ea38aab890eb704b9b6705f17d2536b1dfa8c0541a67fa34eba7cec33b477023982df26a5407f53b1342a685c21546151d7 |
C:\Users\Admin\AppData\Local\Temp\WcwY.exe
| MD5 | 112094eb4171f1fe1d2655bfa4dd0dd1 |
| SHA1 | 9f37d80c65d6c004066d9fccf178ee53da3d9a57 |
| SHA256 | 33b1d0b6e5c5dfd678838c4ac47e7054b9711ff8d73554a3aa10716fa4a0ee69 |
| SHA512 | a362885c8d8528e60892b17b8bf8b12b27c5cf78f47e4e04fc577a48e4a5a9d9e880dd31f96cf904d3a45a93a027dd2dbaea3e804ff5baf144f16419e54f8752 |
C:\Users\Admin\AppData\Local\Temp\IsYW.exe
| MD5 | 4ef2ea041a0cce794d5eac4f953a8000 |
| SHA1 | f0dcea0b5fcfecb6f83a2400f9928a132acfb90c |
| SHA256 | 398ea47a23a6c6c0b4ad69720f33c7e80462d90163eb924da5f53a6d8300736e |
| SHA512 | b39de0c9ed535f45bc3f4cd8334cbf1066a6d1b848983185720acc889fd1ff0b6ad08f4625b5c2056ed1ef8fabad6d30e1bbd80cb1df174d8ab3188357c212f7 |
C:\Users\Admin\AppData\Local\Temp\owYK.exe
| MD5 | 9ac417cd41be3bfc7703bd9efd0b819f |
| SHA1 | c3b4e9f555228c638d8a1860617878aad6949181 |
| SHA256 | 1862819b2ff757999f060d1274ff426e03b2a574fd6a017a1ff0448ef3799300 |
| SHA512 | 8574caf794ce4551a431b4fe827c0c643cd86377f38564b512f49a4c39ff4556bf295e1a225e064227144aeae185b19163d5319a50a1a95262776ac1f2aa206e |
C:\Users\Admin\AppData\Local\Temp\gWwgQcMk.bat
| MD5 | 79e917dee97279476ac4bf3661dfaeab |
| SHA1 | e829463abf1f2b38383001706ac62d721b49ddc5 |
| SHA256 | 37ccd4cf5390f1a9078990b1065d1ebbaa8b26e4e288155053f2302ccd7472d7 |
| SHA512 | b9c5170fff3538a3862dbfcb568271a1d154fe5d02f648a86d8d8af293ef9b27a05da7edfa36c5bd771837355c6cf5d6395bcbbdd591c207935141641a73c1a8 |
C:\Users\Admin\AppData\Local\Temp\SwYq.exe
| MD5 | 23421c1f59e0c5ef37be6d286fa90af9 |
| SHA1 | baead67a81599ef322fc6cf8f1914b535073f661 |
| SHA256 | 7ac02f3433e287ef1fc7b5133c94014cbef753a9e9d3303d7eb64289429cd950 |
| SHA512 | cbec251115c268349b44d64a2d35b099bb7eb83267334685fbc63b5491a89df72beb8a8093dbf102f001c3af5eaa204a765c58d46d47276151de634897365bba |
C:\Users\Admin\AppData\Local\Temp\WEgw.exe
| MD5 | b8d6caf2709008eea81f69f9fe59cefd |
| SHA1 | 822ad5aa3d960c028d91a149199ef8f51792bda2 |
| SHA256 | 73f5d91144c5bea1f0d2cc160c6bf82d3ffde91c034ca58818e593060f2101e4 |
| SHA512 | 2f77b00a568436a4b9feffe230459372548a2cc999e31aa2dcbe9b3105210c06136fbf83813e49ccecd7da42782f83684cfd7e9c612422296ffc4bcf389a0067 |
C:\Users\Admin\AppData\Local\Temp\KEME.exe
| MD5 | 990cc6ecc01e3da7995465e7ce64c722 |
| SHA1 | 0c45c9f0ec94bff55201a1952d2e5e7479e28de7 |
| SHA256 | 75434bf3104f5fcc628d43a7807fbea19fdd9ca55d79fd2b16d712ae3815e5c8 |
| SHA512 | ffbf45906b0e84f7ee29412691a7cc1184cf5e610802c2929f8d735687c30d1612346bee164937e43ccf5f16abb32fd71e569cc7097bb43aa29a0a6eeb02a655 |
C:\Users\Admin\AppData\Local\Temp\kUsE.exe
| MD5 | 3ea21b564cee307ff1cfa062cc3595f6 |
| SHA1 | 0de57819813a94ef33155f5f06b916d67ccc6917 |
| SHA256 | 1c8cdeed30481ee601812cb0489e626f0e0def3637f5394a657aa13f30c17786 |
| SHA512 | d1ad1c1e6761c6cef83500b154e7f3c0d99ed1819a239a4da3915b88cdef071fe537699cdd8e8cfb1f7dfb8b4aed4dba404d9be45645719f4760901c53573f4e |
C:\Users\Admin\AppData\Local\Temp\wkYk.exe
| MD5 | ec31e219f4d75f3c7a2f500a72533305 |
| SHA1 | 3288751a8f60991d532f0bf43050c9c22c60d686 |
| SHA256 | cce40d274f42cf5c3c6ea9156488d2eae74017a89a1329f9865d25de0f920777 |
| SHA512 | cb933a2e0a33677abf828098d3af9b5b3760aa059fd2dc70f256c7f6b48a7dfe178046fe7904a88c33decffb17e9a88eabb7543f650f0751264704cad9de4d6b |
C:\Users\Admin\AppData\Local\Temp\pAsgIsoI.bat
| MD5 | 4d1d2ffdcbc68798d28fa05a92b6c4e9 |
| SHA1 | 691d2a39c0cf72e72775a58e2415c7432ce25079 |
| SHA256 | c4ebc2191a6687433c1ab49975d05e33b8220c923d5f2f5028679c51bd766fbe |
| SHA512 | 6d720592c9815a8271d19fd962eb8d7520849fe269ae92ef1ce487f44d4146fe6566a9f21c7ec79f289ec68722fa3665277a64938b7073d03f88bf1d5970c7b9 |
C:\Users\Admin\AppData\Local\Temp\OggY.exe
| MD5 | edcaab92ef5746f75dd70f2de5b63955 |
| SHA1 | 5832a4323d9609654a5e9a5c327f8c12f0598a02 |
| SHA256 | 9da0fc5efa5d7222c1fb06657d6d9628e8216581c7e0ec28fd4cf7b2322b79bd |
| SHA512 | 02ac9688ddb2d5f018429ae4e53a2d9cec0bb25b235ed8ca531975e7226c265d7f34542f9278ce8308928f8aed29d8ffe540ccf82abb85f338de3a44e6a5eb09 |
C:\Users\Admin\AppData\Local\Temp\SMUu.exe
| MD5 | f2bbb26719b24cbf0ccfe63350949a4c |
| SHA1 | b935bb056d5e7d63a9944779b4ef0c1228b01be5 |
| SHA256 | c822770dc1d045a50f02f2adcd389b80db3ddd618233a36a01983da2cb12c5c1 |
| SHA512 | e021d443b4011842277d85743fdf198a69e52c5644eae6e11f73f5d4a6223a3cf7c43b88a2e1b7dbc491293a1e5628ed7d52667cfd4f686399e8b1d1c2a4f3b5 |
C:\Users\Admin\AppData\Local\Temp\MkkO.exe
| MD5 | a833999310d144a71bc7e90dcd3c395d |
| SHA1 | 6201f7402f173a238d5fee22a5b4b0203184aba6 |
| SHA256 | 46a56daee52467f8376dca69247ce27ebfcc123fc9c0e881aa96622d802be15e |
| SHA512 | 9813d3e0c9845eb0795890a92385bcb4d364e32e9d97f94abfc8e27e4d6710bbc79a8cd15c87b59d3f278c671747a71a697556609fa79a1b69bbd7d4f97043f4 |
C:\Users\Admin\AppData\Local\Temp\YYMo.exe
| MD5 | 622c35457ae3735b333dbbc42730e59f |
| SHA1 | 24382daed56ccaebeea48501a94f54526cbf0e78 |
| SHA256 | e7e6baa0a1cc19bd474d050505325e13d4a0875cf6bf588d4276348f912745f7 |
| SHA512 | 4d0ebb41cce2f359445330483243e8aeb0bc3e8c4dff4f28236627077bceb665d010275ef1654bcbae25ac1b72e3e2329d881f5790f934a3087ad91592b03992 |
C:\Users\Admin\AppData\Local\Temp\UMAa.exe
| MD5 | 9cd97232563f3b0e1c42c6a15c1a88f9 |
| SHA1 | 3f39930ba73b0ec7d7b6fc6f6f114a8831dd6fd4 |
| SHA256 | 98f1b97004e6eae100d16299b77984912de523c3fa4c23b7d99702ac189a51aa |
| SHA512 | b86dd76acde6ed1a9789ec525c63f93259d388ec59976bdc90c36d38065abc2be5473d3b191288d7c621963273eae89250ef1243fa71e2c584db4f2961d364ad |
C:\Users\Admin\AppData\Local\Temp\XUQsgQoQ.bat
| MD5 | c49345a15a157a739f624241756f35e6 |
| SHA1 | 25979c3fbaedd683ebd6a1de840275a48683e78c |
| SHA256 | 3cb8ea34ee7967ae419db5d787403af703fa311060ce8210b11975a6aa53addd |
| SHA512 | 7596e6b2e0ad15b534e3f51c5a45e03e2840762763d1f6d3df6e266d8234bc40b23b4f92321e0b30533157f4f7691190d13c4af929157b6685786cdde9e0c758 |
C:\Users\Admin\AppData\Local\Temp\YkYw.exe
| MD5 | 893d2dea1afd7cba8ea7bda2cd450659 |
| SHA1 | 4682924fb6c3e59b805551e72548112dd3eab72e |
| SHA256 | ce9543be4d538164ca752e8e9d159a76cfc010246da62c4df6e4150f21f059fd |
| SHA512 | e8d652ebc81acb6dfb7b044bba0259f8aa5bb1ceee2c2fc7d357d9ba96522e1fcc42a0e1222c77844167aea73ffc649e553b00cfaa4a32b1082a4f5ff6864059 |
C:\Users\Admin\AppData\Local\Temp\ccMO.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\eQge.exe
| MD5 | 51bbc66d91dfc6bcd4081846726a7b09 |
| SHA1 | 2d530fe24c769d5f12cc6fde8e8b3f480df34b80 |
| SHA256 | 0dba5f66fbf9060a731cbd8d4195519431266b72588f4c087c49c68d634abb3c |
| SHA512 | 33babed9ff6087189a84dd7ee7c615557e3ae6d4ee48c14fcc4c2ddc45b39740f6d4d86e8c9dcb4fc40585bb99b9079c4da4624788041f09bf62e099e4337d30 |
C:\Users\Admin\AppData\Local\Temp\gAYA.exe
| MD5 | 0b52499e921bb6066361ea20d6e190ae |
| SHA1 | 8bbb92c6b7dd049f0c26891a64a87400fbf914f1 |
| SHA256 | 834c9a714b13de287fa384604fe47c1f9d7f01460718bfd7a133db5dfc23ccb7 |
| SHA512 | dc8f29716445fc8e3f7c56c6bac2b8e95233ec2181ed8a88283c382d030642754055ab383ef5fc43da659ec03a02941522df3e91ce0aadaeda4929708e02cc71 |
C:\Users\Admin\AppData\Local\Temp\uIME.exe
| MD5 | feb4a84db4597515444f4d4d55b777bd |
| SHA1 | df35f4400c6bd8777501dac1a4baced4e6e810dd |
| SHA256 | a2ccdedea46d37f248ca0baa9252c3340c95b7c7e74dea212018a0fb27431d47 |
| SHA512 | 3ccedf20211459045c354fb8284a7b870be36f5c470ad4a0f016822e2a14855171f56689daf6767479c8d6f45ac4a1d8c7e8b5955211edaa2bd2af76a93e0d11 |
C:\Users\Admin\AppData\Local\Temp\lcMYoYoE.bat
| MD5 | 337494434b69489752be99ac35e58248 |
| SHA1 | 94af1d03b15053730bb675633bc955d2138343a9 |
| SHA256 | 3a545dc742ec97185590688c3e217738e0dde17c1d0c091668321f6cbbfdd943 |
| SHA512 | 29d4f6a83e33949be4a9bffeda597fdb8fab6b9dfb7cce9b4a220dbe2ddf3b8deb97b69ea91bbd95f0035de5b84e275ed62af4e443e8a9fe8e9183814ff6ee87 |
C:\Users\Admin\AppData\Local\Temp\nAIcUYcc.bat
| MD5 | 6f057fca1727cef1553994884b0bf883 |
| SHA1 | 37c7dc832c9f3f2b537a2fd6881b6cc1a4ac5194 |
| SHA256 | e3685ac2bd4bdc9e7eeeea6962c2e44dc1ae2d7315ea3763177aa8392e6b2341 |
| SHA512 | 0abd4bb56fd29bbbeeea2ac6ab224813cdc57ee1fc3004e01dce24761daaff4da94fd93fe5ba3b4517a19629f02844106841c6a1cecd333fd6eae2b8d686e445 |
C:\Users\Admin\AppData\Local\Temp\wEwYMwAo.bat
| MD5 | 6656d00327dfb97d7208df1ecb098f79 |
| SHA1 | a4a8171e49da814c387aa2110ed65caef7e3b4b6 |
| SHA256 | f14c6922b4775648e5ddfe8303d50e128a50283b485c7f43108abaebc80fcea3 |
| SHA512 | 601f7e1a02b896bb471a9b1b1d9879b55d3e497704ca370132312332331ebff50f8afe8c431d0e61acbdd03e4b6c9c1a9b5705590c9c228b9f9088a3e964efc5 |
C:\Users\Admin\AppData\Local\Temp\AoAQQIco.bat
| MD5 | 6d5c3d0ceb2a65c7ff5b55b41a9372f5 |
| SHA1 | fe7610726a2e5c983b41a23e522cb6624b9133a6 |
| SHA256 | 90997de2d5fb686e5fa7a7a10d73eda41af2127661c827b6a6d928b24e5dcbc3 |
| SHA512 | 4c0c1a555d230c6d84fe2dd25be0edff8d0eb917d63759f153bd122e2de3e06f253a291bcb16fcc45615361783b16924792b9f4c2949054ac6514d60c07bc52c |
C:\Users\Admin\AppData\Local\Temp\gEscYYEM.bat
| MD5 | 2bfc855bbec5d84f5b22c827ac5a5e02 |
| SHA1 | 03539022a2f89210dfc95aace276cd6bb4d36f44 |
| SHA256 | ed81ad06fbf5ac0cc6c625dbb761250aceab1da26939ef95c02f07a37f8b4e7b |
| SHA512 | 33938c7b6c9d6701dd13dcad81e24c44a525eab8504c6b6f25ebaf75ff61f30276bb0db731a55a59b857f3ccec7b5f6cb6368e299c86885c6143a673fc596746 |
C:\Users\Admin\AppData\Local\Temp\mWMYkkUw.bat
| MD5 | 06c718cfffe477de7bbc9726691c9941 |
| SHA1 | e748ef591d40c721ea72d0342e1dd2cacb8035c8 |
| SHA256 | 05576fb6734bd944fcc5adbc8463fd88e3890087dfed0c6a39e7731b93c0b397 |
| SHA512 | 5fad18eece8db2e90a0f2e61bf25098f68dd3605a1c4d5995bd2a381c4062c2e5bf49da40c42ad89aea18bb1077412fe39ff92dc6904706a8f7b4b56bbe0b426 |
C:\Users\Admin\AppData\Local\Temp\iessQgoM.bat
| MD5 | b4549a8a4f2e654c4cbbb14d4ec698c0 |
| SHA1 | c35fb3ca057974d7450047cd84732ae7a1d697b7 |
| SHA256 | 367eef28be0f913767f19f90f3984d420d3f2306d5d861fa3c21f535167b668b |
| SHA512 | 374437e7994e3bd77b280126d1b85e4239401fa4e9103ff1207389c5449da5dd2f58d16136149894e0a5140238de1bee57c5e6b0fc9b340b2a50f7729917d3f9 |
C:\Users\Admin\AppData\Local\Temp\gOcMYgkw.bat
| MD5 | 9be2e291d4c6366f11cc6d7d8ef7724c |
| SHA1 | 9a64de6dfe24900cd195c1e7cacc1d10713b81f2 |
| SHA256 | 033350c4e5bf01987551873d7ed6fc469b680aed507da4740ed5389958d0f99e |
| SHA512 | 1f7c7d4a55fbcaa014c87dabe1d1203ef96091ea59dcc05e2b5d81c459fceb2504fa2ed4b2f28bb2da5d645f1eee6fb46b0934ff30033a4a4cfc6e83a40e6758 |
C:\Users\Admin\AppData\Local\Temp\BKsMkQIE.bat
| MD5 | a1158e696f128d616ff8764591e6cecc |
| SHA1 | f26de799dedc38dac67940d59d0b866d185599f6 |
| SHA256 | e221b072e5353a4a63af636f2feb58449b7a1f9329e5d5b3265c9dc8b19d46d1 |
| SHA512 | aea44782895ac26e2533cf64fbd104046d6a33ed3ee3584fe95687b1acc974d1f5a016c24b0516347c41f38db4cff6f8644571e3227c265d14d93ceb718b4cb1 |
C:\Users\Admin\AppData\Local\Temp\ngUkQYQw.bat
| MD5 | eed956a25c8b72046719f74edf9bc63a |
| SHA1 | b642c8e0c4bec87b1ed3531fed41f6cffc6bf3f9 |
| SHA256 | 65e3ddce4f95dd857503e9a71e4c062b0a31486f0c32a1af7214c58d004340ce |
| SHA512 | f6cd4c27f7de06ac84326dde1120fca27fa2144f6874dc7c2dcbb4e105feee88ffca5da0443436f7940b43df360bfceecc42ec0adc20bbfc0dbe688cd9e80c13 |
C:\Users\Admin\AppData\Local\Temp\veUUQcEA.bat
| MD5 | eabd195dc155faa65ca3a36a769ccebf |
| SHA1 | 2a904e0a8a1ccb7286beaf9c4f8d4fb70f00e9bc |
| SHA256 | 18bc2c708e0b550fec440fe6f7d717edccb6112ed50a488890aa3c3d8528878f |
| SHA512 | 54e4b5e89ccb431009162e85757e928611545f62d0ba3ff3fe9728453ba78163ea53b3d96ecb413783a9bb2a6a73f497c04f2b091d321b0eef873e93a9c4180e |
C:\Users\Admin\AppData\Local\Temp\lMcgYQEA.bat
| MD5 | 0aff085322a24b5a13c85182e4bb2d46 |
| SHA1 | 04d2b12e56092a80620c712a290394abbdcf6501 |
| SHA256 | 978a8632aed9c2dbdae25eeb63ba2af0115d43d0845dd94dfe81240fb94242bc |
| SHA512 | 462afbf3f45930ab18b669f87eac6441e3320beacec46efbc1c2053059b32e27b125f8ff57103025faf6fa770b7e593e4b24443e3c83225fa09414a044318167 |
C:\Users\Admin\AppData\Local\Temp\OQMgwEwY.bat
| MD5 | 3d90005dfb5cc15eca940627432db036 |
| SHA1 | e0640cb81dfcc44a2c838fb4410bf91c25907701 |
| SHA256 | 1a90be961c5b026cf1a5d0c5f64765466081d143b396e1a053e1a854972c5f6c |
| SHA512 | 759a118bb75c0c76f56e4147004c8093534f160ac119ee3408b8409fa40a6e8c8c4b73f02602d70e31018b65b08526115dcfa7135dfbb7c52ce3b44b982cc475 |
C:\Users\Admin\AppData\Local\Temp\kqAcokco.bat
| MD5 | 64061a42dca7a3c98666241a02d65a4d |
| SHA1 | 31881d538f90da2f5f201125f4fc70b8364475a6 |
| SHA256 | fa44f13cd41fe2d9e5f5563f74e8bcf483bf21ae2e0f9e9589953755d265b30c |
| SHA512 | 8d663642ae140bfe9de3a71de3feb34edc867347afff9ce2527bcfcb454ede1411bc3d4749a625d8b64e275ed1e6a178856ec6de9b048185fa515df2d2e140d4 |
C:\Users\Admin\AppData\Local\Temp\egcg.exe
| MD5 | 344092a34a403b64f34da5015bd8cc26 |
| SHA1 | 7375c2867b0c6477be0b6d3e6788026c4c8ff4c9 |
| SHA256 | 6e802cd9619f10ea11bf2f596c1757c15f1e6f45d13716e434847c8b4e4f15f0 |
| SHA512 | 9d50692fe78a997401386c9f080db9846d966302cf580af80f7d55db9051763483f7a209e6a5102eaea1456e5ed825e218e3ec41694f48ace07120367e45c2bb |
C:\Users\Admin\AppData\Local\Temp\GKMcIUoU.bat
| MD5 | 0a686839b0fa113c01466b57db29bcf8 |
| SHA1 | 1bfb1dba855e5693a0c46ab6aecf491ba655630a |
| SHA256 | c84999593dd84ab4ea4c1b0e7ccb10b3c32818e1fb8bac931939d28063f50864 |
| SHA512 | df96dd7ec7c2dd3d2311a94076532a96eb5590cb370fdc8e96af671653fa44939917fd9e6f38e875075e78ffd5be0ac3d8628e006d3e4bf7696453cbcb45954e |
C:\Users\Admin\AppData\Local\Temp\iUEQ.exe
| MD5 | af08d708536d9c9ef7ddf3746aeaa776 |
| SHA1 | ec5dc15d40c8f9a48dccc09b87f5066b697e2ae3 |
| SHA256 | 06f8108e40636f710f437a60aa87529f85b16ca5f653163fdc77adccbda9c61e |
| SHA512 | 852306edecb8aa8f67a5b1e11416a5fde51c26fcc75e98d79e81c50adcc205a8c7a469cae8f9bd1d2590fdb2d7f01a0ac1130412dda4f39f150aad18c6090864 |
C:\Users\Admin\AppData\Local\Temp\WMAc.exe
| MD5 | 067c297780f71e91d09b39e0eedbf4ac |
| SHA1 | 43f335642eb498fef85d89b2d304d066af687361 |
| SHA256 | e557e45ebd3692bbcbeaff3925fc9841d0b6f1c75deecfe54cb749b27ed03624 |
| SHA512 | 747cb2f3302100e7d7d496e7b4b201e053ce7ef1f6b310cff3a189d6a346d198f8ac999dbae2e88d4752033b0b75feb6d9a7058aefebf5c96344b0b0ce707f52 |
C:\Users\Admin\AppData\Local\Temp\gUgY.exe
| MD5 | 09e579604ea874d884ed2ee35a235130 |
| SHA1 | 97c4f0e094d32d877108224c9efe8441ae234220 |
| SHA256 | e98f39423d653c9eb82365e8a207db33465c6384ac231d29eb429adb86fda6bd |
| SHA512 | d2fe9d12d3a0c1ca89e7c243fab6c9a5f1ee8fa28aac27b804fb3e5c2d6cb3750a2a4e41ce89d52dc00814493f63eea62c1ce2038339ec7f8db8ee261676c549 |
C:\Users\Admin\AppData\Local\Temp\cEgU.exe
| MD5 | 413ca1f063d060254ce96a97474bef25 |
| SHA1 | 8477d82861e50379020b70d8f0a42cc30c4eb31b |
| SHA256 | cea193ad5d3db043b643db06e4fd636688b2362ada35313366b2cf9883954802 |
| SHA512 | 1352d975b46eba1ae622bd64028c1d25da62b01144cc7e2f8b3851d33492234942e522a89e18e3ed23d486d95ab88e999c0cce6ee7d6b4953700c43b0be20acc |
C:\Users\Admin\AppData\Local\Temp\goMA.exe
| MD5 | 7e4aa77c41e809e8e6365887d3172003 |
| SHA1 | 43549a586afd47fcd97bd43bda0bc824eaf41812 |
| SHA256 | 724f032ddc64d08e5c318bccf92f8a78cc718c3d5cfc0584eee8a914e981e208 |
| SHA512 | 71246ffa3adebef7e4c52ad183bf6277dafb7ff14428c3c45b770cabdb665b0922a3834083aefa86094708a7f7e4b37ef1a29f20c4fd25a09011f297fb2ec07a |
