Analysis Overview
SHA256
ae902131766463db3d8a54a584cd6de03bd2ef4c50e57401ad9ad501261f3501
Threat Level: Known bad
The file JaffaCakes118_046457cbd394579894127270aafef150 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (51) files with added filename extension
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-15 06:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-15 06:47
Reported
2025-05-15 06:50
Platform
win10v2004-20250502-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (51) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe | N/A |
| N/A | N/A | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
| N/A | N/A | C:\ProgramData\NAMgYgAU\tYIUEgcc.exe | N/A |
| N/A | N/A | C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe | N/A |
| N/A | N/A | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hIUMQYgM.exe = "C:\\Users\\Admin\\ooYcIQAo\\hIUMQYgM.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OOwUMYAw.exe = "C:\\ProgramData\\uMgoocUU\\OOwUMYAw.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hIUMQYgM.exe = "C:\\Users\\Admin\\ooYcIQAo\\hIUMQYgM.exe" | C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OOwUMYAw.exe = "C:\\ProgramData\\uMgoocUU\\OOwUMYAw.exe" | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OOwUMYAw.exe = "C:\\ProgramData\\uMgoocUU\\OOwUMYAw.exe" | C:\ProgramData\NAMgYgAU\tYIUEgcc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hIUMQYgM.exe = "C:\\Users\\Admin\\ooYcIQAo\\hIUMQYgM.exe" | C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OOwUMYAw.exe = "C:\\ProgramData\\uMgoocUU\\OOwUMYAw.exe" | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\shePublishFormat.png | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheResumeUse.docx | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\ooYcIQAo | C:\ProgramData\NAMgYgAU\tYIUEgcc.exe | N/A |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheSelectResume.docx | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUnprotectJoin.xlsx | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUnpublishExport.gif | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\ooYcIQAo\hIUMQYgM | C:\ProgramData\NAMgYgAU\tYIUEgcc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheNewBlock.docx | C:\ProgramData\uMgoocUU\OOwUMYAw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe" |
| C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe | "C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe |
| C:\ProgramData\uMgoocUU\OOwUMYAw.exe | "C:\ProgramData\uMgoocUU\OOwUMYAw.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\uMgoocUU\OOwUMYAw.exe |
| C:\ProgramData\NAMgYgAU\tYIUEgcc.exe | C:\ProgramData\NAMgYgAU\tYIUEgcc.exe |
| C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe | C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe |
| C:\ProgramData\uMgoocUU\OOwUMYAw.exe | C:\ProgramData\uMgoocUU\OOwUMYAw.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyYEAgEw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmQYQQAk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGQoooUw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGYAsUQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqkcoQQs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQkUkYoc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcIcMskk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMoIQIEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeQwIkMA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKkYwYUo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOcIUcgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsMksYcM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMooAIEE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOwYwYIg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McIQwskk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MakwAUMA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laUUQYgA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoQooUAk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOwEcMwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSYEIYAo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UucYYIIA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIEIcwok.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAskooEw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byYIcIYI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeEUsMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiUUsQkg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omAoEsgs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOgUgkkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGMQUEME.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe"" |
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOgwEsoU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIgUwoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogEgUEgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOwgwsIg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wggAEosg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSswcMcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiggkUUw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYAogMAY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOgcAQYY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEUMgEsk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f13a122fbdec339146125bcccd44c75d AOQyA+p/uEazGqryqxqslA.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaoMEcMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAsEogcM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWIksYMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMkcMgME.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOksgwQU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWMcEkko.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MssAUgkE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEQUcQMg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSAwYEgs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scUQcgog.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoYYMIUU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsIYgwEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqwIQkkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGQAYssY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsQYkkwo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAUsooww.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROsYAwEE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkkswIwU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmMowYQs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcwwcYYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwwgoMos.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmcoQIkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWMAQYgU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiAEQMYY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGQogcoU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcEAQgsk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 104.115.83.49:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.251.37.35:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | | tcp |
Files
| SHA512 | b42a87112e5e7cb3ded0fd8d3c7be923faf3deddfe117390244ee6205fb53c0f9d9ff16840558e2c2e27c23ad6f788c257e70592cbd37a86bc065eef494af6f3 |
C:\Users\Admin\AppData\Local\Temp\AEYu.exe
| MD5 | 78ae88954619a91f3697cc07ef25385e |
| SHA1 | 07dee853513f7c5ec3a06925bc1b27290c81879e |
| SHA256 | 044392a0cee64f02f991d51f32479c71c4faa14237454df5bb4e597591fcc1a6 |
| SHA512 | 59643ea7167bbcc6621ca4431014de9c61f635bbb029fd4ed25148e9da7d570c8e1e6f5e001a2c2a05d6585c77a1cf9b65c4fb535cc37549461538f057030d63 |
C:\Users\Admin\AppData\Local\Temp\mcwY.exe
| MD5 | e59d58bd9e8a82e722da0a50b5c37585 |
| SHA1 | a23a99a75db2de524f25095ae8f5da49dade5c4c |
| SHA256 | c11e5ae280bbf0bfc9f9059e8568ba08495bb818e20d1cf047d53c5559c3006e |
| SHA512 | e0ac6ecea31f7340e4a64b7f02fc75af7471b50e7c9d018835321be07db8624276c9d763f63bf7986cdac2edd590a1e44b27a3836c9c7ba7808b29eeca5725c2 |
C:\Users\Admin\AppData\Local\Temp\UcwE.exe
| MD5 | 796865e88f495c4c1976da8bcd0b68e3 |
| SHA1 | 43ebce5b22792c57777882c69d020b8068e180b3 |
| SHA256 | 6899f490345485b15712fd38ccf279a3dcbbede82bf794abbab06a2b762966ce |
| SHA512 | 69e81ded4a322e9ddae77135391e465e7298671e823772248fd79ffeae3d2b2b7e7f496b8d6be0a35a115c6a063bd092b6fa7235958656a037bee47ab15e4ad1 |
C:\Users\Admin\AppData\Local\Temp\kMIg.exe
| MD5 | 60dc4c88c3e8b71ca5dfd86b497f411f |
| SHA1 | 097692cdb2a29f70921b371ba7aedbc1b23ea406 |
| SHA256 | b9ea