C:\Users\Admin\AppData\Local\Temp\UQwS.exe
| MD5 | 8e8951710d5245ea18a44332faad46f1 |
| SHA1 | d516351451299bdb178dbc7e289a206753840270 |
| SHA256 | 8087e9a80a15db9ae0d8e9dc0536540acd2415913acf5a73fc907aebe8f93ed8 |
| SHA512 | 0ac1ab612ccf98fa7b476afe197d72d1409900f69e69cae28bcc17d4e084f8139f3935a6f5d7a2dbaba30452f035f414a82d04b4ed17d5bd0ce5097428e16be6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe
| MD5 | cb6e5de70cdfb63c5bef5cdfefa01013 |
| SHA1 | dac5b8ebf61685981651ad936922eb79184eb426 |
| SHA256 | 3f3b687ccb9e848b1c250e32e60f0903b13380981a3bd510057ef3fb7529489c |
| SHA512 | cfcaf6fb7d4c97f0c556590895891ff094bf32f6a28d3a3b0c418f8cd835e5f8e75d8de47c386915e5f5a4989e371dba3a5627884b65171f678eb318b23fd2d0 |
C:\Users\Admin\AppData\Local\Temp\OAgEgQcs.bat
| MD5 | b69a5ddc25822c1c433f56d136e1d196 |
| SHA1 | 86af7d03537481f8cc56ba45edab7d469e3b78d9 |
| SHA256 | 3dbda802bbb973add89fa2ff80a56acb6af73d3f75e6d6bb8d9d1c4fdc2a474b |
| SHA512 | 26073fed8d39fdb6916fea14779593da7814bebac090a16104f1c16103da97ce52da7dec4dd848277f138800598cb8e68cdeec994501fc15962da003439d19e9 |
C:\Users\Admin\AppData\Local\Temp\gogM.exe
| MD5 | 348386a99b37fe3ea4614a13552ac81b |
| SHA1 | 35c5a9952133bbc043b9934eb26c20c4a876a1d8 |
| SHA256 | fedf83034e9af32cfac4938805a05bde6edfb652e2e7a507fe8f2e978358f520 |
| SHA512 | 64054b288626f7dab0e251da5e594acd52f6d7f999552750b3240e3700964f5b9198f1c758a22c8c5c456606d77eacdfa2e064c922a3f3b9a3d23fe1acf37947 |
C:\Users\Admin\AppData\Local\Temp\QkQk.exe
| MD5 | 7c6c07d81e96ac028112916f00c2f419 |
| SHA1 | 09bb15ca75bf6183218a21f1c871226897b9bb6a |
| SHA256 | b9e138c16e3e612821a7ce36988e3dd07c04c8b7b3e65272ee856f5cf5066c4c |
| SHA512 | be2c020dc0c8e688393bf19fc7f706fbad63647d86055f0c2c09a0d83384301537dc15af72a339af31851e7db253436c125eda8e95d945d86403011ac720b2fd |
C:\Users\Admin\AppData\Local\Temp\IEgA.exe
| MD5 | f762f0e45338c2e67dd848441d13e0ef |
| SHA1 | b457128de426cd257660bfa5cccf242199c3a271 |
| SHA256 | 0a441cbc148af72fda3bf2e63da01e7e664c663f4a3af284235cf5baa6c48cd8 |
| SHA512 | de4b4f72b7767b9a3ce8348e4c6daec2a36cacd3e51bca33542269e2d5e100e85a68c04cb678328f134c917ab781f35b3bfcdb8a5d04357302e5c03cf6602881 |
C:\Users\Admin\AppData\Local\Temp\EQMM.exe
| MD5 | b1b55ad344f85ebf585ebb7c994b420d |
| SHA1 | 021b9ce717aa3ec6ffeb4482b2544ecc5a6d67f7 |
| SHA256 | 89049bbf31aa328707c50710ba24b34c5394771650ccb985083d7d2b295515dc |
| SHA512 | 812808fa722b8b9d52823c46fffafe6e60aee55db1b8498f83688e0e1519392ea070a48e9b78b7c1f55be4e4dc7233e021dc11b729136fc681ed43d9e061e03e |
C:\Users\Admin\AppData\Local\Temp\gsIK.exe
| MD5 | c0b2743bd9d939eec6ca2ef603942676 |
| SHA1 | 6eb4b1c34cade36f2db91aea5440b7adb49591d0 |
| SHA256 | 0747ece47adb5818dd809986bd457b5af8676ee2119987b48e3d982807bd5d1f |
| SHA512 | 585bd4806e40460f44bbbf8ad7fe5c127b035f6783a87fb8d3bc85bcc0cb70c3f2ead64e23bddc549d8e35aeea6adcc9213478841bac96eb034f47cea74ef781 |
C:\Users\Admin\AppData\Local\Temp\kQwE.exe
| MD5 | 9e358b3008ef4eecebc102d1a53adbbe |
| SHA1 | 3cb849e11a5ba9c4896177c9af09dab32720b212 |
| SHA256 | 9eb1b40d4d584697ddad7519d0b1293fade9117087a022c3af6e532570cde4ae |
| SHA512 | d71f316dc3bffde3cf8da63c64bfc1f80021328bdd1cf252b50cdc612a30dae2886e52f21172b3e0915056ff7a3b791ff468459003a5826de1df0d87dae1c058 |
C:\Users\Admin\AppData\Local\Temp\GIoa.exe
| MD5 | 1c7f690c41aa2bb0fc015194b76e0cd5 |
| SHA1 | 73a8229e507a43e7cb2447c3f48550285a300dd1 |
| SHA256 | 493ad09d6199692b098781f8e14acb61e084a512e2728ebfb43a507237cd7bd3 |
| SHA512 | 5883455dc55631d871162c1065b0daa142c7d4e6c17ac88b4448304aa578c0bd7b491f9b827f73ebf0daa4d31e5f124414e3838379989e6d5082948346bf3b97 |
memory/3004-2474-0x0000000077B60000-0x0000000077C7F000-memory.dmp
memory/3004-2478-0x0000000003DF0000-0x0000000003E42000-memory.dmp
memory/3004-2477-0x00000000004B0000-0x00000000004DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mkUS.exe
| MD5 | 834f76bbdbae38013319495ad142a5ad |
| SHA1 | aab7a24ee7f95a1904fb1933a8dbc91fe9a87533 |
| SHA256 | 7a000556f400923a9e93492a18acf7c1fcee9ab71eb800c3fed62ea6a9ffe3e5 |
| SHA512 | 1554f62b1d4d24035eee80a3ffc9975773c1ec25a71c5d88b90d320eb5dd511a0a6647a5ee224e1493a92d7d6c8058a96ca67505d19a655085dbb4a0e67af130 |
memory/3004-2476-0x00000000004B0000-0x00000000004E2000-memory.dmp
memory/3004-2475-0x0000000077A60000-0x0000000077B5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kgUO.exe
| MD5 | 9d3dec80f5ce502f2c632d5e43b2fc8f |
| SHA1 | 749f8e7309c188e345e3c2f51695df7af2cb0631 |
| SHA256 | 1a175ac191d5851208e04d08b1021b80073ce873c67608bdb2c84fba281821e2 |
| SHA512 | 972068a29d2c748269c0ed69ed67a8beddaac6ab04222a2c31d92fcbc2f2f6595e52d8a682cac54dd268d8a3ce4d9cd8744d044444d919b4b2523b58976394a3 |
C:\Users\Admin\AppData\Local\Temp\GEos.exe
| MD5 | e29acd10ab8e254df7063a287d4e33b5 |
| SHA1 | 9df718c17d8ab1a0aaf9a6822a9c1a35d3212e6c |
| SHA256 | f7e01589befb34ed21c603b4c590056d360959a6c51878431fac17733d7a4946 |
| SHA512 | 904c67a077b5103a2cd4fa6426b96855e8fd5f0a128957659a441b4ebc64c3be1079846f2789cf91cf9619964ce48f95072ecb49da17beb3eec10db192d34241 |
C:\Users\Admin\AppData\Local\Temp\RaIQMYws.bat
| MD5 | 4a18b7538cea5d5b30e259da2867ee91 |
| SHA1 | c62882e97b60b89dd95429e362015a828433eb41 |
| SHA256 | bf7f7bc301db77721669b04585e60ae9e877b86437e81c410b9f910c852cca2e |
| SHA512 | 5549c5bdf1f765b6c13d7ed70d9e6b0cd0315e2ea48bd4a96104a50457f4d8a244b6b7c7a135b708bedf2e4808fb25387567d0ed0f36f7d9c0189151c4164bbc |
C:\Users\Admin\AppData\Local\Temp\yoAu.exe
| MD5 | cfb67fcc004b1c0d4b6725a10b94438e |
| SHA1 | 30a990de8e46fa06938f31b37aa4bf441815f11a |
| SHA256 | a68c4cde96c9378d096a7348e3026bb3b24d3f875a380d9ce984d331bbf7fb76 |
| SHA512 | b95513b9397908e355fe5f1c784b095a83c0cb5c0b7b7a5e50f70c60fa5692abe1d8c08855972eca54d2cfcc1eb4026f743bfb7fa4e83cddb098b575479e28ee |
C:\Users\Admin\AppData\Local\Temp\eIcG.exe
| MD5 | f429385e41a6b694dbd2ce8618d07d68 |
| SHA1 | 9084e53cdd6d2710a2ded50d60a25c84eb8585e4 |
| SHA256 | 224abb9d15170a63728aef4e50167a74ae25cf2f30e686a90396d09e55c9e825 |
| SHA512 | 6bb00ca3ab3ddaf81f16debb46da36031183d96d7c5b12ea9600046a188383703a19f9de7c81875598885b074b8b93e92c1acd9c8eba824976cefcc3a5041042 |
C:\Users\Admin\AppData\Local\Temp\McUk.exe
| MD5 | 8eeeb2c5e7d31df9627536f092e1cbd3 |
| SHA1 | 0c0bd70c6309e155a236982a4c38cf46c58ec26a |
| SHA256 | 3499fd5cf5711b7c5d418f351726f5c01025a6a6ea3980a4e4804ae2b6b31ac6 |
| SHA512 | 83800399458ea7555e379f9e378830e56da226a92c9b58aba815ef22f5e08b32d0ee781f9c5c86130c3e8355456054033e04616b0a4a58a17e2a8f8634ee99d4 |
C:\Users\Admin\AppData\Local\Temp\Osgs.exe
| MD5 | 4c7062ef190af12e8d2821102aaf5070 |
| SHA1 | 32157de0486fe64a98979d9735fdca7b9135a345 |
| SHA256 | fd6194f1382a37b302a7e55a8a6f0531cd5dd67fdd640bf4429cd77373b7d427 |
| SHA512 | 1f39eb0ab09bc5dabb46ca5882265cb60d99ea346fdd36b5c6a83f9b4b0f27fb009c9fb190fe9a018c183d4948c41a94e71c71212889ef56ca5a8cc6545d10fe |
C:\Users\Admin\AppData\Local\Temp\EsYG.exe
| MD5 | 966eae29474c74679afeedfed67d1d74 |
| SHA1 | be49fde3b4778b0673161dcc2e52fbeaa84f1c61 |
| SHA256 | fce9e910e3662e3af1b0a8161aebcbf770602aa66803613853ad46f2ec9139c1 |
| SHA512 | fef056a4efa9b8025de59287e2de2d31ce57c03a3ec7cfacbd308422b2269c3d428ca00699a86057dd97564d46a9c9516bb042d43ebb38ae384f3eec5fce67f2 |
C:\Users\Admin\AppData\Local\Temp\pCYIEgEM.bat
| MD5 | bfab29c6fbc6dbf770fe51b9b83ffb48 |
| SHA1 | c19b300533d9d9e5c2977b4b29627a1ded2285e6 |
| SHA256 | 7fd5f8f400c57d2fd93046ed4847bfd4cbdbe567f2b6531da507330edca5c2aa |
| SHA512 | 5a78503c3244b69a6ac059d5eeed0057b9ec3f15bb28577adc094493c4b1f638e8412d67cf1da52efb7c9beac880b8308a112a0027d7ec53e5ec444f5cddadb1 |
C:\Users\Admin\AppData\Local\Temp\GoMU.exe
| MD5 | 07153283e00bcb58b78a51dd92a11916 |
| SHA1 | 69f5a341bd8fd9cb75e0d673468c1215dde09a5e |
| SHA256 | 09ed30fe67610f2ce6516c6d41f776c2653e2ea6c9c5109301cb64f0be6626dd |
| SHA512 | b685657bbf7fc7260ad043787814aeb5a57472f625389862fc3bca71c1b478c07b39a25ceb56c4916ce257cc96f14e5c181e2ff83a1aa7e24ead55b1bea9b132 |
C:\Users\Admin\AppData\Local\Temp\iEoQ.exe
| MD5 | e598417e53d0eb5fb63b7b416453c35f |
| SHA1 | 36249e7df2dae39689e3fedaf823470ed33b5fb2 |
| SHA256 | db008e34755cedbc556c08b7db41fc331783b793ccb2d1ac3eafad430e3a6736 |
| SHA512 | b80e6c29d9186ad966d31727cb64ef0acdb6f98e6703448c0dac16b781738f56e4f04a5bb4f67edad1996370cfd8a5d9f82dea4f481408ab93aef5bc16deaea4 |
C:\Users\Admin\AppData\Local\Temp\BOcwAoMo.bat
| MD5 | 636ede6172fe785241bd94360d555550 |
| SHA1 | a22ac78071d325484e0770f48338ca336ee4a4f5 |
| SHA256 | eb4e8a98338ca34e8d811b379144c4fdebb4193e68316e05272c9bb7c0492736 |
| SHA512 | fabd178e99f70fb690ce081e10a24da5da3e5414280f368455de2f445193fa87e14dcfce30ee340f031b06165cacb86799859bbbc45ad422a18c064274087f3a |
C:\Users\Admin\AppData\Local\Temp\CkIA.exe
| MD5 | d38f9f1bb6fa28e5b92331dd09944718 |
| SHA1 | 67f42740db6f89c1221e4f79735274727267e320 |
| SHA256 | 736610604baec993107f223e814829a5713b207c8c26f72728767690cc4446ce |
| SHA512 | 1bd3fa6c0da251ef4350bf9ed9d55a3dd0cbb6cdb0a43f83f5a2c8b114cf4c907fe7993a2b66ff886fbb98a1548f37ff7ad3290da5fbd4770216cd79cbae7526 |
C:\Users\Admin\AppData\Local\Temp\soQI.exe
| MD5 | 6a4379a7c67a6efc3d78730f8b2c90db |
| SHA1 | e081cd298e46595719d0d1c042aadc25d47b4d0d |
| SHA256 | 026a7b55f6d87a1577152b383d2c193bc713838af61931a3d91cc1779602ef1d |
| SHA512 | 7720264f586b9c49ec8600dea45659087ecf7a5adb63de1d9b52cbed44262f4afc2f5ae106521d2fc796a416593bb164ceae6b7691a46a0bb4e40196ed77b41a |
C:\Users\Admin\AppData\Local\Temp\KOIQoowc.bat
| MD5 | d19a38389f36a95078b691d495d0f1b4 |
| SHA1 | a6aa71b37099268d6e73ad83d5cc6ce200c92be2 |
| SHA256 | 7777424943d80c8c87963e49f75735dc379ee3a24df8a8944b95f23dabcce01b |
| SHA512 | 1d2e989bc12f8d9fc175845c69cc11fa4ce44109fd04b829b344a3ba710a0ed16db45f35eebd5d5dc956194a5945d7ae453ee30f0803f08ca936ab1354937303 |
C:\Users\Admin\AppData\Local\Temp\iEUO.exe
| MD5 | fb28505cc6b01a388415ee04d8a3b4f1 |
| SHA1 | c423c5f0fd0605067f5fcf054d7f044a642a0af3 |
| SHA256 | c1471e8c0d698913632867fe4086363bd2b5a0db6c6646d97880d05c70487afd |
| SHA512 | 7817f72892d3e1df95804f03e8aafdf5774a295a36256f3f91e00f17f00927ae7dbed7b3df032f2d32f676fde30dbf7f8795bb34f32e07822d2fc108f5dd08fc |
C:\Users\Admin\AppData\Local\Temp\EAgI.exe
| MD5 | 641623ee4b300d663e854cfdddc14a5c |
| SHA1 | 868dfb8ddedaf0ba8459e006930b496fd6b0c53d |
| SHA256 | 4de2013371d9650ef5dbc39a3d2fce864a23da3cafa0300fc0263fd7e4649c9d |
| SHA512 | 5a1f1203f2c420b2fe971c072edfd2c1ccf3f2023d48d75d1fafa4f8ba787846221708a21e8b9d5edfa57677908cf27b6c9555cd0fb471e70d95c1d37315ebc4 |
C:\Users\Admin\AppData\Local\Temp\uGkUQgAU.bat
| MD5 | 31c8aa2d9477b831fb634c39057be68d |
| SHA1 | b2ea69e8d0b9bfac32c312bdbab0860667baf3cd |
| SHA256 | 78bc0a9cd9a8b0d6420a84f53af3a038447e7317ba71ed71aa77e50105a00b8a |
| SHA512 | 2e112c9554500134b0c47114def30209fafe556ccabe14f4c089a4a935d6821360c4378dc7e5c65ff74418543bab82ce58ddcfd14f434a4638a9085e3e05fb32 |
C:\Users\Admin\Desktop\MeasureRepair.xls.exe
| MD5 | 42086999eaf611aecf72ed997ad0456d |
| SHA1 | 3b83ad2405c70aaba5b060fe5a0f622b4a274f4c |
| SHA256 | 8c1ec93b7f53f0b86e6d97c60b4807e7f5dddfa3a1fb777b058a349508b80e24 |
| SHA512 | 2e4db99a2fc84852dc6694cff7ee2f3a8b35a1627c4bf0c54df3355a9ba1565beae4bcb778960d8a8fb48552f47430ac5dc731c4647467c9045477aeae8218fa |
C:\Users\Admin\AppData\Local\Temp\WssG.exe
| MD5 | 0b1b6cb7af2e2153499a8b3a0d021c2e |
| SHA1 | 2cd2c6b2984b1ad73bd2c87ae1d168e1e820f809 |
| SHA256 | 6da2b9215c83ea229a6b9fef62cc138ad3066af49ddc3ca11fdd126b95c44d97 |
| SHA512 | ad52ebd098add254f74c7afa67cf1e276c58f0bae7a3b0e16d8f00f71a1df1c5c7a47ec8a57d09444ef39de1b4b774a5f5d84756305cccaec6a8129980c4f783 |
C:\Users\Admin\AppData\Local\Temp\YYYS.exe
| MD5 | 204f4367de4a27f645b06d430790eaa5 |
| SHA1 | 8021c2911f1413a838f7876e3a9096eb9c30211e |
| SHA256 | a73d1bd2c9d539dd53e9593cf0960e85ab42b45d396f4cde059091c744e7f55c |
| SHA512 | 49213a2676e756db803f4e885209196093209a14ae0992ef2ec59950c8cdf722c00ecfe5529200cedf547ac4d5fe02b51ad58a5197b7d3e69ee99def7cc2ede9 |
C:\Users\Admin\AppData\Local\Temp\mEAG.exe
| MD5 | 3bca39a8f1170b65a2a5ab39095f0c9e |
| SHA1 | 0c5864ef34bb9e53d0a4cccb023a840686df3fcf |
| SHA256 | 3530e1b5411eaa1ecd69c71ee2fb78aa152ea7ac6e715497dd5e4b8095f58467 |
| SHA512 | bb5d23af5bae552b9288e6e641162eae595805596e1d82740a82a550b6bb1c69cc7816d300cc7ec40951e00baf7ea9a2a39d8ac82825e4574bf6a95fa6245505 |
C:\Users\Admin\AppData\Local\Temp\IEAW.ico
| MD5 | 97ff638c39767356fc81ae9ba75057e8 |
| SHA1 | 92e201c9a4dc807643402f646cbb7e4433b7d713 |
| SHA256 | 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093 |
| SHA512 | 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46 |
C:\Users\Admin\AppData\Local\Temp\wYIO.exe
| MD5 | 59950e0cb73e5888420bc844a4e961b1 |
| SHA1 | 535800f553a9981f78e0232aac2782b8edf2f754 |
| SHA256 | b32028e3bb43fdf7a0a72a52ff40b94d7f3a3afb98b234d8a8d55f6574cfd0df |
| SHA512 | c56a962f07370c3ed9a151ddfb238144314a180c54c8277c5ea98546f74b61da123937a47d3ecb426151f9424c866551c4695a62096338b6e835a3329b98b2bc |
C:\Users\Admin\AppData\Local\Temp\IQks.exe
| MD5 | 79cd85a446f3cdeb22eee5adeece916e |
| SHA1 | 3a98d7e6583afa22c701e09fe2bc857f05f01e4d |
| SHA256 | b4be1338c4499c51fca6ad15225eb9e0a1302264992d2f18dad60ca40feab6a1 |
| SHA512 | b71007e64756e2261f484f81d7f146fcd3ce0b66239f6a959ebe30938e1c7ddca313412ebb001402870fa2dfab15eb84d9922496039ae23970e117e406b191a3 |
C:\Users\Admin\AppData\Local\Temp\mwMa.ico
| MD5 | 68eff758b02205fd81fa05edd176d441 |
| SHA1 | f17593c1cdd859301cea25274ebf8e97adf310e2 |
| SHA256 | 37f472ca606725b24912ab009c20ce5e4d7521fca58c6353a80f4f816ffa17d5 |
| SHA512 | d2cbf62540845614cdc2168b9c11637e8ab6eb77e969f8f48735467668af77bc113b8ac08a06d6772081dde342358f7879429f3acc6984554a9b1341f596e03a |
C:\Users\Admin\AppData\Local\Temp\yQUg.exe
| MD5 | d1e91620a7a3dd5ad4995af5c03bd823 |
| SHA1 | b34183b9f6811d37ab3e7871cdb9f39c99c4b571 |
| SHA256 | aae6679efb0fb2a551609cd164006c0c98d071177c8eda62766bcb9f01257249 |
| SHA512 | 8de2a761fda83cd6418b488086e591bf7b92e51f8a5a43a3c5dfde9eeaac03ff1a91efdbe0ce7906ec666e6d679b9be5e682771818d0b9b8208d50627949cc39 |
C:\Users\Admin\AppData\Local\Temp\kUoEIUwI.bat
| MD5 | 51af4da61ddf4732d093a0a7ce3445b8 |
| SHA1 | 5e2d06f76a5398724576e7cc79d471c4e8d1361f |
| SHA256 | 857c5651f9934240b3384d81b265ef13c8272410185a1a919b825ad49dad645e |
| SHA512 | e8b72134225ff61d042454823fccaec779543215367ac1b3ce7fa09c8d6c7ec6b24e14b56a8a888ebc7e694e1e232b9bc0591790033c79e021de8880a78ce94c |
C:\Users\Admin\AppData\Local\Temp\MEsa.exe
| MD5 | dc2e6d9ace18700d368651a9b676f6ed |
| SHA1 | a7313761636809136cc872c0dbf2febf7044e797 |
| SHA256 | 7779a9115cdcdcdb2be45ad858e6687d676354166a9631e3814a744a4bc86528 |
| SHA512 | 35c4ef6f41ab6d61dd27d2c884976f37fb7562d7bc4202d41737bc10317b75b44dc7a49f0e2cf9edbdd4ad98f36684d1814b9e93e4f73c028f4d2782d2e31fff |
C:\Users\Admin\AppData\Local\Temp\MEAO.exe
| MD5 | 27c907f6f2b6441f6b9730ee1448bee6 |
| SHA1 | f5fcd4a44e38ad362c89927ed16e03981a525de9 |
| SHA256 | 04c17d4f3457d690c4f7c40600b66c24529b3cb93b48d7697089ae5d34e7196b |
| SHA512 | ee93ea3b2d350a030510487925e68347b51e2df84b192cb05698edca3bc5cb40ced1e2a69df3247711894dd225c1cae752811dd522d08b030ac5fc6b1c12bcbf |
C:\Users\Admin\AppData\Local\Temp\UAoI.exe
| MD5 | 71c52dd282a8d57e905edb48a8877c03 |
| SHA1 | 3aca10a7df659b396a76b1d7a1ce4f27285cc969 |
| SHA256 | 83efa7f01d606660f1cb673dc89ee2c4fd327893ad938e02a89f9b0ffb58b4d9 |
| SHA512 | fd53654b260d6b5e01c409f7f9eb2cf75dd008ba530056cbc334bb6eb244113b66c0027c67d31c331dcf6f01c60631749613aa601ec0fc1a860a9d6bc1414a27 |
C:\Users\Admin\Pictures\UnblockStop.png.exe
| MD5 | 004d41e3b167e632a061b77dab45531f |
| SHA1 | 94d8a3f8e3aa569f19011ce6d746d12182271bfc |
| SHA256 | c7e8a9fdc0595d4eeb1624991adcb44e2537527d3a294f4461654b151269fade |
| SHA512 | 7ea933671c6db993ca7a93d78a8a52dfcf91fb98283b0e39a9c60f61f60be1c0da18207dbd6180c8b72a6ad14028b1a51e8b2046c84af18f0a2d24e7c67b0024 |
C:\Users\Admin\AppData\Local\Temp\hWEIEwsk.bat
| MD5 | 99ea132e3a16f907184de577be51cdd9 |
| SHA1 | 91c1961d27140f23538cb15166f66a3f094f1fea |
| SHA256 | 4da7da5f6889c01a885c459f6b238c55dfd366e54509bd259e9f3e5e482195dd |
| SHA512 | aa1dc7bec0874c4fb03a894b3e1b83b752dde3ebe29c601879b913e07ef0ba8ce8480f1a0c81923cb9f2b8ff7ab9d414867b4c1f234f3ce8877e54876e732dec |
C:\Users\Admin\AppData\Local\Temp\ekQY.exe
| MD5 | 16fd7d4c6d7d69cb501cf9dd8ee80aba |
| SHA1 | 4a0b3808b306d836ae97f350270b3b008a78d5c4 |
| SHA256 | 64577987a84e2a5c944d75a067f288cca26eb7b6b6e6f18c9f37a9f13bedf6f7 |
| SHA512 | 2168bd07c5776a6b171d9cea73a850563ea7ba9819022747acf0b18b9c71e8dfe12ef058e8c7691c36226187f37ad42340e4593dfd054f6ca1f2600acc466daa |
C:\Users\Admin\AppData\Local\Temp\EMgy.exe
| MD5 | 2faf8fa77623ee222c493f58b22cb72f |
| SHA1 | 5e51fb82b362c47a3f6e5676936b910ad562c936 |
| SHA256 | 4d8cd5f70c13918eb94d0b2e834fa9a5979e9a15a71977d2ba357ce3618b5e71 |
| SHA512 | 347f1d0ebefb05abaa144cc0033dfab1c9ccf35fdc7ea67decd05f36e407e83913912367881a7f1cdc3838f5f15efda1542907fa81d013cf659dc5e02b18298f |
C:\Users\Admin\AppData\Local\Temp\sogW.exe
| MD5 | 5a3ce40392a7fe5aa37e3214802614bc |
| SHA1 | 11b21bcf3b5e81f935849fb5b8fc0e2ccd5d96d6 |
| SHA256 | 6a96d8fdf70053b651b2255834e7765ee8020f6760a6cc01dc792b3db973bdba |
| SHA512 | e7c7e746c4c20c730d1025180df86bd0c0912facb5cd17213aa0c594fa981551e4d6da5c2998e88d4d5d65cc2e0eaa6e59d85fc631f5a256ba75df07596758b9 |
C:\Users\Admin\AppData\Local\Temp\XqscIoIs.bat
| MD5 | 35d5879598c037c464f2b959cc24ba06 |
| SHA1 | bfe23ee5194ec4c97d95976e011081a95802fbd7 |
| SHA256 | 35001698439c23fbb98524cb02c746123008ca7e74f1d8dacac75087fc2ea84d |
| SHA512 | 72fe1626244d4c247dfa522ae24a667d4f38513df6e9670104ba9854d44696cdd7a7da540c9a1e24fc87e0cb9ef9140ef5abbe165a8acbfbaec1aa4a456a4b9b |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | 9ea0b55cd6c0fb34b333c9cac31288c2 |
| SHA1 | 237a7cc1197a5720cfeee0da1ea99eb3d4c7f5d3 |
| SHA256 | 61525ee2a3aef176b8360525cb70fb572d58206f8ff602ad7a57b6ea7e462abb |
| SHA512 | 8e79be0c8aa9dc094cd0e34f7680291c02bc9eaec14b79ba71e4254938a9e0380dd72629471ec5015b794f436f6284379cba90eeb4332e6c27cfcfff1152cb97 |
C:\Users\Admin\AppData\Local\Temp\SUsK.exe
| MD5 | 1f37580eb96421d4f3718b9374205c97 |
| SHA1 | 488a081e7f85ab7f101a2daad0ae42237e1b2285 |
| SHA256 | e16745980862c814ee1334b931bd5d45a8d09f49fbb1a274cc90795c164dab3d |
| SHA512 | 90e24c177d1de67f0ace78d4ed61703f65231574399f108db59ed51557db3f5c5f5ca4a78ccf283ba395fb311214ef851cbf98dc60f212039ed0fa46a3762d26 |
C:\Users\Admin\AppData\Local\Temp\dagoYEMc.bat
| MD5 | f7e5b2a36620ce9382a72c998af755f5 |
| SHA1 | eccbad6466bd9ceb463e9c5ee73df4f96712eef7 |
| SHA256 | c1b4ed05397df5eebb4ea2e233ce45ce62e56b34d4b37d81f53059291ff741c2 |
| SHA512 | 86b29764ff87625027744ba1319aa5fbad280ae32bce897e1f2006a0ab4c3e795169eb1b6263282b48b40acf28e6a0d5b0ad9aba8c822859032d9554e14e0f6b |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | 477f7b4e0d4bf458fa8c87729946bbf1 |
| SHA1 | cb1a93b3a32f73de668b926487152ccbfbee6b92 |
| SHA256 | 90276ff95175b74b41cedec0f824c5ac44b075f7c282505786f3127d9ae75222 |
| SHA512 | 59dce0a87751b7972060080f0631cdce5ac10394c0dc3cbcd465d747eb3dfaa94b8f6f71f3eaa4476c19e317ce826eadbc351917396b87c759bf00a4c2d7ceb8 |
C:\Users\Admin\AppData\Local\Temp\EYAE.exe
| MD5 | aa46a56c96566fc27ad04588ffe8a361 |
| SHA1 | 39c85f354974b5e6928460117959e1eab0da14a9 |
| SHA256 | 4cb173b7ba54769e36f72225e2d6894e367ee8bb0b2fb9ef612b0ec10e15f42c |
| SHA512 | e868bcc1ab50718fd2dcd002b9b5f5febcc0ccd694e66ceb3c3f1c7bd72acdfddf26028a1b7fc524e30957bd071f0f2746ebec20a97e05bee871db8b7fd9f575 |
C:\Users\Admin\AppData\Local\Temp\DYUUYEAw.bat
| MD5 | 483ea3164213938152e28aca20760790 |
| SHA1 | b3bbf11688243e6c1ea751c6bd948174ce52c3e1 |
| SHA256 | 00920e7ffa1c82c27e2dad620bd14c2069552c66db3d84371ac3f1c0b8be0687 |
| SHA512 | 05e78303461ac5eaf6ebf608072075f239028ddd137627f4ea21eb7db8c7eccee18944586dc436d54a78926b37fc4e4d3df57581793e0e6893b795e8aba3c214 |
C:\Users\Admin\AppData\Local\Temp\cAoC.exe
| MD5 | 82dffa8489e0a0aa3ec48911a425da61 |
| SHA1 | 477ebec1d01a97aa77bc45d1c60dba468dda0c5c |
| SHA256 | 68d274bfb6e011cc47a1d86bbfa4e09c0694f03412d06f80758edf5eb0f83d30 |
| SHA512 | 8ba7dec463f9a97ca9bc5b2471ef63c4f26f770378a22ff67f5974c4fbbc2f8c36f74a7f0da0299736f22afecebffb6e99860e97959c37f8c8f3c7efe4a0f0e0 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe
| MD5 | f7ef500f1057f6707ec1c480cbdccc27 |
| SHA1 | 9b27082bbcf426f1ca6c0f7930dab3e7a343ba87 |
| SHA256 | 191f67cd2848eed3d5505ad057567123c85effb265d9590c5a9b0ab43ec98c9d |
| SHA512 | 8e10351c63d2ad9879e1be05730bafe1269db0dc1a5050aa11d033cbca821e34ef91b0713674a64cd13f2b4a9b573a0034ea548f2f032059bafe9a3ad371d29f |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe
| MD5 | 790f211d2d5b19a9b7aace2db8ff6574 |
| SHA1 | 8baa4a32f86d19ca05913aa5d301eed662b4caea |
| SHA256 | b2887d4486f7249e0957cab3e9c1ce25725889eb8498a03612f8ed2ecdc968fe |
| SHA512 | ecd5f74577138cd7986d9cd5035ddf8c4a7eef1237871a26585778f92e053e57acecc9e03a1993567d87abe01970f4e1cec26dec63db81caf5d56b055f87b784 |
C:\Users\Admin\AppData\Local\Temp\hmAUcoQg.bat
| MD5 | e2e560b4d56b12086c79a2df4ced782e |
| SHA1 | c4ff3ad0b6e3560db94f2e6a743f97434d409910 |
| SHA256 | 6781f2d6534cebed88991381c4c7e12b46f6474a1b3e8f4ffe500fce33646008 |
| SHA512 | cf0003fb6a93565d98b8f5503029366e7c9ed6b86c38b6453894b90c5aa445d0f8a30e9139e6106bed43787b38d08d3041ae6daf71e54edd4f2b20479a1be299 |
C:\Users\Admin\AppData\Local\Temp\QEEI.exe
| MD5 | 6cc4ccea002c3ccb24d1e2586f261637 |
| SHA1 | 7af974d09abd69aa3a25dbd9ad8f7f1623c8b441 |
| SHA256 | ef5eb07cb104b47e8a646ff377244267a499cd825df2fa676f76b18eeb081e0a |
| SHA512 | 5304f4e308e8d27ba9a83b4f47c13b36a0219cb8bd68a0e1593bb9f48899e052cc0de51baf9f32668fd439f857ef441a3b273d02d022197a1591de2ad5d6ce78 |
C:\Users\Admin\AppData\Local\Temp\sEYC.exe
| MD5 | 7ed8d39ec179d8976f53d4548918913d |
| SHA1 | afcc661ee9c1e7d35ebd034c15fa25ab8f48713d |
| SHA256 | 8bb4291f6730d7e2bd43c906572c7650abfaba8d14df820f757a29c12651900c |
| SHA512 | f30811aecf270879061b476b128e1e5f6d9a395af12d320810c97f20d572e684e51169675c885ea4712a4cf05ec666df57f8bdf3a7924c8e3176e1ec8a314aa4 |
C:\Users\Admin\AppData\Local\Temp\QIsq.exe
| MD5 | 597018507a71abbf4634afd4c6691212 |
| SHA1 | 587776d416e57ff7017452c0d86c09ebefa9bd01 |
| SHA256 | 88fd180c7d3c9fb0b492f42ccbcc75ef5b5a7e39914201cfa92f1b095512cb71 |
| SHA512 | b0bb2577943f3315bb23d5f7c7c83b8b4d7ca3c0721ed52cd9d5ef702d86907084a41395f9a8eeb30187db31679cbc5d6ec9bf3f46fb048343f94ed0d187d319 |
C:\Users\Admin\AppData\Local\Temp\iGwgYAYs.bat
| MD5 | d4e99041d81f5dacc52adb86665699c0 |
| SHA1 | cb943d75b9f1e08f1663785178b6551e6e07fed2 |
| SHA256 | 1f192407d226037ae21357475f8eeac30464cef95018505bb4574861d80749fe |
| SHA512 | 2a8ac0f44a3a563bfa6f9bd0dd0a479afa262db6e44f196b1cbc77066f1bc5e543b2f57220f4070d00dcc7f83fd396c9d94425b453e42ca51ef93073aadbef49 |
C:\Users\Admin\AppData\Local\Temp\WUok.exe
| MD5 | a2f23621a721dab38010a676a045a4b3 |
| SHA1 | 96430e295f5786df3ae02f6261fb067c959b56c1 |
| SHA256 | e7d1e0cf61fb52e9f0f1f78b7f9a6df2f1c6b8198469b38afb8086df8143ea60 |
| SHA512 | 1276d49f9b514468c6efd419775cb01ed722665b18ffed10903f3c96a7508514f9d99771787899682db91aee6a1d56ea5db5b77ddfec3edce02a58638e701a16 |
C:\Users\Admin\AppData\Local\Temp\mckC.exe
| MD5 | 7241b5b2e41b9a102cc9d21a3d92b7ba |
| SHA1 | 907b83fcb758e12c87a26ced975a793778570966 |
| SHA256 | 700d3ba0cf6d8121648014cde059b17987d8427f94ba5ca8d862227e4462d993 |
| SHA512 | b3416693d8511734e043ad87aa90305e50eb14e2e41031dc4bc8897657524d6ecbaf2de0d9dc21859fd2a5cae4efc43b88fe1498baa7ba3893defae90a1388fa |
C:\Users\Admin\AppData\Local\Temp\GwQo.exe
| MD5 | 146dffec13b81422959799ec51969348 |
| SHA1 | 26d9662f6e196f4417e825e9461830bdc17c6d2d |
| SHA256 | 61f100671f4e833e0eb4f4826443f10d9f4a10d428a620d704784bde48e934a0 |
| SHA512 | 85c0aa8e099a893e24ad494d2d8e936a46df96ab0309c02d8a980cac182dde40d70da88799deee2dc476d33a8644da3a7823c42eff7e97870193371c33406ee0 |
C:\Users\Admin\AppData\Local\Temp\iEIkMMYE.bat
| MD5 | a5dfae12c595806055e4cfe27e4697c8 |
| SHA1 | fd042a9e9781e68d890f7e4a38d762a67878c354 |
| SHA256 | 105857555b002e1ed98758b6a192fc605c1f207e341fb4398fc54b5bfb4a3910 |
| SHA512 | 819e3913bd88ffcc65779fb67c7be55ed85cd75b3badfb1b7e962b7d7143c994d521484cf5972bb0e07a8c02bd8112132152dc010e7fb70e441d08c8a704d96a |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe
| MD5 | eca82887531c923a6a4a357bb3993ee9 |
| SHA1 | ed84a0deef584469ed0fb9563c07366c4b3a5461 |
| SHA256 | 5f19253daba807960b3b1610ad9938f3e2f2798a614c50783bd916127409e2e2 |
| SHA512 | 6ae7a6463439fc11a561b00bad09b7ac5fc5f40581951cdef9454040202144594ec3b1f69072eb3f1645da3e8348d444a5e0582f58bee85b40c3758b5e8855db |
C:\Users\Admin\AppData\Local\Temp\aQIU.exe
| MD5 | 64ffe6341b07dcba35fc8a4857ee6033 |
| SHA1 | a12e349344dedc332d61e21d87a9107b37aef3ec |
| SHA256 | fadc3d1ce5dd32e0a3f0e6c267d785c86c43933cc3b6b1376b98bcd1be230fc2 |
| SHA512 | 4e8162b8ff81acc022ffc2897c99e8fed5b3e4eb603f98f1288ee16738d3a767fcb1731862797f18101ab536d77747f0d828018c3af1d5fa8e27affcbb3092b6 |
C:\Users\Admin\AppData\Local\Temp\mYYw.exe
| MD5 | d5079beee28e93a36c3a99aa85e31127 |
| SHA1 | 61077c0104a2ea7b1ea03835bf8d39e415836a2b |
| SHA256 | 536dcad252092811e576c3d8ed6327507c4daad9c06111916f3660601595eda7 |
| SHA512 | ddda40ecdfb32822e841ffef699b490dc94bb3376db8cb8e8ea8f14b99f56619dbd26df57aecb57e7ae6bdba7ea2750c72e659b1c072bb2b13d4697916f9992c |
C:\Users\Admin\AppData\Local\Temp\msAm.exe
| MD5 | fb5ac2fa11b48b4e02d9652afb8b4a2f |
| SHA1 | 892b98094dd27706164a17514982d3e860ffd809 |
| SHA256 | 5626ecf57d58ad997f4793bc416e32b4c30b337bae9e07f130b01751ceec0ba6 |
| SHA512 | 9400da1815ab33b47f8bd3a91a796d608dcff929f46940bc73683dfd2c84d64ea66b2e8fe8e2fccfd731a9556e4b376753435416a0ef4788f473962bd242006f |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe
| MD5 | 29f3e17545c12babbbdc744e7dea06cb |
| SHA1 | c2130d17fabafd7ec248ab5ae8207db982c8a84c |
| SHA256 | 92aacfe72bed3a0db76b615c2070b10e9efc7860ab22b972c75124988ef376d2 |
| SHA512 | 6b054c94c8416b9c6ed5d0721cd07a3cd69f32ac18cfcd82448ce7c11d56a90475875d69a1bc7fa6d9d2a5c7a0cf85501abaf169641a5bbbe355a20350e2f84b |
C:\Users\Admin\AppData\Local\Temp\UmkksIUc.bat
| MD5 | b336ef5318c85f405ae5582d404c5f92 |
| SHA1 | d0d4efd919203a1ecffaa3140263793e06773fb4 |
| SHA256 | 3cec1a9349ae525d274c33d3a3c87751b4ac2627020722ef5a76adfdf044cf75 |
| SHA512 | 0ecaa22d89f7192bc7a3da8eef02ffb4960ea403075a7d1c8633ee67522f5a37368877d4f6edac55cd3f62196008d40c1e86febb038aa2488432369af5831bef |
C:\Users\Admin\AppData\Local\Temp\CsEu.exe
| MD5 | 7843a55f7216858e01997185f02763eb |
| SHA1 | 899d5435a8eda296f0ba7c35ccb736c958dbdff5 |
| SHA256 | 0c9634aa094b23e631ed8665d2d840b9bc0c24da72a8c8650af95576c0ec6655 |
| SHA512 | 85a3a231dcd4a9d47e86e0b167537e4eaff3709fd5dc8e02a59e5a6d305970c870024e5d1237b76eedd5c560d2edbdec103670744807ee165533a4ce9e734693 |
C:\Users\Admin\AppData\Local\Temp\KkgM.exe
| MD5 | 3aa5e405c6623261edb61575c0a83172 |
| SHA1 | 1b21a02537d16c575c72e03cce8cf76d535835f6 |
| SHA256 | 5662232e2855120369b7de58863db13633a200f87cbba49bd4dab1b5720c0c1b |
| SHA512 | 695b56e100b7fdefd5d01bcc5ca6f1e28eda7edfc0be7f05f30059030278eff995f8dfaa1d146919841a184e4cc7bb4516525d4b84b5c70c7ce554c7942703d5 |
C:\Users\Admin\AppData\Local\Temp\OkEY.exe
| MD5 | e901cbb33e7103e2ed0ca73e26c260e5 |
| SHA1 | 1dc355e8d4d44f4c59884e3a9cf02ac08a164c5d |
| SHA256 | b44963727ecc8b810a04ae7e2633147e06175f78f41a9d54b3e119f8000bc78a |
| SHA512 | a077278a4569c1d42c773b52edb047d0db1e120c7ef690de75ec935c105343b9d085f7e8efb04358ca6bf534867118e843520fc1dc5805358dbd145fe3d9a238 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe
| MD5 | 7261ce72bf59094529d57bdacb4c7259 |
| SHA1 | db6ccef84a2f9206d34d57e3efe6abed276719a6 |
| SHA256 | 899e98a811bdb50d24e40a4f81a958e4999200fce4cd788721b0dfbba61b6a45 |
| SHA512 | 781c8eb7a984b0f0df050a2b9bcf422b8762e53210a9202a1233e555b61e645fcc89bf0dfbffe94ba4ffd4f95c12d53d22d7c58ff1ead2fa6fe1f359c0d150ff |
C:\Users\Admin\AppData\Local\Temp\cKEocIkk.bat
| MD5 | d60c4bb1d433fa5d8c9e64adde5b48a8 |
| SHA1 | d3a4609efe083b780d0c638701c58987a57577ec |
| SHA256 | 7c36755c431b71134ffc6e48bda7bb67780614c8cf7b0372e762d59811256bab |
| SHA512 | 0e231b2ef20a6067f70861d1e58fd7aaf4a75c3ef1c4fd28e6c1a2de33cb66d6e5c27fe372235292c1547d0358c5474c36571acadeef02778cb3d27664034cc5 |
C:\Users\Admin\AppData\Local\Temp\EIAI.exe
| MD5 | 8a567810e64e4e8fcb34e858187957c8 |
| SHA1 | 37bb84ee0231e97648028e1b423e289c9b1db824 |
| SHA256 | b2e3474c505607ea271564cd03fc9497fd23cb1359fda41890b6cb5d2eca210c |
| SHA512 | cee2e09a4eb348937aceea20d34128f7bc390c10668a0e85ccc5940564ba33c7130fa01b1f95f4352c879b597734c15078ca1612ec8dd56f751eb323ab21c2fa |
C:\Users\Admin\AppData\Local\Temp\usgu.exe
| MD5 | e5f317123a6f2d622afa07ef6a773c06 |
| SHA1 | 31eff5eba1cb6f685ef3f214b72d10b4e2f20f9c |
| SHA256 | 954cc5d25bb5704af7e627bbbcf0564a0fc0f3a4a45d1a31afa0f36923d49772 |
| SHA512 | 99ba899460ceee37546fa1a804772d32cb78f6b12edc55ab75cbbe2a73f25edc6df47b83d43169f8b998abf17b0fa2a2efab9f2950372c905cdc2b7b267f5feb |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe
| MD5 | 251e6adb87c3e85dcf64407cb66916a3 |
| SHA1 | 3635ce73943885ff7047c84c78b92b5908ad38b8 |
| SHA256 | 29bb92b9636c64cc486651e4dd501e83931ac95ea152111e5c8c7305fc63ccbd |
| SHA512 | 7942891f5530e68f0daad88409a671c736835388de59ba8ec3ec41b802b47d774a656b3fc1dddc4e7becabfad2eba2f6ae06ac08f2d8e16589e90fcebc38d9ab |
C:\Users\Admin\AppData\Local\Temp\nIYAIYgs.bat
| MD5 | 46cc4a585a095e9224a51b7ded5c047b |
| SHA1 | 10f5b690c41ec1f79ab88c95b8476be5fe9bde9c |
| SHA256 | 473166fa9c5b160a33f7ed89b57b76a4b00d6f08c52f838eb6707152e16558bf |
| SHA512 | a94846d100bdac5af3f2434d93f603344ec5dd3eacda7e5507bfda2c54b79067df10a6b29ac2cbad24074773d1451fbac1341fd7ca346700fc292ca7e6ac4b5e |
C:\Users\Admin\AppData\Local\Temp\KQwm.exe
| MD5 | b03be78740abcd37cc033b81f490af7c |
| SHA1 | 5572aed1163e0e12788ba00235f563345ca8ad03 |
| SHA256 | 14d4086feb65999d35c079de4265d4a4eb9e81c9fedf38c201def0b1788a840d |
| SHA512 | e79206fd982b0c6b713687d08e5af9b210c64154b19daae3a9f3e28711c6c1e4f21836153dd9c7f334287b18b822127a27e0862354825c6113d02180965fc20f |
C:\Users\Admin\AppData\Local\Temp\sgEG.exe
| MD5 | 5aed707cc06081caddd6735d588e43d7 |
| SHA1 | 175a3200414d98734154a0b2a5986b302f70ebb9 |
| SHA256 | d7afb5a45c8ab9829d46dab473bdbd575973dbf439521da047793fad34516e33 |
| SHA512 | 0a767089000aa90fb2122552f5098b6b6bb94c145ff05c7bc86da8d9d4a4e930985d9a1cd2cfd233ab29459514dc004ca13c9d3586160bac6bb54ecfbec2f308 |
C:\Users\Admin\AppData\Local\Temp\JqUEgAgU.bat
| MD5 | cd83eea1cdea44b6e925566df56203b4 |
| SHA1 | 37bfec6ddc5a8d5a95c2a3181403e79d6469a02e |
| SHA256 | 5b002886fe2fa9c8ee0616b4dd32ab47e4eb08e1a0d916522af419377e0bf1de |
| SHA512 | 6df71d3009063b460528b0cb12e8e1a4c6ad398b99b6192bfee5b9430aeabbdf5b928623e737a3930736c445b3ca3b3b327ea1ce6680c52cc3fb0bfc9f73e846 |
C:\Users\Admin\AppData\Local\Temp\oocE.exe
| MD5 | daac6316c2bdf107734d7f39282a07eb |
| SHA1 | 31c39f7ce7ab52f653efd9051f791737ddf6a1bc |
| SHA256 | 00110634add484063d37e3e42da91af34b3e84fdf938731faf5199afba652be6 |
| SHA512 | 679a1bd31bbf3a61cde18abfba42c0780b599a8e6795027d57fea7eff401ad9e1f1832f8aa0ceacd327ce3d7f7b742d3ac863ac5d90428077563d237c2c398b2 |
C:\Users\Admin\AppData\Local\Temp\cgYy.exe
| MD5 | 1d790783869f38658e2f9c163443e36f |
| SHA1 | 7a796a2957b421c8503104cef32f5e21207a14eb |
| SHA256 | fbaa08b0ddded7fb7bf46a2ec40053ae64e5e18913f344b38d47fb54f541d34b |
| SHA512 | ea61001b811ff9857e35df3f79a02e098de81a04882f3bdb41675fae7249a87c5f651e89f1c9d5179fb59359b56cfcfeab688c72d747d54459898fa32e18ae3b |
C:\Users\Admin\AppData\Local\Temp\yIYq.exe
| MD5 | e30d4d4b42c8fd7fae944584cf441af7 |
| SHA1 | ffa0a8b556668bfb82b490250f1432d68199206b |
| SHA256 | 3d6898275e3790b2cb7838c6216560b17b90f1dce47340514190e347efb5f748 |
| SHA512 | a99b2d76bf732e69ffc1c6164c1876ba03b159d91cd70c8080ed8bc8be95a692fec5528d649eda8a1edcecfc12c2018f9c37d685d2990dc19bbb6af169d7bc0e |
C:\Users\Admin\AppData\Local\Temp\bqUIIEco.bat
| MD5 | 6b2ee0d4f1b48fe0b160f456ec8c33b7 |
| SHA1 | 5719e390649d06ee94f8809d8a299a77c1e4d6f4 |
| SHA256 | 8f2378dcfa2b6b09ea787fa4a7eb907b13a8c7fa2106524888d9e5628f9d7c55 |
| SHA512 | a6299d6ab5f283cba2f6924ad934382b8704931fb2b44bc17f7a6fc995ad2d79f91c98ed882d4560eb4b2c70845bac38023ba6c7b0fbefc6c76c047b4106b8fe |
C:\Users\Admin\AppData\Local\Temp\UgcW.exe
| MD5 | a27a2e6bd5ef1eb5c66aeb3d56a6a1ad |
| SHA1 | 0a99882cb2eecfac55091315bfac6e193609eda6 |
| SHA256 | 2b657e0e668ad350deeb7ce7a11e942275ad224713a15f27af4979b6754b32d5 |
| SHA512 | e7449ac567b24f1d82116e8d4afeb02a46d9057fb0b8b00525d8f76b709cde85cb4fd00224f3932dded3ae5890cc45b60bba56a558ffa4d6653fdc92270ba543 |
C:\Users\Admin\AppData\Local\Temp\yYUk.exe
| MD5 | 408506b97fcb4482e45b2d95b299af28 |
| SHA1 | aa155dd5a59c361c760dbd9fcd7aa0d99ef819af |
| SHA256 | e08e0cf5f1dfe0dee292cac3dfe5e6cb3bf80211ebe7723ba6825a5b3ff36afd |
| SHA512 | 90c006587fbf61b4a0a251e2d54506717391b9148560dca85ce503fa65b68de8b1c07d5f08c709c0a4789f1b9df73e1d3aae1ab79e78f43526da95af1a1aa991 |
C:\Users\Admin\AppData\Local\Temp\rYEwEgQo.bat
| MD5 | ee17ad11007dc4e8082e8f706f9a8d1a |
| SHA1 | 9ecdcd1ec2ebdb1a2e2e489e503f46ba6e74e8f0 |
| SHA256 | 599bd0c5f53d1c451ec2984614eaac55ba954cc50ca55567760b2017e2907655 |
| SHA512 | 0fbc8ece131be7658e9d87d4e7605b1fd2f5b5eade711fcaa1c525b178ee5a5362facf78ec0467e00b8146badd2fe7a50887c565458973433c72a45c694b38d2 |
C:\Users\Admin\AppData\Local\Temp\gYIi.exe
| MD5 | 207a3ece05d9773974a6afb2c3a87f74 |
| SHA1 | fdf2e8337878e7a253c0bbc08d0beb08f2c3c948 |
| SHA256 | a27ffc8476be0b2c81307dac5dd1ace396da058ddee20e3b26761b094f3f1784 |
| SHA512 | 76a5a3980319d6ecfdbc5f519261d8a01b147afb22039bab89daf3d41ef4a0bad01cf69d28abc9ccd8c9b84737e3c20884d420d4014237d27ffd42a7352e4415 |
C:\Users\Admin\AppData\Local\Temp\akIa.exe
| MD5 | 5c1a9a512c62caadd4295ae51f63b132 |
| SHA1 | bb11902dab68e473410360038258d14ba46205d3 |
| SHA256 | 6e60aacab8c8a169c5b15b68ec9b913ade6026eed5eaed68888a43b92c5f22ab |
| SHA512 | 2f170f28856a3b1b85a968a725afe455ffba7acf4019b8c9b9d94575491f5c4a0dfc0e5ee2faf71f74510b81e1e6f2c3a2e11245eaa0bb4a4045766e93a807da |
C:\Users\Admin\AppData\Local\Temp\SMkW.exe
| MD5 | 014210e6b2dcb0fd195eb781a94cc771 |
| SHA1 | 461d004af926efe12350d5d726064688a20de92b |
| SHA256 | ce91847025619a44706d335f0d5632deac1431d039cbe190b800f98da6fd7d1b |
| SHA512 | 98358200b2929f132470d02e657b17eea7e3543d81a7e8a42c44cef3a0b7681ca1599b8ea4c0e8f9a6db110d95b677ce265c36679d44effb6c82e30c05c00777 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe
| MD5 | 19405cb603d78cd3fc0e962f3df00f61 |
| SHA1 | 7a159213622ab186636506f0fb276137b0b9b514 |
| SHA256 | 2f2d63cf951da663c7b83ac6e096e803837dfaf6f73ff83c723ec7be15b8011d |
| SHA512 | 2d871337a15fcb0c7d6ee8526df5bfb7825523a2aaf5f27df4a40278684b9cfdf500b93328def10713bcb5a6227203d493af4cdbaf0fb4168d0e064cf941f227 |
C:\Users\Admin\AppData\Local\Temp\CUwwksEQ.bat
| MD5 | 705c2411d108398b5f4a6e5073e2e890 |
| SHA1 | 5597a4323f25947420acd4420e4df035eda78e06 |
| SHA256 | cdae21c2505009fa82f450c41f9e607d0626a5d60a852df7ac8c77213830b6f3 |
| SHA512 | 5db5712ddef16692de0f9d87f4f0141e991f45d16b6baf1f035ee28b80c5568ca0899ef4c18d3d20bdfc88722f09401452261df0ac2862fa6d5dd7208e3d87ea |
C:\Users\Admin\AppData\Local\Temp\eAwG.exe
| MD5 | f79799e3006db2297e0e74bdcec00381 |
| SHA1 | 1751afdb87db4c4475f3abab68e40de53346a37e |
| SHA256 | 7cd6b05b03adca3d46524b372e604756a8662a47d2ccb26f6a4fc112de0b7ff0 |
| SHA512 | cb70d00725e155e991d52f8b59dcb427af00754665b3b5c6b77af16e6f0876a92d5c2d5624153ff88fb39426ed28b332ac37af670065e042b3f25f794d48ce2f |
C:\Users\Admin\AppData\Local\Temp\KMEi.exe
| MD5 | d7354a0e39b664428fbbf6cd3b3d6d16 |
| SHA1 | 576c0e05a04c17edd54042b3e031e54e2f2f7aa5 |
| SHA256 | 7cdb2dc7a7fc2d9cedc4729ea540e705deffbebbb86113b13afe84633a9fac06 |
| SHA512 | b7e344c3b8b4ea53331b6a90e6bb19304dd1b6435347e33db4a52da0b13f8bbf1f89df3aa3546710fb186139c64b28e62e958df76238f7d1d7631b0f43409928 |
C:\Users\Admin\AppData\Local\Temp\kcAIkkIc.bat
| MD5 | a9bc9d39944ad2b41bf39c02f1f8f837 |
| SHA1 | b159b88e83de4ee85ea905e32ca7fb4e4ed3398a |
| SHA256 | 775e3a8de011849d91176cf92468e3def1ff91dd78f4dbcaedf951209d69b747 |
| SHA512 | e66312a2205bc9376081919e1e85d1811c0a5c50fef4f1aa128a8759a446a801fde4fb6330fcdae0c6f061f33e746abf2714115ce2361cc0c0866577da81916a |
C:\Users\Admin\AppData\Local\Temp\yoMkYssA.bat
| MD5 | 3efb8bbec7bb18bbd35c2c3f67d7204b |
| SHA1 | b1fa135e78abcbbd0be94683cdb099d61d4dc7b0 |
| SHA256 | 7380f417a945ff3d56596f921de9e4d112511680308e2fc92c74de41431ef614 |
| SHA512 | dc72da8222f4c41b8932c32882acda206a26a5f81aca38bb3a79ed2941111c62b4362a855cd8c07fba70c14b04fc8b29601b29e19193e1c85fb547c8c8a45cf4 |
C:\Users\Admin\AppData\Local\Temp\mAge.exe
| MD5 | 20e0402481aeb1ece8fe51119325970a |
| SHA1 | 9a2747ecf86ea3e4f44ca9f0a0182501cdc0b6be |
| SHA256 | f86ebefccb0f748f0f1b1d9a8df100f96fdb179e0fdfcbca597b26cf55c22a7d |
| SHA512 | 1fa38f46ffe1d0b2d7a5e7c4acb834d02c01df2ae505005c1e91af1768203a7e98d3af17627c7b5bf9e8d32ab63a2c6c5e2788ba7818c6dd8449e7781e0c8e97 |
C:\Users\Admin\AppData\Local\Temp\MMMe.exe
| MD5 | e952fe4f2f30d418255e44e2676403be |
| SHA1 | 1950fcfdb00d8c8a00c7b25275906ece064cba4d |
| SHA256 | 6770c432a3ae578d2e44faa55b0cc23120b0a531a5aee221f39eb55cd76fcc1d |
| SHA512 | d8b23834e30dec8ed091791da040d59c68d05e16bd3486135113047020aaf1517f587730c778a451669095a0d5913721cf39c3c02adfa36c729f43e5215b611d |
C:\Users\Admin\AppData\Local\Temp\osgm.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe
| MD5 | e6040392ef6bf4e2dcbcc984dbe03ca5 |
| SHA1 | 180e6444b7f78100d1f97eacc651298082c53e21 |
| SHA256 | c436669adafde15ddff43ed276eea3f7f4bbfde04a5a9981a8c3452882728103 |
| SHA512 | f662b95b3e7ba989b3aa98788361acc0c87bbd13c17da585c57c4ced019cf71a35e7eb7b6dd0ae4aef5faec6d15b08c2bff300b50d59099ced427c6bd9c10d7d |
C:\Users\Admin\AppData\Local\Temp\kWkIossM.bat
| MD5 | 0e5f899f545d744715cf6f162285860c |
| SHA1 | 3806fd3c5723cef632b963503c64f18be54d819f |
| SHA256 | 18936a1d06fd29a244f3279a294b966a589c487e3a7f3283b94057175f02ecf8 |
| SHA512 | 1fa03120721e11708113ebf01edc23d57dddbafcbc0d2553551de1d5cc41a1c533f34aaa829fbb06c194cb6782782ae4045b4e883cd1f0388092a330eb46726c |
C:\Users\Admin\AppData\Local\Temp\qcYQ.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\yEQe.exe
| MD5 | a088ac15fc5d19cae644e1c66900d2c0 |
| SHA1 | b51dfb669bfdfb7c01bddaa047d073879feedfe1 |
| SHA256 | e76d1e14dd454ff50887939f561e377788c020f7405f5dccc706b906cc3ecb1f |
| SHA512 | 023530a3262eae6108275736b0ada9273002a231dd4a352e09e4c1c4adfa8b14322bffd8c7076c1282e47ae6c6133f643638374d39f3c31167b781066da4b8e0 |
C:\Users\Admin\AppData\Local\Temp\uUIc.exe
| MD5 | d7c741edfe7d02773d37437c7d5e2860 |
| SHA1 | 8735b80f8bd555f6b3b5700e2297e52c9c4e4cdb |
| SHA256 | ecba5639d54254674c65c250ba575ffbb3bbb3d72c7411f329ff283eb0e818c7 |
| SHA512 | 52d8449e077204557d206f50457da36f5ce8edd3424ec45e6c864443e6d55a64b231a7b7f23cbdb422cae2d6b21a5daa56466deef701a37e3a27b1062244f11a |
C:\Users\Admin\AppData\Local\Temp\Agkg.exe
| MD5 | e0a92ff4cc7221709c651e20d5aec3a6 |
| SHA1 | 77376c2cc9a23d0b166fa6a2300808e4af3b6699 |
| SHA256 | 1e40a508cafef9a5abe2ba223537e2976e8f069a762db3a9e33e3fca0dbda21d |
| SHA512 | 3c9257ed89bb68ead6288593906dce42a605d71015fcc2e7940e11ada2286fa9527f4ca037fb1935b09698c67d9e36aab7c9207445df9ef1c957d87865cfe15f |
C:\Users\Admin\AppData\Local\Temp\PyQAwQQU.bat
| MD5 | 511eae997410eb5926d4014aa78e2cdf |
| SHA1 | eb76e79cdd47adce427a3a64ff2a485dcb113aff |
| SHA256 | 2d902f6f155e186aff8c5573a22ea8d52e7077c8e92c0bdad407b69ec7b51312 |
| SHA512 | 722589e5e1eda10f8bcaa875344295cb6d773ad0a7b8d1042f0f0dcb3c5552918adc8a1824d111fcecb06d6a28dd2cdbaa2c6cf8ce7b6c55d3c1cc80ea487610 |
C:\Users\Admin\AppData\Local\Temp\qAEw.exe
| MD5 | 490604cba0c16c2f1189162e1d69fe69 |
| SHA1 | 6b09c911fb610257ba6a8b019d5a1967d2b0dfa2 |
| SHA256 | 09d6567558a33782b7583a2ca77d3a64b7a0427769e20c51b98acb25de766aca |
| SHA512 | d2bcbcf513f171902f03e8d330067bc220ad3924249011066a650ae091f41bec1dd974ec9e1efaac852f450a8d8a50281351c1b8e3b1977f57ce500d91406296 |
C:\Users\Admin\AppData\Local\Temp\YEkA.exe
| MD5 | 68cb473b78cb5c5f725fa533a73d1bf0 |
| SHA1 | 46f1dc1e9ea71a550d17cd1f66fb00a5a3b319c5 |
| SHA256 | dbb82865c81d60c50bd1573bf90061d32124f17134dee660bc9e6c37a12fa748 |
| SHA512 | 93cda1331378adc24be67bd24f492b0ed6360264bbff22d2df5b6324335fdeedcf6a8e3492dce1cbf6a47a3831320eaca12a8a10c17167afb0fd531e91696b61 |
C:\Users\Admin\AppData\Local\Temp\QAQg.exe
| MD5 | 2ecbd19150c3721a88dba4d0c8851dfc |
| SHA1 | 55d615fb9e538058d17bc8f864733e4ff53b7b46 |
| SHA256 | 721440497fc9ad2ce760a05615e6ac3263d1bc928dd52c64304bb9813f4c51de |
| SHA512 | 8380c627e4f2be0e304fbb505336140792ca480dd287dc365d7d355ecb732f9c73d4d6c137a03ee44a78fe8ad8754389e890a93313e58c72e16003ac927b61b4 |
C:\Users\Admin\AppData\Local\Temp\Iocy.exe
| MD5 | 0cc4bc07d604178baa9d1f103c06395e |
| SHA1 | d0750f7d27b335cbc42c465c1248212153393f16 |
| SHA256 | b7c1f284a2f8cce0242d6c11e47f771ee6272ddefe330509166cd9d5e44899e3 |
| SHA512 | c9e569b2e0beb67c6439d98e8b674443f34a1fa2e74a5bc6d1be2eb43e0d50901669049fd0e50dbec2c1a1933d2d6373f0d533d50201945f3fd681d040dd613a |
C:\Users\Admin\AppData\Local\Temp\SwoU.exe
| MD5 | 2d6157ebaa5b24ee438975bfd7371b67 |
| SHA1 | 88c95664ba0dab1f5ebb217d0ef1970fd5d50b17 |
| SHA256 | cc881e5dc0e9e7f3ada49a6027745d159d15e5fb1d92434aae3bbe69d1e5614a |
| SHA512 | 70383fb7c0cef01ed4bce55b33e7730780d8f1bd9d85d0bfa5d7e6c7facfc9fbc0cf8075e58907f98b0ff723fa4d64c6a7505f340a16fd3bf667c28e004d2c78 |
C:\Users\Admin\AppData\Local\Temp\FUksEkEY.bat
| MD5 | 38abd3c6d1421678dda8cda14cf3af23 |
| SHA1 | 8405bd8e3ffb58ea6cbcb18ec0da9ce6cb35abb6 |
| SHA256 | 4891d2fd4afaf9cb32fbd4c506143efb0361b82283429da10e0d6fd7b54c35a0 |
| SHA512 | b875d2643248410650f17376de440107d85c4b5b01f7af0c463f6e9f74e33f5848c7b7e4a8a88c18d9e091abcd5dcdc53a0031e96e87435903c8f1679e90f37e |
C:\Users\Admin\AppData\Local\Temp\vEIEgwMA.bat
| MD5 | 3d03e5c4005c9e939c8dc11040e4386b |
| SHA1 | 6eac21b82b2847a6ff5681fd475fac0a2ed43652 |
| SHA256 | b7eeb27febf732b17c26526d84b34752e952d73b4a7c1e912c5efa2cb7866154 |
| SHA512 | b6c23f42777d13c88e90870bf4d499cba2b62e0fed7943445eaf2a28c9e01d82a14a10df89167629a957519c8647ab8762942273d350942a756627f224f79e0b |
C:\Users\Admin\AppData\Local\Temp\JWYsokoo.bat
| MD5 | 47c344247724648998c83e9dbe47369f |
| SHA1 | 1b336b03072b6ce45992d5e3389f4a514e6ee762 |
| SHA256 | 914ab088c0218f4f0d2d391ee687c955606a701a1bf569c8320fef20cf0db4c0 |
| SHA512 | 89fca8b80a7e3b4f99ff790f89f914f6f5ec3f5ff813ae59e2e5a75b5c015a094988d3f1fecad06efa1b3b3f6c59d1156b1616546cea0db496179f0fc7bd721d |
C:\Users\Admin\AppData\Local\Temp\gccAUksM.bat
| MD5 | 0998f09a89f79ce2dd2108dfd3c34831 |
| SHA1 | d956137d5399dad3152d8f9d3fce68212dadc7c8 |
| SHA256 | 34070b06c82f0e8f7fa727f75476b16ea96b9aa72b71382bf80aa6a4e4da1677 |
| SHA512 | 2954499772d0a0cef3d3375bd1086f097113737720223bc0f2e75f6a68e277e5f908b64b32df21da2ceb220a226cbbf0b3698f48e3355ab4a6822b33147d1da9 |
C:\Users\Admin\AppData\Local\Temp\aWYQMQUU.bat
| MD5 | cc2323b640414ef2504f81162e49554a |
| SHA1 | 275ae6a91b93eec34101a63270a6361623cb2960 |
| SHA256 | 766f9c9d9e5e1788730f09e4d2801c784f5e868bd29ff99f32721a1563d1e034 |
| SHA512 | e5f3766fc003f4d54257215db531a4e05a6df14a27d4fcf425582a093c7dc77c5fe26f22eb1c25d55723b81ffd7f15f64bae260b5b4aa3939fbf168617387ee8 |
C:\Users\Admin\AppData\Local\Temp\MEYcoooc.bat
| MD5 | b7b5a2a9a62d6c491cf8f47ddb8252d0 |
| SHA1 | d50307b8125ef82b70c87b4adcedc055e9c29849 |
| SHA256 | acc899319aa590a7ae47ccac52303afd342df2eee07edd3bc7b95f3c4edaf9cd |
| SHA512 | befdc7468f1cd82867b1887ef254c0e4c0cfa19161ab2f573ea0d4414d5706ca8d05aa4bdb956e287eaf4ed3e83508eb627b5d6f41274a35c1ab8e7f0eb57e33 |
C:\Users\Admin\AppData\Local\Temp\IwUskMog.bat
| MD5 | cfdfdd2a4221634dea4d4591e39591f8 |
| SHA1 | 55b4ffa5502848474ab76951975dd355b7b74e40 |
| SHA256 | 2e4e673bba67bebed4a7a16f230bf2b9658e448dc2b1993c399d0cc413b1441e |
| SHA512 | a44bd1c83c8040b43d668fe8b2a7254a5b7974eee3cc116532fe3f1f78794c78b749b008526165b6292a72977959b10ea1061543c06016b4676e922074b3b553 |
C:\Users\Admin\AppData\Local\Temp\PYQoockg.bat
| MD5 | bfda9611ed2065945b24e8ba18af4970 |
| SHA1 | ca161e40e3f845a1702a716c0172fd0993568757 |
| SHA256 | 0a1d536888be46b01ecd757aad4bb094f38b0831e43a5db2b373340de3b76812 |
| SHA512 | c54c193654bded37c4c4bf2367fb75528cd614fa01b825c8d6c935957ba6a1a195ee920b058a39c950256e6381eb52f4b3e9f718fb58da055b5ef08a178c3775 |
C:\Users\Admin\AppData\Local\Temp\zoIkgoUI.bat
| MD5 | 1fd43b12a156e62d7e5395b02a056151 |
| SHA1 | b0acf37ffeecedac9651173c8f4185b4144148d6 |
| SHA256 | 0547073e5578ec7eba97de9e1d621d603a2da6d967e7b42d79bf0d383a0bbafb |
| SHA512 | e66ad66ea5174fa32d2b7914a56afdefe11de4641d7a0b5043e104abcb6327d2aff2c583e7cf3b5601502b2a180273ec5c3ef5d943a8c749e0db5f03ea347242 |
C:\Users\Admin\AppData\Local\Temp\HMogwscc.bat
| MD5 | 2b43af5937074eae208e7b06ca521a9b |
| SHA1 | 1c527d55f70d7d9dc76d2dfed2a082212d818442 |
| SHA256 | 411fc73090c8f63ccccb0a202ef612f28af782855e761d827e9166896b9c152a |
| SHA512 | e6ab598e527f12b120ff984372ecd52c67e5c3af617ab2194201ecc0d75c1469dbe1483d798ffc3cefceaf3adb0e3218235bb9195d9f011695d15cdcab6ff12b |
C:\Users\Admin\AppData\Local\Temp\vwoQAwYE.bat
| MD5 | 29da63f3f0ddd1b1e6cb958dadb906bf |
| SHA1 | 6399c45eda8985a24bdc6f781b71513e12af23a0 |
| SHA256 | cf5ca43fa4545866cfd21bd3c7856fb6bb8ab4ba3e38e6a1597753c19d56b557 |
| SHA512 | de70e997da4bbf64b1ff2648fc57a43d3c89df3df14b30bf3739649feda4242e182a18aa4974d202933d72f3ce82ae944df5dda6b9b19f35406af7395bb16e37 |
C:\Users\Admin\AppData\Local\Temp\umEIwEgc.bat
| MD5 | 38099de4404fda86a7e225ab4db16d61 |
| SHA1 | 2f8c486b9f15e13084b2ccd60f687f81fcb0d23f |
| SHA256 | 20a1408128e55ccd83a51c33bec2db4fb89c4beb471dbbf6caa67e8d0412431c |
| SHA512 | faf1cdab1a73eb453eb2794b837f51d409fc6817d1fcb12df98eeb403ccb8c15af0ef11de3eca4b1a114888caf76170ac159151153b0f2fc5e8a786efe6b8efe |
C:\Users\Admin\AppData\Local\Temp\euwEAAcA.bat
| MD5 | de395ca4bac3f4d60a406786caa8ed3e |
| SHA1 | c56aa2d32deb32f15166ca4dc6a4694e5287c405 |
| SHA256 | 6f5d153d83243477fb548bea1ebe89587f515c51cd155cb4550d00e4e68f97a2 |
| SHA512 | 965b29ef6feee315b2ffafd4b6b465ae034ae2b879ffa9b2a5293a8936278ac84146097e3e373221d7143283e4768c4b3661e2e8f1db56af6475c9ac4873306e |
C:\Users\Admin\AppData\Local\Temp\YWAIUEso.bat
| MD5 | dde282b8b6f08dfd5fa59db83ccdf339 |
| SHA1 | 611d900f4d7bd90b855eee6fcc86e059b8e041c2 |
| SHA256 | 9ba04819c4fac0dc88b87d934792bf46628934776c388e01f91bc2a76e7746ff |
| SHA512 | 411f68e5118d95be8379406334a7dddd2ea47236294f09f7ed2a65b903b3c497ec8055203902533b142aaeede425b88739f6257d1317724d5f8dd51c3ff0ed51 |
C:\Users\Admin\AppData\Local\Temp\YgoUYIgo.bat
| MD5 | 6771b7ad5a9532d54e1d242a3074546a |
| SHA1 | da6218ec16926f6003640ba19086a4c17e318fb9 |
| SHA256 | 15970a0eda6fa43b4dca66a8becc5c1949a152801666266cd616e8fdf4060216 |
| SHA512 | 4422c59e0024f27de4c3e6373337206eb31299a55deaa60c24aad068f1390c405c88d7d84ebe318db9c159e9664faaaa4ab4a4db2f0958f5a3005a05c745f634 |
C:\Users\Admin\AppData\Local\Temp\XqQsAQcw.bat
| MD5 | fddb65b0b6b9a7e7cd62e58d83d277c5 |
| SHA1 | e98f2ec5d92eaa2e86607c8a5ac29238cff8741b |
| SHA256 | 8a81a88c0a79b6f030bd7340cbd9ac1cebf2b7f84143d063df3cc9fd1dc50217 |
| SHA512 | 5d17af7cd2cb89ce074c764f4ec94f03277592dc2f76e90704ec47b3ecc3839dcc3366059743cd9961d78ed72e2a656aad427c5edb9b5fb22e08ad0cbc327516 |
C:\Users\Admin\AppData\Local\Temp\RGwIcYcg.bat
| MD5 | 7e169205c059fe263fcc35e2cdb3f683 |
| SHA1 | 7b1906cbf3f60892c159390b47af7c234a3807f9 |
| SHA256 | 73a762f3ddb7db4764a7ee4665d0f69f71cb93d34df68bf01ac4eccc7ab0ab2c |
| SHA512 | 17689e607aed5e7fb0e4875786e466d40d055e7746b843d6a7576eb7a275421b8861e86e19430413a2ede1f7ecdbf4fc3ad3c56f68b73657f6c4982568b6fbd5 |
C:\Users\Admin\AppData\Local\Temp\pWYkEckI.bat
| MD5 | 45744e47461f2811ea3163637a536436 |
| SHA1 | 953adf13a88c92979570fe18a3f552b1e4c8c184 |
| SHA256 | 0e1aebd93ccbbea4bf97d4aa2dc1a449c759b1cacdefb25313ec2eaf7232a104 |
| SHA512 | 1bca7ac7ae59efaf6582ee5d7a870eb1c33d12d8dc0e6b3b0737c370e3128d4b4df4f19a9608383d3a0267f545370a268c3f0489ebea00a2fe9682f70e32e34e |
C:\Users\Admin\AppData\Local\Temp\jgYcIAIg.bat
| MD5 | 9edafb8c40c3f6d98e4f20575cc848e8 |
| SHA1 | 2d834213e7204923d87d50e959bf980f5fd77dac |
| SHA256 | 2bdaafd848a1a7871086c79dcd5174bcbf31701431be752639a1ee7ccde2620d |
| SHA512 | 13c00a90a9229bd811f76296c56a96f323fbba789946d65c053c82964e248d297afe2ea398f6a7899591825485be4e84aae023c3798cf5b1d294d4d547e2c669 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-08 07:33
Reported
2025-01-08 07:35
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
Renames multiple (79) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe | N/A |
| N/A | N/A | C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QGEsEUgU.exe = "C:\\Users\\Admin\\hYkwoAgk\\QGEsEUgU.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eWIgIMYQ.exe = "C:\\ProgramData\\IuQMgYwg\\eWIgIMYQ.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eWIgIMYQ.exe = "C:\\ProgramData\\IuQMgYwg\\eWIgIMYQ.exe" | C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QGEsEUgU.exe = "C:\\Users\\Admin\\hYkwoAgk\\QGEsEUgU.exe" | C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe"
C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe
"C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe"
C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe
"C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKEcYUoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqIsMYQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcwAAgYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fukcYUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiwosEkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgUIgggY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEEEQwAk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwIgIcgY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amsQsYEE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqwEQUss.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rekwMUMU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsYAcskI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TugUkcMk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JckUIUQI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcAEwcUY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuwAIUIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgMsIEkY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWUgAYcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYckwwYg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkYwYgsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwEYsEso.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQUIIgcY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkMEQQwU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asoYccYk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyMYUEgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuMUMYsI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgcsYAMk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwoEgIIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSMEcccQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqUYggUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcsUQckE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQYMcYsg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKsYQkMg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaAAsgsE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQIMMAoU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGIIQkAY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGEoswEg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSMYsEAo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyEgwIok.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMYooQMA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWkMYwAg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKIAwIwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amQAcAQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWgckUcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGowQQIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSscsMcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeAowgQA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOIIoQkw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XeAEgMYE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmcsoQcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IksIQkgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MioMYQAw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgMcEIIk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCEsAcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcYcwIcI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwUcYkUE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaUIIkcE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmQwMAAo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouwskMsA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGAYAwEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fugAgkIc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TggEMQkY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maMIskUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USocYMEY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKUoUgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMoEoooY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZagYwYQA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWggUgYA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwMMogwc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqwkwAUM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soQccMIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmUYAwIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eucYkIUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hosoogEo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSMkMkEw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmkQoIMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGsUsYwA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWcggkUs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaYAgckM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scwEwsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgsIgIwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIIAocYQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkUMsoQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCoQowYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkIIwEok.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQUMIgUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCIkcMMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAkAgMMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAgsMIEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoYUIUIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIogkUYI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKgMowIA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQgsgUYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuosEsws.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiQsUIco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIsUwsUA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGAEskgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUwAYwIE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcQsMcck.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWcMAssg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OogAEkAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMEIgMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv pF75mgUsAECvbR2Mr3onpA.0.2
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGogwMEE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noEscwkM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqoUcUkw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyAMMQMU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qccAUUIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUgMEMgU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSIMoMso.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEUQgYsM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dksQoQwU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwwkEMAc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGEIMwsg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQckIsQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGswsMss.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsQUMcso.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKIwwUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaoAkUQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSscsUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQMAsYEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmgYEAks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PioAEkMw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcQwYEAg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcUkkgEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISAIEQEU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScsQAEgE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eigcEwQg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgcgEowg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkMkIYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSwMQEEM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqEIgMwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muUEUEgY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.180.14:80 | google.com | tcp |
| GB | 142.250.180.14:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
memory/2024-0-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe
| MD5 | e4d2b36a6e50199c73d50e8da790862d |
| SHA1 | 5b4435eded4081877ec34088cd6b2f766f7d7d68 |
| SHA256 | 2dffae656151451b2dd47664fd08f3873215a120342a51738468c89fd06f94ee |
| SHA512 | a2bbaa8106dcb7f45a730511a2166f1cc7d5802e172c2992e8801c447972021d14a9c288a42266df323eeb7cc82c47d836bfbefe0ce0c2a5f305b0781a1a775a |
C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe
| MD5 | 3f6bc21a09cefa8715633403d1053e3d |
| SHA1 | efdeb8c0ac2c8982e9bd6471b739d23fe6b64f10 |
| SHA256 | 7baec492af21b6894acd6d0ac7b3c80e093a6cd74a7126fe53b74bffae4e0a3a |
| SHA512 | c5b702e6f5d80b4f0396f24bed9bea428aa2a0204d0ada2348b477ff94b5757db6f46c2f0b7b25f973634c28e46e197421ce64c7866cf1db0230ce17c18aeb6a |
memory/4292-15-0x0000000000400000-0x0000000000431000-memory.dmp
memory/816-7-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1372-16-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2024-20-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b
| MD5 | da2a3e52fb41d741eda2a8c6060447c2 |
| SHA1 | 5beb278a9da74a7fceb212f55676cead6727976e |
| SHA256 | a9a0f8fab82eeedc05fe5e22d42febd125145da26d8bf3283f5d8f1b6926b81b |
| SHA512 | a2c2eab0f6fa31bce31cc149e30c36d32aa6c2ccd998010fd4e7467baaf5628c69c20f660844c870174c165bc3da77e2bdebe2c72aee1336437ab4c6741eaafe |
C:\Users\Admin\AppData\Local\Temp\CKEcYUoY.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/1372-32-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/2120-44-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1584-55-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1592-59-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1592-68-0x0000000000400000-0x0000000000436000-memory.dmp
memory/780-80-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4928-91-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4496-102-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2572-115-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3868-116-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3868-127-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1200-138-0x0000000000400000-0x0000000000436000-memory.dmp
memory/780-149-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3420-162-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3464-173-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3392-184-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4804-196-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3592-208-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2564-219-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3944-220-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3944-231-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\hYkwoAgk\QGEsEUgU.inf
| MD5 | f934e3ede4fdf357c61e61ae098d53db |
| SHA1 | 80111d63d674404d0aac2380a7125c781f0b0488 |
| SHA256 | b33f5b68480f8229dc563667fbe5f4efb0925a37bfeea6dd0f7e255855191d82 |
| SHA512 | e0bb0f9125ff5f6dd8d713102844b140de95a1c3afef05754b98206c23589757ab0a37ac84800bb3f7270f411d15fba670f96a3997bbe26e471d9caf8a6898c9 |
C:\ProgramData\IuQMgYwg\eWIgIMYQ.inf
| MD5 | 63368bb5c55545cd9eb12e136bfb3188 |
| SHA1 | e0eacfca360a84dc035528ae304753fe20b2ac87 |
| SHA256 | 06256e0871ea1905eecef2bc107f872e7fd36f9c4ba936097059f43c38fea622 |
| SHA512 | 462654de9d8fd432769607165fff92056986ac9e846eaaa3263a6db2fd166549b9f7746ec72e097c8da9303253bc30cd8e4fe5c973600fe5e1fb96db93fa9fef |
memory/3844-246-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3508-255-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4788-256-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4788-264-0x0000000000400000-0x0000000000436000-memory.dmp
memory/316-265-0x0000000000400000-0x0000000000436000-memory.dmp
memory/316-274-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1044-283-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1700-285-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1700-292-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3844-300-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3880-310-0x0000000000400000-0x0000000000436000-memory.dmp
memory/5012-318-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3024-326-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4108-336-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4156-344-0x0000000000400000-0x0000000000436000-memory.dmp
memory/632-352-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4260-361-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4380-370-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4912-378-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4928-386-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2144-396-0x0000000000400000-0x0000000000436000-memory.dmp
memory/640-404-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2864-412-0x0000000000400000-0x0000000000436000-memory.dmp
memory/184-420-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2104-430-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1280-438-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2132-446-0x0000000000400000-0x0000000000436000-memory.dmp
memory/652-455-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3084-464-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2452-472-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2768-473-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2768-482-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1936-483-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1936-492-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3196-500-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1020-508-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4984-518-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3464-526-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4444-534-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1720-536-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1720-545-0x0000000000400000-0x0000000000436000-memory.dmp
memory/736-553-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2988-561-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3712-570-0x0000000000400000-0x0000000000436000-memory.dmp
memory/5060-579-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1340-587-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2832-595-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2364-605-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2512-613-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1724-614-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1724-622-0x0000000000400000-0x0000000000436000-memory.dmp
memory/912-623-0x0000000000400000-0x0000000000436000-memory.dmp
memory/912-633-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4684-634-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4684-642-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2180-643-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2180-651-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3024-659-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1972-669-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1596-677-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1208-682-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4788-686-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1208-694-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GIcS.exe
| MD5 | 8498f79d10bef5f5b8483da9cb3f6c7b |
| SHA1 | 0fa5b69a0700c137964552d3d5d9473cf899503c |
| SHA256 | 6b0b32170f1be67c0a7fd9f8886e117615a8774f33db3e1360cb455bff19e744 |
| SHA512 | a89ebeff1384085ca1bb9eb6f043744fb9d102f33d7f9895ce055b5023af617479d1838ecc3238e4d6938229701860121ce93a39e3efe51fe5da1621bb7369b9 |
memory/1484-719-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KMkW.exe
| MD5 | 4af0833cbf6f8765e8c5588dd38937dd |
| SHA1 | 54daa5483609cdad467373ab894f81e4049ceb9d |
| SHA256 | b5db9a7d6de4e2003aa3021b1869588b5837c5cf911e0e9e2a42fa0e6c3d839a |
| SHA512 | 358646b2486ebeb3624aba1d4a2dbf205c4113d5af8173706b0a79331b53b4470832386c61198fd6b49028ba2e029ac9f6bb76665a1edf94a0a5d70dccd082ad |
C:\Users\Admin\AppData\Local\Temp\OkMy.exe
| MD5 | 8ce37dd66cc4d946580ca055c429df6d |
| SHA1 | 5331c645ed86dc36ea439a1b978deb142ea45a85 |
| SHA256 | ac3897acce33dcbd511e79181f5027fba47bf15e8608ec928f3c1b160e2d889e |
| SHA512 | a367c38e9d05f0c1f92d497709e95e899b6f023c819d2f555cfce0c9e5ba31236f79f606b2fb5c64f1a1e38364f338c32aff6fcdea311208e514d9c0afc87058 |
memory/2116-755-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SAYM.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\CIME.exe
| MD5 | 8aad468d85f89da120ffca89d742adb6 |
| SHA1 | 50055f343b3b20d4785b87c14058a9d57e0b7096 |
| SHA256 | 163ee985b02323476afcc054bb518dc02e84524f188e49f33978859c896b98f2 |
| SHA512 | f9fa146a982d2b71efefa0a34b01665f2d9d661f90e2461c7d91f14dd410c9f738f5ee614f2eef13137e3b31b0748365e969a4586eaa390f31e05daad22c40a6 |
C:\Users\Admin\AppData\Local\Temp\gsoW.exe
| MD5 | 8838bd04490ae4e937e06cae1f3308bc |
| SHA1 | 53b8d4b390e23dbd21861b5e03e48d11ec3baefb |
| SHA256 | 75910c232d57e11691086136804ffe08a403ada57f33591b7c7e73fee796dfe5 |
| SHA512 | 8a988360f3b574ac340119b724d4585d7827ea8ee70ef99e08e1f8343318628b7e543cf8179a6bb76d3315b87342f6581021b915f2f07d4bc6cfc053b990e644 |
C:\Users\Admin\AppData\Local\Temp\YgIY.exe
| MD5 | 25814e943ee13b9e4fed66d109519d75 |
| SHA1 | 0cf02d42f54bcc7837eae91af27443ef6e2b4167 |
| SHA256 | 7ec6fba69166e115c9bbaac15ed8feab89a15b190c6a058d882536e67df52613 |
| SHA512 | 41601cceaa55e401be88a5f69dcdc4c21795a1e6f46081346362c680e971ea722428891d5ffc50ef72253a41b6ca387c7876a1e5104431cc50fcb5e9ced055e5 |
C:\Users\Admin\AppData\Local\Temp\IUgE.exe
| MD5 | 8f8d3766fcb7d762a766317533a8828c |
| SHA1 | 1b3cdb0e5418c95346a321d4917691ab055f84df |
| SHA256 | 95e0ffb914153e512bfd494b308a0a82d785b111403ec4bee51afbd6e6ae6920 |
| SHA512 | e9ab20739716038a20c299389a6d5218b9e6a8cd237edf514f762dab8b40a2093183380b00200da4acb726ac015a20f6811878b6e5fd4c3f978213910473d2d5 |
C:\Users\Admin\AppData\Local\Temp\SEEI.exe
| MD5 | 232ddc565e4b12cefbb13443330ba628 |
| SHA1 | 99ee56f9db5c9633849d247da64a79e330a5bb77 |
| SHA256 | 11769078fdff1078422bbb6787477aa79cc299f6bc3fb352e6dcd8defb9cb3d5 |
| SHA512 | f8e6d7347892817e00b9a17d8a4a8289807ec92c6e38c64fc2594e6e1b096a99f5a7883d2a97b44c4f668f673ca55010332feb818dad33424c70574707d0f0d5 |
memory/4792-833-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WAoC.exe
| MD5 | cc30efbbbe29127dfc6913a257a387da |
| SHA1 | 52f0eb838bbb19cf615c556f4a1ccdbf26294b8c |
| SHA256 | a8f0f7797c750509742dcee5dc7fc0d7d3b191dcf15131a1c5fb6450f367064a |
| SHA512 | ae8c8138e8ecdcc39ae608d4ae661072a37e89b8ce49424e307c3d2e7b91850333404dc25109755fc68818f0d4e6f71bc5b18c3f93c6445ec82d1b8599a6fc82 |
memory/1488-848-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iIQO.exe
| MD5 | 61e3cd7cafcd9e00514725fa579b109e |
| SHA1 | 0bc8a4a1fa0df0204170e2d92f686a00afeb926f |
| SHA256 | 95942a800c09e4c03c24e0a456976de62ab1893bbe32e6c316d64c24766666d2 |
| SHA512 | 17d9d5b2801854c271f4e90c8ada038360aa271f67fa952558a7882ee6e2428484a47a1732b789ee103939ea8e57ee579c2fe64f3320264ab6558fa10d27aa6f |
memory/1488-871-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csQS.exe
| MD5 | 567de8b7dd27098abbbd2f80e2e70b87 |
| SHA1 | 4d5edcaabcf4f403b8cbfb73f9bf1a0c68221f15 |
| SHA256 | 3f0d9da03b0ef5ccd43af051908dc92e6348f700c5dc7c89d1e98204e5c5e8b0 |
| SHA512 | 52a390dfc38fb69c0fc8b1918965c86a3ee39c5c1d0766444bf9f61af345584635d35b0c35e2aee8e2eb61191b571ae99f2edec0ec9fa44f4368c505e14548dc |
C:\Users\Admin\AppData\Local\Temp\iAMc.exe
| MD5 | d5fb0098ea68a12bcf58d6978c1ab659 |
| SHA1 | 9d3917b75fc08a2ba92fe1ed93976d64b40070fc |
| SHA256 | 2c85c1c73e072cb5283961bac36da9a5752f663e6403f1d9708b5201a13560af |
| SHA512 | 6848b916ca3d4756ab9584c0407e15570276ab54470d6525cfa34d109366c8f02c8b5cb5c7f2a3fb36aa825efd4ce5af33a44d340208a8f6df4c7bf466d6205c |
C:\Users\Admin\AppData\Local\Temp\UIAu.exe
| MD5 | 1aec0c602ea34c652c509953cc786d63 |
| SHA1 | 66000b0810e85b33f720e956d4e23a3c1a4ea1a6 |
| SHA256 | a19e6825a87742698ca45242d56ef784d4a3f2de504d2cdba113aebd3965cf9a |
| SHA512 | f7892c47dbf8685aadd6a2bba1b3af25a8e646a9b19a493b759f668eeefa38db0464c923e80e13bd1fd8ffc83cd9f33e44b583026f382777441d1ac2ac280023 |
C:\Users\Admin\AppData\Local\Temp\iwca.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\wIki.exe
| MD5 | 1a31b27e906a3c3414370bb92630f655 |
| SHA1 | e9616b637c70b33c684a9070365c5b2d3ce1a212 |
| SHA256 | cd7ab9737ca4f8b0e581dc4a25c984d1adfdedf98c87643f6a636bae1e423226 |
| SHA512 | bd8bdcdb7dc5d18be07f04d8bad876b4ef78959b7db905a24f72673868e295af681d84574b5cac80be47a0471bd1942954105861789eaab0f74db37dcf00856a |
memory/396-936-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3844-937-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mQcg.exe
| MD5 | 73ed7e6d08a13cbe937fb05d64713a0a |
| SHA1 | 42e08b43086f66dc85012dc83cc50ccd6ad7fed0 |
| SHA256 | 327856569b6d26669966d60ce0b17336b64a2a5f2cf1d4e8e4d711b7a163349e |
| SHA512 | bcb877622eb9a5cd0a0057c5b9e0d46ce314706dc568ea6e650f703a324423ac2d913cd09ca35faf40c5f89991b36565fc09405d3c64c1d47882b277163cf01a |
C:\Users\Admin\AppData\Local\Temp\koEW.exe
| MD5 | 8785397cde97c0914ebb36fe2738de3d |
| SHA1 | ba8623dc40b75828e980cb290a5f6fa7c845d711 |
| SHA256 | 77ff5905a4f9990db64655a53c973a3b0af40be097591b63fc0a6476cdfba5d1 |
| SHA512 | f0a69bc82dd35474467d1b6035f76f2275d75f40c48ed370fe65ff43b60b224c2b9e5ad466975fa007189e75280ef42ed142875304d1a9ad45906fbfd57c4f50 |
C:\Users\Admin\AppData\Local\Temp\OMsw.exe
| MD5 | 66eedeb17da6147dae34f47e1a0584a4 |
| SHA1 | 1c253ae2bdc802931338d6cd199b9f3dbbab5d55 |
| SHA256 | 87fd37c2c73c24cbf810c354e7f6cc9697df3b73cfd241af86cc20ac16563831 |
| SHA512 | e31bc3d683cb4b056741b5e134be3c16bbcad677171f1a1083afe3c4c62bea736e0138bc82e867419023390d340c8b262789e8cbffc96cdcab3f72db99b14be2 |
C:\Users\Admin\AppData\Local\Temp\OgwO.exe
| MD5 | 44bb96d8ac8c8d4ffdd453a1b7e64066 |
| SHA1 | 98e7e3f2b33802b06ef56ee850de428558c63549 |
| SHA256 | 13c5b4bfb43ad74f86dd8678d455a5464576c69afd4c77d036ad8d2a0740247c |
| SHA512 | 4180baa0aed9a10c80b90cf0c3dc9a4d6105aa209222a417636136a9e59c910ecbe879426929636fb1f21a1c2d4bec3f0a0ace6cfbbe472b72d1c76b75f22af9 |
C:\Users\Admin\AppData\Local\Temp\MAoO.exe
| MD5 | f5ae0d63067b959842eaf3bebab2e4b1 |
| SHA1 | 1943f40310e385391e64dd93da08758a6f22e758 |
| SHA256 | 7c2c4b61e2ad82046a388230c0992c805507fa0a07e43bffbea42b0be23f0768 |
| SHA512 | 8c1a88aaeea1099dea20a88a89efb8e1cbc84d6baf005fffd2a3e568b282064bf761fc37b455c9ee2af0671ff93c5597d5ea43b98e9d21dd3129e5c125be44ee |
C:\Users\Admin\AppData\Local\Temp\MAMk.exe
| MD5 | 88f456e3ee95676bbeba3a59a26497d0 |
| SHA1 | 3a37e1eaedf112b5494d3c094034e29ca9dbbc98 |
| SHA256 | d81458a01535f5581833ceec79e35ca095b5e05b2f2021524edf5431c86300ed |
| SHA512 | 7cea712f3fc0ad6fe2d9778791c71d9ee73c6c1c4bec4fc644f405ce54d3d60d2bfdb8b017715954c412b195dd769484e553de2765c028e45669e535ac3004b8 |
C:\Users\Admin\AppData\Local\Temp\KkMO.exe
| MD5 | 52bc2c162537381e3e616ea7fa54ba82 |
| SHA1 | 0502dae01bd2fdddeb53f9ba53b753da359fbd04 |
| SHA256 | 028c0a6c9db1b8c29ef73d838f776cbbd2f9894108170a91c9124546a863c332 |
| SHA512 | 3a2d59a3c1606ccf6721e72f223ff1dc1b8622ed796b58f609e9120d3a7057507f8ef047f886c344ae3187f089d2643d1801e0c4721836ba0796793370ca785c |
C:\Users\Admin\AppData\Local\Temp\yAkC.exe
| MD5 | 714caed2ede6197e7c0bb7dc04b2a726 |
| SHA1 | 90e467ed88762ed2788aa07f3b374a4dd23c70b2 |
| SHA256 | f682d8cd244014260f230597a6c7c99d97d7857e60e3d3b761639b41ce3d8a50 |
| SHA512 | 898c0334649d9b7011991913e2a423875b36b80e126cee6d2333515e9cfb3b872618526d5a58a2d3b8601ec01540744d50dc59da340502b995cdd42ce4dec86e |
C:\Users\Admin\AppData\Local\Temp\Akwa.exe
| MD5 | 7f20cc9d0a8cef586d36b38b7a1946f6 |
| SHA1 | 9e7aa4bb3a0b848ad5941743dd17fc1bc2cc362a |
| SHA256 | 5b457cb84456420a6edc0b7bd9f138d237637a456fc691e8e0089b7e7343740b |
| SHA512 | b04808f55c83aab07641402a2fe7fa29d9cbae128225ba55bce98d66d5ac7e365a42a55e57f55239a8e59dc9504727e06684d9b2084f67890bd9b7c926756f19 |
C:\Users\Admin\AppData\Local\Temp\gYwy.exe
| MD5 | 861f67545a96c570a7ffd76c557ab6ff |
| SHA1 | 345ab2cf90c70b84c8bb5eeacc0bd81293efe291 |
| SHA256 | e080c15ce0fc9ec86af0785edd584c304b8ee0f08e129ca937d151a85f6c7e23 |
| SHA512 | 48bddb52b51ecb808b79d784f677d6f4a6854728590bf7547eec48b9aa300877688302fe2a45f65ba51872635c4109589e558633baeebf9dc7505bb92d5de904 |
C:\Users\Admin\AppData\Local\Temp\swwY.exe
| MD5 | a8da40eaadd68662e6f2ce6f67d4fe12 |
| SHA1 | 9bd7e391244fb9dd9e32a8a2a74a8aab67751515 |
| SHA256 | 0613822a8f9724ad231deb4209267f7738a391be8375ff30244e9ae3f5c5d013 |
| SHA512 | b046eabad052378f4e6703b2ce461582fe166f71c4389ea0ade4d3e63652ae2dde452cc1d5334a6811f42a2454715996f6671354fc9f657c23889559d4176450 |
C:\Users\Admin\AppData\Local\Temp\KUsq.exe
| MD5 | 4cd564fbc47aba6e8e71d0ed044f1e42 |
| SHA1 | a81c636623b89fc41ce773190dc7dce31aacf2e6 |
| SHA256 | 483a11593c0641ac8aa3595c112d7cd30a08e78a9f4c8ce500987d0f8eb170af |
| SHA512 | 678fa1ec5e70659e422e141d94cd2a4229d1f347db7c52298e176d551afd6be9135ecc8745dcfdcf90aed941a6017f2d8b2e4aa173b75216250d31d988251255 |
C:\Users\Admin\AppData\Local\Temp\mQco.exe
| MD5 | 6c6791329e80bbaa22eb44bdb9fc4243 |
| SHA1 | 8a1f0513266dbff440c125093a2e5c0217ea8476 |
| SHA256 | 13805b1c71c7535ddf30b0e8adadaca52130a88adf0e2d1ffa95f64b32e55c96 |
| SHA512 | 4fd05ff006fccbcbedcfae53777f7cac62462d1852fc3749567b9f58e4a50c7af2439037e025428a6756b6355fe78c9f5689bf2cefb1f9483cb6a67d3b3e0d50 |
C:\Users\Admin\AppData\Local\Temp\ugcy.exe
| MD5 | 23f685912896533707a04b0535601b90 |
| SHA1 | d9f699dedd4d80abd3d1282e253a02b214db7018 |
| SHA256 | 95d488bcb578eb170c4e89392be8764d6d673c116ac1d8ad6c5010ff177baf6b |
| SHA512 | bd7a871c774c00a4e5afa08297993addb89658916c4c2edcc6d378d89dae58e7f20762041c62bf8ee497447a9c4ec46dbd6d6a5d3d70b0d9d42640ecb3815a45 |
C:\Users\Admin\AppData\Local\Temp\IkEU.exe
| MD5 | 2bf98f336fcd0e5b3d7f7ad41c58f701 |
| SHA1 | cbbe57c7dbd76cb36439c9aedd9d3b699e2440c9 |
| SHA256 | 8b9c0f5717a39d8faed6cf7b059ff8d034e1099710a460cca537be5aa725650b |
| SHA512 | 1dfef10bbdadfb57c49718605aee87466762dcaed099537913c7e8a98682e32cacdc8b79a1044b300e17e9e513b67835033840b1b0902c638898a2975a0cf425 |
C:\Users\Admin\AppData\Local\Temp\gcYY.exe
| MD5 | c96fd27679a66ab3f636a026ee95b0f9 |
| SHA1 | bcd58006dbb3e47e4e99576cd44d7633042e0f8f |
| SHA256 | 5716d0926e06d88fb142529d55d5fe3fa0dc091b142acf5cdac280eaa13695a8 |
| SHA512 | 85c449ace7b66d6bf247ee3e0fb7eb311e081812f726b32c0f0a7a419bb464522f7774008e94ffd9523f25bc0b72d4e3155053ba00f9db7f25c0e8689c02882b |
C:\Users\Admin\AppData\Local\Temp\iMIw.exe
| MD5 | 5a8622d1201ffd0e3be41730bbf25f79 |
| SHA1 | 81a2938833469a8c6e6c1f3a424195fe37514b92 |
| SHA256 | de9b3a5fc87e7fb624edab9ec1ce7dfcdfb0abf76e6ac8bfe7436282910ffbce |
| SHA512 | 35d19a4d73bfbfc434cc6dd5ec9ba1812125f30ba1513f6159ccdf9ece8c0b3eab723cab3715f585b6eb9e5a0a29c940cd0858ea96f97702066383cd1af3d844 |
C:\Users\Admin\AppData\Local\Temp\qEAu.exe
| MD5 | c652792878ba6da5e7e21d28e1562172 |
| SHA1 | aa6b0ba2fb762332416e10027b3436a9e2b1e3ae |
| SHA256 | db36f4b8ca9a56afcb86d34435371fd95203bf56c946d866dc771566a85de6e6 |
| SHA512 | 756c59b6889ea54ed85dd5b7a426cdfdae22f367709b46a6553db82b61e918c8e56e27a72baeeb6cdfd5bc0453801060440f38a5daf51093403c8767613b3a7b |
C:\Users\Admin\AppData\Local\Temp\yoEO.exe
| MD5 | acfec7b83ccf930ef82cd1fd40092466 |
| SHA1 | 7b3b39435358f411a2b0f385f992766f7f0b23ee |
| SHA256 | a8a38b1482bbac48cee29919f2270907fdf47b79c64fdad302e92c2e35793b5b |
| SHA512 | 4d3e8f317d5f24fcef5559326505eb3d38820eca3b66887ed77831e002c75b043533b1561714c0f45d71be03dc0d1bff22458eea6ef15d83b30b40318a7209ab |
C:\Users\Admin\AppData\Local\Temp\wIoy.exe
| MD5 | c29c4dc2e80d8121486742305b755542 |
| SHA1 | 3c92bf8cd8be89f479ba90aa584c4bcbfa381d1f |
| SHA256 | cd36fca128c96fd8e27dda42a131675b8536be4ef7fa35b0dfeb2dbaa261c3f2 |
| SHA512 | b959dbc5de5be714666015df13c5138119da7fda1a24cbe8032bcefc598dbb3174cfad364e9f2f9a774516a0b4676ada38f302d3c495d850c93db66fc6ff5341 |
C:\Users\Admin\AppData\Local\Temp\WwoI.exe
| MD5 | 76842849cf5183e5067b469df02acaee |
| SHA1 | fc40e83a4be18ce56754dd124349a2684506e352 |
| SHA256 | 52279e267609f835564bbf9ee534390796ea21949946c52231f21934188779c4 |
| SHA512 | 31a68cd390051153a8c537a52f89014fed0bf50b523991f3aae6d121f3f9741d703acff0f7b9a68e66a20846ac32b753e882810e1f1ca0171ad5e5502b0d607a |
C:\Users\Admin\AppData\Local\Temp\OwAy.exe
| MD5 | 014868377528953e00c23dce62529e2e |
| SHA1 | 8eb124efb1410711bdfd0da4fca1ba181801d8dd |
| SHA256 | fecb1d88bdb31f1a7890b09712fb789c6fb80437135ada02920fcba1bcba4caa |
| SHA512 | e5888e65ea6d39c14c078906cbb3b0e5fa5cb22528e2e921c5ebe88da9c4d8ffee366008e8c760c4f486ba06cbc0005b355688a6ee3633d5bff19c6d2107e55e |
C:\Users\Admin\AppData\Local\Temp\WIEy.exe
| MD5 | cb1340fd37a378b2cf5edac959636490 |
| SHA1 | 9d6ee4eb415754423818a961852923aa7e3cf7bd |
| SHA256 | f36f2c2fb258c66ff0c0aee703dfa00200672c661341ca7d845e1a6ed7f8c37e |
| SHA512 | 9e2cb0f312b9df6cdc999d2727eda6469adf159b46c3714a4743c314cc47def66a54bd3d1dccb7ea44c3a1306a87b7e78bf3258a60fed80b6a33ab1c522e3c8d |
C:\Users\Admin\AppData\Local\Temp\CsIg.exe
| MD5 | 0675e7a58a324f2741c29bac2a7ee04a |
| SHA1 | 17636ba04f59f4c7c4d83fe7ff5ae594f125dc09 |
| SHA256 | 50451fa1e13f0634e090c0d87b7c2382cdb76c9a6cb7f5b72ed9453b298d88bc |
| SHA512 | b341c05bc91e4a4fe19e77b70225acb103490750be28ce7d5a34369edd42000331d392f192220f3ff48dde30e0497b86b345dafc2a44222c09b3949dc490328f |
C:\Users\Admin\AppData\Local\Temp\qwkc.exe
| MD5 | 2a932303bdb8c2766130493230d8c2a9 |
| SHA1 | 99ce38378f141b7622d9a29132bacb8fea20b6de |
| SHA256 | a1a6d1ef474d6be0ef57d9bfaba65c3c207214807f63986e3aa6ecba10dac1fa |
| SHA512 | af3d0a7aa3bcc62c03d03989f791a15549570af91c66ad0d185694fc1bdd75aef897d4dae537ada1fb461a77658bdf5f28f1433eb212c26fbf2c6b1682b88f68 |
C:\Users\Admin\AppData\Local\Temp\GoIU.exe
| MD5 | d3688ee656a53e4a9b3243029501d886 |
| SHA1 | 9a236700b6b0ba6765469ac511b0714b10caf95a |
| SHA256 | a405639b672d1cf16e17a7fd68c279e5013343b3379f267f82b3bc59744d8805 |
| SHA512 | adfe30d5d78f1bdf3d4b022678c1d698deb1fc6ddab237b7c4f8fd4f3aad04cec3cdc9bcbc1457f18376d61ac4be6d3eac91bef14be1f73e3d0f6d636929b0c1 |
C:\Users\Admin\AppData\Local\Temp\ekEg.exe
| MD5 | ccbf48a615999b65e164c6b38baaf014 |
| SHA1 | 2a86120f8eb33e7ae35841e1972d2053fe0974a7 |
| SHA256 | 66771f08894e43f1ab28ded3eb82fa1b8c9e8c1c9da13edb9710da5037cd3940 |
| SHA512 | ec4b239714720ee8ac89f3bafcc439e64f31e11c4836f3df4365df40632a34fd4013fcbbc3654925e73edf63412f61e27317b47ab4647a77f4498ed43338a0ea |
C:\Users\Admin\AppData\Local\Temp\ecoq.exe
| MD5 | 33d686212bf6ef8bd663d30c45968728 |
| SHA1 | ee5a52cd7a16678ebff40d25c2ddca59862ef4db |
| SHA256 | 742be0c979fd78464c5308d856b4a530262471184266f4f8a7f526275730df2d |
| SHA512 | a5651fa340829f96aa5cb224e7313946c75edc13faf0a7e06f43a933adae4e4d9fb7bd4ae7222afefcc93d613c1b964343cbaa1f83eb8e54bfc4df862cec7684 |
C:\Users\Admin\AppData\Local\Temp\YkkI.exe
| MD5 | 672ed90add5c96c457940472567c189e |
| SHA1 | 1d6744d275c9e2d31457f471b5e8d48fa5631cd2 |
| SHA256 | a276ec84965a97b4ee8f0583cef8b1e5e2935906b7d2b194277e1b4ca91222d5 |
| SHA512 | adfee78d3f54569ed1024baf681e8dbe0807f450b4ce137bbd0aa0eab1a197356834dbcce2b712e826de6c773f1efaeb0ca985ba94318eb4c201d1459e0ab968 |
C:\Users\Admin\AppData\Local\Temp\yoEi.exe
| MD5 | b52e0d031c9146627c2fa77d863a5f30 |
| SHA1 | d12790bffc79c251d794e4850f1df0d753ac600f |
| SHA256 | fca06cc9fb1af96deed9fddb00d1ce35d8aba6649312799b084d18b0f1abd065 |
| SHA512 | 3edb0e9f05253f6df155cf2de44af97d403d8aac09b27076a28db6a7eeb1d7a9beb1d057092229fa27c8ca320dfbe04580a8627c73a49ca5c13a6dfb0da5f56e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe
| MD5 | 835a6570790697990cd71da53265db45 |
| SHA1 | ae7d88a0ad77fcbf7ed2b7df4858eeb73a4d31c1 |
| SHA256 | 4db1d8b35ba46e4ba2d4e0994e6526aa947939780ba480d16adcab19d9dd82a3 |
| SHA512 | 45f8741c7ba72b502515dca664bb333e153b8821699f4adb8a1b49e64d82da1aa008d311dcbea63fb27959d7c2fcdf165218b93dfe36cdfba203cbff81ca6d3a |
C:\Users\Admin\AppData\Local\Temp\awgS.exe
| MD5 | 30f990c590928feb5a77237576db1a30 |
| SHA1 | 88efb0cd1e24f0d104aa7dc68a7effda43cabfc0 |
| SHA256 | 2b70b01c3f94d45d5b87b054ac673239e45b89613ea25442d164f65ced8cbe10 |
| SHA512 | b81a54f1370db0e8487cb63a142eadf9fb17ec90a6a575c871cefe4a10b3188e88e7ac2f595c1d87f4f30d0e1e2591523514842d1fbfd5631346e97ae04b8378 |
C:\Users\Admin\AppData\Local\Temp\Qwsm.exe
| MD5 | c3045b511dd6ab414986979548786db4 |
| SHA1 | 625b4fcf9dda7722f64f9f4e5913241c77d05e89 |
| SHA256 | af58d2325f7f33899a0bbc31107ac91e27367ee41bc3dc8156365711a7e5a6c9 |
| SHA512 | 3e846c3419a71516cd3d18a58811ca6a21084fc6b5b695d4d56d840b8eb7fe89b98dd9a4a9cd843169b3e5d05c9591fabd91c569c70b229038afb096619cc398 |
C:\Users\Admin\AppData\Local\Temp\wEkS.exe
| MD5 | 7497b080df0c7999312fcbf2d94249b7 |
| SHA1 | 475193e5e0e4dbddc58271e1c2c2138f2e19a431 |
| SHA256 | 028690e728dd6306ebe8f37540c09621436e12bb3c2e4664e16105b495e0eaf0 |
| SHA512 | ff8869b916ee993f02eef93b419cd3a942aca420a876cc13c882c754ac811b948714c54876a0c04fd5a7a39233afa9e1b4fffd4220cc3658f3cd6fbc96a3714a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe
| MD5 | ece5155ab9724f02cc633b8cc5f09ac3 |
| SHA1 | 1205989b3d6576fe4c2fcc3b259b8495713540f2 |
| SHA256 | ad85de6cfee098e535c2c3c8ae68a58c857a73714d4a2b9612959963fe17031c |
| SHA512 | d477249d1072e40363d68deab0100410679046dc1b6488fc8e00ca3f6a356e9ef8920f409640ad4541795c5f151b97e8f34146d7a5ebddffffb9956f4bf24785 |
C:\Users\Admin\AppData\Local\Temp\QUME.exe
| MD5 | e2146fff43be30062f414ae965fbbd1f |
| SHA1 | 0fb75ea07f26721ea5fc1c2ab6436eba085cef0d |
| SHA256 | 6df32081a229f01d0dac9c6c776f0f85aff423db670b78c26953b3520415bbac |
| SHA512 | 62d4f9938e32ca261afef3e37e8fc6f68f3546d4ec00265802a6925eba0feb380a98210dca39380f3b744d214ed441e8e25ea323b5257b2952ea78b8e70e9f52 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
| MD5 | ee57e3e1226f18d0398fd532cae35049 |
| SHA1 | 81b31617c55b1a108fa0d25d83a8c46a05b493bf |
| SHA256 | b668bc3b74b2538ac17a0255ae0b32d4337db42be80ea32f5c02f91be19d3d77 |
| SHA512 | ea1192999331d426e79022744004671208a214aaa959a9b685241c29ec94d3d3f46fc344c707c567af4397a2c9b8175cb8842043dfd771d9fc12a3f62e3579f0 |
C:\Users\Admin\AppData\Local\Temp\qQIO.exe
| MD5 | a8acf6a27e878a0c11ac193277a1ad5a |
| SHA1 | 8a6d9070a85a01f8b6e38fef49145f3886656018 |
| SHA256 | 1b54a7c05b096a5f969a6a0e632d0fb17adf082e7ba7600106a1b8f88542173d |
| SHA512 | 2344098be101937c2e8b968dbc2aa8670e574bf6df083040401db6e555091858d79511fe51a3e49a11380f71500322c282bec85e7db534c73d8ee82afba169d5 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe
| MD5 | 4f4c839e17a3d1a865683de9c3fb3c86 |
| SHA1 | 921859d46c90dbc22916ebc3af00a02fd13177c1 |
| SHA256 | c96b0db1336827d471d6a4c081162fd74ab270e189bd7ddd78beab9c5a428f78 |
| SHA512 | 5e6bc4f85001024fe6a7d824837d1a6687b258b82ba89304bae971a73dc57e5687654ea4e51883c065c3df18e8d3296436eef90ad0cd76c7f5b322315120324a |
C:\Users\Admin\AppData\Local\Temp\cMkU.exe
| MD5 | f7e42e93e7d9549a12fce8899ed5ef07 |
| SHA1 | f10adda6aab17873a0f97a0dea124ad4da728afd |
| SHA256 | edf553dfeb76a8ddbbc8b3b47073e9638159772b758110c6a47a47abb89a09f9 |
| SHA512 | 15d9f27251dd2f800ea559806afeab2b0fc56b0180d4866f3d93997312cf22a144925203b591c91b11375bb4872dbf7fc45275627609acfeb91008ec21f88f7e |
C:\Users\Admin\AppData\Local\Temp\Ekow.exe
| MD5 | cd70c30576567d77384e65af0ac2846c |
| SHA1 | c8b01766df82df51579352bcc1a2d1cfc80a7a94 |
| SHA256 | 9e90861606e1f66326242003ddddc615d5c213f205d9e839442d5629d43b0b29 |
| SHA512 | 7a7649a5d08f508a901f65c81420fadcff718f2c7497777650cbde0bb16d87f5106327b50b5b99b54c58280c7b7b7b299a558ea511478d5509e362749cc387f4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
| MD5 | 364ceb6bb17a0477b91d3824a21a67bd |
| SHA1 | f8306ab5780a8ad37c42daf40d95477838c4d60f |
| SHA256 | 08c70c5fc0f5f40408c26ecd187015640cee76cd61a5423897d1700447b70f7f |
| SHA512 | 242e0f6b8e29b9624706a09d31d56e44eaf019ea6884bac5eb3c6743a46af41df5c321072988c6baa3093e39df2d0142782fd5afa5dbd3f40cd599df0069dff6 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe
| MD5 | 31185533a15b89780526b6cf689bc18c |
| SHA1 | c82cc0153f0fb7187ff7c27e30ca32f35f413958 |
| SHA256 | 762100bba9e22111f8f8e73c604107e2adc9ed88385321c01578e7e76607394b |
| SHA512 | 59e7fefa5e77392add9c8ecd19ceae0050c6a42498049e2eaeee1e7f85a04beb91aa53c096cf86bb4c0ba5f8559839ce6572eec18fe2a6f48ecf07f4d468ca50 |
C:\Users\Admin\AppData\Local\Temp\EcsI.exe
| MD5 | 9005a0310ff3bd157790e4d76ce386be |
| SHA1 | c7490224dc7d52ac695c494330ec0884851e3a41 |
| SHA256 | 965a327fbb4faf95706c68e9b562b57ab580797a03d155c09db0a5e16f9fd46a |
| SHA512 | e20b625f07db1ad22117a0a11890b02e5fa6991b282613ba018563e124f08afcad36228dde198e26c3f9f2fc6510aa54529eddbad54cdfcbf86831c227bfbd22 |
C:\Users\Admin\AppData\Local\Temp\kAsk.exe
| MD5 | 93edbe15989a619c95eae82f7225cb92 |
| SHA1 | 35a1efaf5ebf48a9d94aaa888e01fc8ebd8fe4c6 |
| SHA256 | 9f2cf7f4b890856015434f548b49749456815d211d3958aef7d6a82c5529b696 |
| SHA512 | 5e868e299df421f0cfd922e90274da4634d9f4b3c25524f27e5a0ce805aa596b49b5cf0cb8945e874918ac40421a154b5dc1dae2327b711d4bd0f5768d2bc1b0 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe
| MD5 | 1ed391b918ef23ac713ca8d458efda18 |
| SHA1 | d435eab830b86fde364fd56d73bfaa020d152b68 |
| SHA256 | 3e0219232a42674ec7f0bc6f82294fd1b5ff09ac175383b987776eba4b7e16ee |
| SHA512 | 373ddd98e822e033ef2cd56ace60800b23a04a6ce10d2e51df35fcb9004b5687e697f29db16afbb2bb0218ebeab60f9ebb027774253e1e781c81f5872461d98b |
C:\Users\Admin\AppData\Local\Temp\AAgg.exe
| MD5 | 81873592beae7eeebafe66785cf54843 |
| SHA1 | 31221321b8df38aec2df8e5074ed32051a460151 |
| SHA256 | b6b77fc84f33fe9838825477f030c09aba247edabb730959ab2a24c494619742 |
| SHA512 | 68463e4282c5922cf3fc398a98547eb2d09a0cab5ee7ad2a97f27982beb48db6719f35297d68ae01f149ceba3e122ea8aa5b232cb0e99c4da9f04866decd3025 |
C:\Users\Admin\AppData\Local\Temp\Uccw.exe
| MD5 | 4d53f3ba434e8edfe4f92a16fed7cb3c |
| SHA1 | edfc5439257b5da11e8a478f4919f254a4c54014 |
| SHA256 | b834a11a7c43e26ac3c6a8e342d2f471a7890a7ef50a1c69d9513228548f0817 |
| SHA512 | f54b609949c5b23080cfa09244ef4b882ecdc1af86af69d03c85274885b603dd8835d6445ae0aeb2b285de3822f80276cde450921776231199311bd40bc18e04 |
C:\Users\Admin\AppData\Local\Temp\mQUG.exe
| MD5 | 65b4faa560e75ed8bd4e2f75ed8cd92d |
| SHA1 | ea919305524663de658b6b9128f0377a8a001b3a |
| SHA256 | bfa5d34ba94682301bcd82c7914c1282eebb4eb8b5867e039e58087322e33ab8 |
| SHA512 | 6945455c6926df0c177ac9383e2b18deca35143b1127ef38a88826503772db3013980d8a24cf0874a7583919922dc72548490653d04654a834fe433bb7ddcb14 |
C:\Users\Admin\AppData\Local\Temp\OMcu.exe
| MD5 | 3a61f3922eea5035735baaf39cad162b |
| SHA1 | 2955591bf3c17f3c814bfb774da8416329b36b84 |
| SHA256 | 68df81790e444b57477fd8fee4a52d8e28b4a5901ba340590982295e6768a6e1 |
| SHA512 | 60df78855cc11cdc3699bda1b1115f3eb78ca7a32c4e7b86a16a60b75804092e30dbe7c15c6ef4b17bd9256b2f8398b3daa32fc58489326b7233ada604c5eadb |
C:\Users\Admin\AppData\Local\Temp\yYAc.exe
| MD5 | 481fb915337273f7a3d03b126c48f74c |
| SHA1 | 66a2efa57602022ceeb5ed8022e0944742cecc7c |
| SHA256 | d31019d1ffd50df5522f1c8ac6cdd9fae193e48353babd6c19ffdf4c71725429 |
| SHA512 | 36f74f69c9648b6a3536fe44ea154b70e9f9d73ce6f33edd18ffcea13fede3cf5787d0a9706a2621d46703830fe90317172043522c1d7ae380a6bad2968bdd49 |
C:\Users\Admin\AppData\Local\Temp\EMgm.exe
| MD5 | 0bfa79e2de454048e0a7e70c1c1ade57 |
| SHA1 | 4b2216963a7402d5b328cd5b21f4562ae40f16b8 |
| SHA256 | 5e84ca810728ddafd894d19b0e3276dff26bff2ce5aae87eee2c1950d80d2750 |
| SHA512 | 97049f6ef445d0b778c5989fa9ef71ab7de50ce8ef67a9eed34df73bbd2026b4760e77d8f0ef0dfb34ea2b17f4284876bb143b7c53d893851ae1f7601cd013d8 |
C:\Users\Admin\AppData\Local\Temp\eMAK.exe
| MD5 | a9c5b2443abe0e783f3e652a69df546d |
| SHA1 | 85f5cf32e4e13f9f12dd6f310e6786db872718e8 |
| SHA256 | 838bb96e1d8970c7f6a0e15a4f6e3912e385aca3338ce5dc92d19fecc6d13146 |
| SHA512 | 902fa7ad07e5ba0bc5d3e5ccd20b8f8190ad1d43f36c15622cb4b4293094b6b2683b08e4fb99600079d83fc656934cd305608084a3b00a8fd94f24874d46298c |
C:\Users\Admin\AppData\Local\Temp\GYYu.exe
| MD5 | 07eb7d5506755b16013591d4d89ed82a |
| SHA1 | b93439f63300b999d6f55da77f50930a11271d0b |
| SHA256 | 1a01a7895e1554d1d8ad3e4252c91d92a1f50fc9fc62fc561f45a2d79aa95ff1 |
| SHA512 | 31569984a68929bfb8311348e0de39fa8318329ba0bf1c19456e0e7aa6013d0775359005fd2f6d86e8a9aa10d3796f3fea806aafd4bfa10203fd5d9d0df2409c |
C:\Users\Admin\AppData\Local\Temp\UQMe.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\cMEk.exe
| MD5 | 20fff97947754cf49aa537a0faadc3ee |
| SHA1 | 3212630dd51ff69862e982541c7453449b6d4c1e |
| SHA256 | 1adcb2196705b7143d7704ec962de14461012855bb49f05761c313fb7ac0e14a |
| SHA512 | 0dcd11c25484022361ffe14b481014c748f5c0c8ee2e6b4bc3f498460c2c11e3bb84d81a7c6062a9c3940f61ce35088edb61c9d480306db232d5ad7045ce0a60 |
C:\Users\Admin\AppData\Local\Temp\SkEG.exe
| MD5 | 99d8d1fd9979ae7cfa42e4efe9986808 |
| SHA1 | 0c111b118b5b4ce72e85e13881eb004cf76cbbc7 |
| SHA256 | 2e826c3630d13fb8a7f8776dfe4cf1963c4b80304bd54ac81fc930ea731c3bd5 |
| SHA512 | 7e17d06eded2b8b98735a3ca165644cc969327281c9c03a11938f4969aad30e547e1473c2054a6bbd3dcad5c99f864e56856fdbd4bb5199606da7ba7fd6563e4 |
C:\Users\Admin\AppData\Local\Temp\icMO.exe
| MD5 | a68ac59a1e19ef5a07fa37682414fa4f |
| SHA1 | 8dbae27dd3c17441a9edf9f3351dc44838257ce4 |
| SHA256 | 6117c57984049be6b29bc5d8f52d0b699b7bdaed342d0ef465bc61e5c4f61f92 |
| SHA512 | 901cf79305d2ff775ad6f55494fa29d5b6a83be0ee97fefbafee7fc1d33d5d54d98678bcef5c649c1b3bf1a572fca135d8a83a68956b703153029de7ccd2eef2 |
C:\Users\Admin\AppData\Local\Temp\mgII.exe
| MD5 | 32d7f5d912e6b7f4d9bf57d6adc6d850 |
| SHA1 | a9d18e7b36d241802c49ebacd63df60f2848acdc |
| SHA256 | 641b7cee28421e75b45a8ee1980dd382988f080deca23edddf4f353cb11bbe13 |
| SHA512 | c8da18a54690ec3923af90a0902db4314deffa818ccae74be2ffe0069e8f5f1b4ce183825fc073c4cc068ad6844be2a5714c9e1e1dd6fab83f1e6597f054d1e4 |
C:\Users\Admin\AppData\Local\Temp\iYUm.exe
| MD5 | 6caf710d277332afa335486ab9bc9363 |
| SHA1 | a8d15231b702afbb44b179987f75d4cdc1b6a7d5 |
| SHA256 | 0cb205b1be83d4b41609ef5508eece83617bde21b8c28d2279c0fb2acb99dffe |
| SHA512 | 3461c465184b0050a350996dab9cf19d0fffb4a914cd983faa5840aae1c5e63789665f5bbfbf8574d21bec3b2b1cd558f5f7f3e142e79bf6353191bb6f7d0058 |
C:\Users\Admin\AppData\Local\Temp\IkIM.exe
| MD5 | e1463531d1a801a6f17101c7cba3a818 |
| SHA1 | b8a61c1149153cc30f5da4c82dfd14ba58cc1de1 |
| SHA256 | cd67c5703acc0258a1947d6a0629a1ebbda1d9f2c297988c70440a374375b90a |
| SHA512 | 65672948ad178f8dc51b164b124f82364e764d11b17fecfd7dab841fec4427b15730937e8b58925f6354c1362a169ca1da771434a64ec680029d4aa0ae3c3a43 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
| MD5 | 60e7148e99be4b71e6cb03756b9e60db |
| SHA1 | a39c83da2a81ff18069f1dcdc6df9c9842933c31 |
| SHA256 | 3063fd909af8a1c28fcf17e9d2ec1c16f48d46a3aaec982436db73a6c7666e32 |
| SHA512 | 73b89bc9cc1c9b21710cfc008a1f34cb9ed1a123fea81000100d0ee3162668cdf9728f560c297fd74dc14244e16b20c0ee8fe83103910eabfc25f9d1b0edc652 |
C:\Users\Admin\AppData\Local\Temp\AUUK.exe
| MD5 | b511b2efed8598739131301dce4efd86 |
| SHA1 | fdc5392c76f96d6f476c4fe36b5195957f26ee3b |
| SHA256 | 35d031a2063b26b05bb2ff3cbd9eceeb1f00e984be86a78f57f52a9010ddd74d |
| SHA512 | cd39a2d99d207dfaa49f2d1869baefde3bad0bae5d96ba4d062d807b0366a8e82af087ff098edfe5c7401b8366498c3f4546198e9e4b84a74ab77a7e059bffce |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe
| MD5 | 52d583fc3ff98e8a46ce2980fc8c5903 |
| SHA1 | 4bc763209a0dab414802e309d873cfbda61e7ea0 |
| SHA256 | b1e81012a6e5cb6641dbc7be844f935cde54292ff4d6c7f51fa7103246ec4e27 |
| SHA512 | e910daceefc573bdcdc2dba2c8a47b658d10aa4b9612681fa80c08e84dbec9b49dec0face5bb19f88e4afa93a7e5e3d281a853a252c55ded38237ff88526b1b4 |
C:\Users\Admin\AppData\Local\Temp\uMss.exe
| MD5 | 7669e42befdcb90bd6f296c735de75c3 |
| SHA1 | 8dc40be2eb6b7f49718f5ed8cc89447514cb98f8 |
| SHA256 | 62f0246de1d5a378ea8448cb7ccfc6fba60a5a3609efd7b8fc8f30988b5b5060 |
| SHA512 | 62ff6e189816c1ddcde45b1d546af673027a4fe2b8a50832c2b3cccb4cd074a793965fb0d7a927bb0034bce12556302d2b789f4ae62ddb8a594553a4dae24022 |
C:\Users\Admin\AppData\Local\Temp\SEIU.exe
| MD5 | 237bed7561a684504470ac8690424003 |
| SHA1 | aded780f0b42c9ca1ee196736b2631262c0a6aa0 |
| SHA256 | 421c1005b18500715dd6970699f7b6f8815575559c428b6addef5b5188bc0d94 |
| SHA512 | 5511b3360f9e7aa33d951a7d0d359cff0ea0b2b11e980de2f21fb038c4ed0bd493daeee95620a982b0a1afb1c63a199ad26ff9fcef0d0d4a51e969015af3dd88 |
C:\Users\Admin\AppData\Local\Temp\AEUy.exe
| MD5 | de9c73ea18ad303a172ff1401f4600c7 |
| SHA1 | d9e01a2b63bb226480f2a87556b5c3be02eacd74 |
| SHA256 | e523268ec30d7b4561a07505b7600f2fabffec7080586c7261e53e2c249e9a41 |
| SHA512 | 0b11ace35e79c861366cc7f55c4c63a9525f4a6de6f7abe33c11b5d7440fcb32b62a85f6ecf322fd3f271b46f39a4b87d61b4f685781a577443456ba5122f040 |
C:\Users\Admin\AppData\Local\Temp\awAy.exe
| MD5 | 610dd5f3818afa98bf7a972bd3deb3f8 |
| SHA1 | 16f119aa758628845d7b62e80bd946cb48d062d0 |
| SHA256 | f978d59d852863faa1e2f73e8f86bd56ae2fc2ccfcb61e3546008a587cb3ab25 |
| SHA512 | 66e84db37e6eb8cd0a3673c46c8ba6364ec87d97151b1e7e16b36be70972d78a364cc95ab26919dad30fd2f192cd85f6a02afe9a0a1451065d1e0ec3bd1c6ae5 |
C:\Users\Admin\AppData\Local\Temp\eUAs.exe
| MD5 | a03f51a87bc148a610a6379ad178c1de |
| SHA1 | 4694dd918990ea7a71f7d48a1519ed2da2cd4f16 |
| SHA256 | e05f6888c43d4d054e051472adce880c22d20f5e3f0c447745aa2b8e6eea915f |
| SHA512 | 47fa8692f4b8eeab550d2d3dfb0221d190633521454beee25c2a5e2bfa370ded4551fd1fa11ea13507a01571baa6ccd80de06a25104eece63ffc813a45e10689 |
C:\Users\Admin\AppData\Local\Temp\KMgw.exe
| MD5 | 663b6540ec61de5911257b9809e66b4d |
| SHA1 | f48e436688b1c08301afaceb04e4e4075f44899e |
| SHA256 | 3dc28464bee95ee8b4a018d2ddb88be76b932dd680c0c8d1d3c01692bf4a1cd4 |
| SHA512 | af0ef51d8f7684413d8370f6c962d134750bf2df45aa9719e51aef3afdc3d82baa64149b66d738171496c3f87f6a7a57b180ac019a2db343dc198c28dfb428d9 |
C:\Users\Admin\AppData\Local\Temp\CQYS.exe
| MD5 | 6a2a9376e1f8934c098c3d8c997ee3b0 |
| SHA1 | 868e2a39d596e587ea1bfae6e475bf26e6915d5b |
| SHA256 | 6d74177db579b9af574a6cd002c63294251aaa2a83c9fd67deacdfd1d88ec5f0 |
| SHA512 | de6d82842644373e0916e6af87deb3b1be4308585193d34ad0048c83e24f5787808b25b00d14f50a1bf296769039229709b516cfebb5c9d1dee91ae3581133f3 |
C:\Users\Admin\AppData\Local\Temp\MEQY.ico
| MD5 | d07076334c046eb9c4fdf5ec067b2f99 |
| SHA1 | 5d411403fed6aec47f892c4eaa1bafcde56c4ea9 |
| SHA256 | a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86 |
| SHA512 | 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd |
C:\Users\Admin\AppData\Local\Temp\iIcI.exe
| MD5 | b216fdfc5883d667b758fdb98c087511 |
| SHA1 | 764833cca2e71be51c78253638562f8fb42aad6c |
| SHA256 | 89fcdee668273102d9d6a7b374828763738516ae7f3f5dcae14682e191f02c02 |
| SHA512 | 230b89478b6b828b8e0d3ab349d6edc1e810fa3b767823b740dee0cfe1f62162e6a5a1152ecbb44f9b2a478df4f5d92d89afc4134d184e37d37edb83e741597b |
C:\Users\Admin\AppData\Local\Temp\Wwcm.exe
| MD5 | 09bb1a6eb5034d0c1bd2b96024cfd45f |
| SHA1 | 0c9d77c388ea9c906d9542e3747b27cc572d69ef |
| SHA256 | 02f4c78a9f818ed0027b08191dc04da8b7047d5ae25d370f4920fb15fc6870aa |
| SHA512 | cfe9cb9d4587ab4cb8f1d1780b30265f49f8cb285fc5daa802f3b40178d1f4153276c12f5a4e66a20dabbec823dc17ef4c80395675133e0ad1235f13c4705047 |
C:\Users\Admin\AppData\Local\Temp\QoQG.exe
| MD5 | e4201bf5184e20370a6b387bb5ca2b6d |
| SHA1 | 7806aabf43dcc427025f891ce4510f8a257f9957 |
| SHA256 | ae4732c54aee8829003801ed708f24969a187b486330eb7a1b45dd74a6b44772 |
| SHA512 | e8d66fcc7e1ec463cd68e571e3be342ef9133b3a58cd5aea34dd454c30b2d0454661aa6cd33b0bfb1924421763d584e8336155547b78e0cd18f7e7c3e9055abf |
C:\Users\Admin\AppData\Local\Temp\MQEy.exe
| MD5 | 73a5d4a39529f679bd0719d09f641b7f |
| SHA1 | 6134de8a655f2911ac9991d75d20216bc80313df |
| SHA256 | 2b020f5c23b5e3a2b2e975b3d4de10c28f1a8bca24175bd84915adcea0ce07ef |
| SHA512 | 81720d21c67226a0ecdfed7e9e94963985fdec6b055f87f8d66d0bff770cc52d4bc44c21f36aa6425f4d9f0c575e42e98f4c6bde33ed1c54cdea45f1d604d74d |
C:\Users\Admin\AppData\Local\Temp\GoQC.exe
| MD5 | 1e156ea1dfa00c33c48561d609b71bc1 |
| SHA1 | 4a77b851bfa3d226976987c9138c39c7e6b7009e |
| SHA256 | ac45cc8bb888f55ed735b184632f85bbadecfbe5dbdd34544bbcb433e5eb86c5 |
| SHA512 | 03836373af2dd8ee5b8d3f6a90593a9f5f3e8ab25407af6bd52112b473d01fa9750cc3601a501683c89a07ec4816b2faad70276c9a38d3e6997d7a64fb070416 |
C:\Users\Admin\AppData\Local\Temp\EUMM.exe
| MD5 | a3f93ed56eb3c89a7ac91189a7b9d298 |
| SHA1 | 3587663315bbfdabd91f6983152d1ac374d7e23b |
| SHA256 | 8ecc2d70f13ab663fddfb1df4c5c6bf9d3e5666c42ddd63f3bbac19417e6f517 |
| SHA512 | b075241e3e2f0498197d4c46a3ea4bb8183f5aa03f27a252d6796fccc7ae20eaa323a755c9cb5e98f7b325cfee16b095a8ff003a32752b8e03c01a069e644f13 |
C:\Users\Admin\AppData\Local\Temp\ysoS.exe
| MD5 | 573a2ff469bd2b94d8850e1df99de989 |
| SHA1 | 46f893cac0dd1cd90eb8b215f98db466d8dfa886 |
| SHA256 | 88a4f116747c98c4bb13b7dec9ba5d4c87eda71bc25351586370dcb150d10e0d |
| SHA512 | 1ef2dd15d55c79313e19c45f3fd359b41b2b19ff951d22ee0aaaf5440670d80d436394c8e6942ae2490ffc0fc60699c37c06b55875259e5baf0de7d514e2a870 |
C:\Users\Admin\Music\CheckpointRegister.bmp.exe
| MD5 | 44de22927d69595c9731aa4868f0fe49 |
| SHA1 | c158331d59cddfec056c73d05b99f4b5065a1089 |
| SHA256 | 34d0f93ce372992d2c53c9e0a8eddaa59c99384a9758b8823287304be0a59bfa |
| SHA512 | 746d70b95b5699a681711e8b4e6424ffa0f2204b1f137ae4e710111b38a90ddff5db3598e5bb5086c04507632cfdf14e32667677262022c81d11936732481c29 |
C:\Users\Admin\AppData\Local\Temp\QAIa.exe
| MD5 | 76ba2857aa93c8210c0618ff3a4b0926 |
| SHA1 | b317f75ca88f5d414fadb54b13d8eb21b76f6dd0 |
| SHA256 | 5393fb3f4dcc4ceea79cb501da2c9c318ea6ec50b8c6b61cbce2f4494b4d7a42 |
| SHA512 | 800849f6b2b1d9e20b2a036effe4822b8d85208030adb687dd7ffdca33a694dba8f40187adf62b2c6dfe7b36a17b9d0bfd994d95706eb94c5a1f1388746d432c |
C:\Users\Admin\AppData\Local\Temp\Woss.exe
| MD5 | 0fc5ed1be193cdaf4a17a733c2759e18 |
| SHA1 | a3b68f4d0e90fa4012122731d11ac121d453d917 |
| SHA256 | 1fd28a886421fa9e3593152a1fc14fb7446404eb00dc662bf0d7dd936441c053 |
| SHA512 | 287c1deaa4de99d82f17399f847fc2ebeb7b197b797c1532989c523f91280c8b8945bf1448adb847c8c00a58631f2d5ed3c1ecd1988f16425991091877a04305 |
C:\Users\Admin\AppData\Local\Temp\uUAU.ico
| MD5 | 7ebb1c3b3f5ee39434e36aeb4c07ee8b |
| SHA1 | 7b4e7562e3a12b37862e0d5ecf94581ec130658f |
| SHA256 | be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742 |
| SHA512 | 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6 |
C:\Users\Admin\AppData\Local\Temp\yMok.exe
| MD5 | 3b342f0d3fba4d369aa3f3329e102582 |
| SHA1 | 14b69bb839cffc4c16efbc88cab790b0b0c48656 |
| SHA256 | 86ac7809f209c235b6ce3f7f8133b871591c36a1c5c74a18ccc1f7b433515810 |
| SHA512 | 872381acc187389a609a9ba718b8979ae4794aca9760a65a1b9d0a8d9c52ae2588134e71b5c1136b4db9e9646958d60a38f1f33fc319481d4c7351864923113e |
C:\Users\Admin\AppData\Local\Temp\QAMS.exe
| MD5 | 744fddbb9e4b1a1fa7f00406e421cac9 |
| SHA1 | 2e9351b4341f5e21e43b857457da36e3ea1c670c |
| SHA256 | 059573cd478e46cd760de70bd08b9cb5418fdd9a77fd4bd02222289d2538b50b |
| SHA512 | fa23fe011e34cf119b91f257b66971b68bea424c73df8b47b7d4e8c08f4ab4bee464f846c92c743e16f9d0b24457db0b32a42d3a90931e117bbcb5fa530ccbcd |
C:\Users\Admin\AppData\Local\Temp\CoUe.exe
| MD5 | 492d3faeac28acd9e3a5926e224b9f5b |
| SHA1 | 7121fa4ce47a4913eb58832d79668cc176516608 |
| SHA256 | 144466a42a90c9118e2aff96f7e877ba584e5123a3c5de2569744db2bd6490b0 |
| SHA512 | 20b105f642766c81bf56dcf8d3f4716ba8454648a51d9ce6f6f1de229d10c246db1c10114daa370a30622a86dbd7ba5136df11f11e96ebcb4b5cad51b381f0e3 |
C:\Users\Admin\AppData\Local\Temp\uUwC.exe
| MD5 | 9697b0cc89ba8bf4785b2e73c8f087c5 |
| SHA1 | 830f80d248e493833f385653b29cca5e64bdd0ca |
| SHA256 | be61162dd0ac700b688849b20333620643b5e33b7e239dbed89d410c91c5347d |
| SHA512 | e36a85bb9584810e2c0ecf6aa1355a84b02dc002b3ec12f1f6363821c1ceed0b765f330fb83db7e2448563e7ef5ca6d1f46ccaf22bed1d23bf1ae7c43b1afec8 |
C:\Users\Admin\AppData\Local\Temp\ugIY.exe
| MD5 | 46c838b9f1b557efa27ea3deec2ac20c |
| SHA1 | 877e85537a5f888479b139189b6a8425ddcf0bb5 |
| SHA256 | 3131c78ef5ab30a2190baa788d16223d9ab3511d1d3ee617e587f69479686ddb |
| SHA512 | 8c11a95efa938d55520345bee2a82a5395e7b0e59366af505f2c2d0c63739c0ad05b046f765dd1bd2d030dd4725958554e3832d90903a0e2fc3f49c939c68465 |
C:\Users\Admin\AppData\Local\Temp\KYoY.exe
| MD5 | 949bfb4aaa4b9ea67f7446dcf64ad902 |
| SHA1 | 5d40e585499f99f5a7bd73242fc7c4bf306c2123 |
| SHA256 | b63c8e8745ffdc37f34e3dac5f22699ea5d2d27d61e62d24c11bb85fe3072ab3 |
| SHA512 | e66a5be0b3c6b00c2896989644e3e1ef7f4d5ac5b831df2026737855d1c56e54481c11520aeaaa189688c6bfdeda7d54c4c6b7c0019628070b910d868ca8f211 |
C:\Users\Admin\Pictures\RestartRedo.png.exe
| MD5 | 77b79abb6cc62852fd5eea3106327918 |
| SHA1 | 921dcde76ea7090fe6c793eff5c0c22c65466ce5 |
| SHA256 | 3622586ae7e29b6ecd5a77d70e7deccb392cf7563e400a3740069778c3414af0 |
| SHA512 | 507bccedbb1007a26923e8c68d3173c2c23f67f24052465bb2498e30f2c29871e9b4409070b481e5b3cfc87ff42ee8e5ec7dfbf5e8b55480c44b237f0b9e782f |
C:\Users\Admin\AppData\Local\Temp\wEkU.exe
| MD5 | f4468fa1c222ee1f05f134df83cb39be |
| SHA1 | 0694b3e0df5374699947b3b04bd381708a2930e3 |
| SHA256 | 8a75dd2e28defaee0edba40cfa7b0ea7f4498302f438ba1698a23c777cf4db77 |
| SHA512 | 7d332d615fa5ec171924b0f2dc3dcccfcaebc19c2ce46c93a47107f64f951781190afe89c8b769372a2a9ac591f31c929a3b9b4ea4ef6bf602f78fc130d37264 |
C:\Users\Admin\AppData\Local\Temp\KYAg.exe
| MD5 | 8dfa0d025f018e8c28db314fa925b971 |
| SHA1 | 1283499f984b14d8398dc6f75d778a82701a97fb |
| SHA256 | eaa2fb691406d5b8e8b29d158749e09a470ea836764a9fc7795d581ae344b240 |
| SHA512 | 10a742693cab8313d1dc8dcb4e516d5014b33d29bae479afa3098ae5fce7b6ed4b56bbfbfed253baecdf662e862220fca9b4e5cd71648342484cd0f6c767954b |
C:\Users\Admin\AppData\Local\Temp\kAYk.exe
| MD5 | 7fc2a6e9059482375939ab4d1e0b84bb |
| SHA1 | 64c802baf36e003ad083fe2b41e956d0a32ad9b2 |
| SHA256 | 1a94d18748fdc13cb655a19fec1791c3fd65c2c056b137bc7e10ce991724bc89 |
| SHA512 | f91fa69e1418dff42d661c2f63214c56641bdaa8d1a7559f0d10d80f471f3298861de78ff9171de4d7c1a0b4c3a6de8cefc6ab31efabf5d3adadb152612755d1 |
C:\Users\Admin\AppData\Local\Temp\Wkka.exe
| MD5 | febc1e22b1075bebcbb51c567ca452f9 |
| SHA1 | 3d825ab0380d4ed574956bbf9c1213aa1541324a |
| SHA256 | 8b0244961fb6dfa982ee29e2333c46f9b5627135d4cc55ffd7d3c96b6a925270 |
| SHA512 | c3f3b839ec20ecf1aff8a6929bb509f9bee92e666be66fcba5dd53cda9c971d72f67e134104f1884d72258d2f5c6adc67f293044dec2a343d75cd6b95ddd4fd0 |
C:\Users\Admin\AppData\Local\Temp\ocEu.exe
| MD5 | 8e8194aa9b9770ad8859e36404865831 |
| SHA1 | 72d7c99a8622782b06a2662518b1ea510bf9b617 |
| SHA256 | 7a608eca7f7d4f4518b0469ecc820eb0cd2955c1486727c241f53e66f9138694 |
| SHA512 | 01672f8967f140af4886802531880c2c2aba90f98231eaa925a30a12b402587f472fbf3203c7664c820042f0d344e0b34220651a58e98e25c9ab0405b81dd78b |
C:\Users\Admin\AppData\Local\Temp\qEQk.exe
| MD5 | 0de626068f6b4afb6e932d96121d5463 |
| SHA1 | 963a8df7f49b9be37c8a943901b5628ebaa48c00 |
| SHA256 | 45aa146c7821c177d00a1ef25d927d216bb9c7514f482e722507a26dd2de3b9a |
| SHA512 | 82524275c4f2296776d942525cd22feb52bf46c9094571ace12dc9d7a18bf1328e4b3eb295277c7e17dfe03edbadadeefaa49b9bfe3707fe3644c01b80c944d5 |
C:\Users\Admin\AppData\Local\Temp\UoEg.exe
| MD5 | d09159b12d24a169c0acb5ce1e82ec9f |
| SHA1 | 61d75a87f9d5229ece954f5a5b32b86ee3721e82 |
| SHA256 | 30a264bca024f32440282537a01058e66a9c63a1961cf44cc461da261dc3b1bc |
| SHA512 | 331741db9aef830e579c57c406f45e355c9712f6d544d771508f78693d084631eb764f160e8c5b3447366a0f567db88346edbec599c75d2db20222f85e583ea9 |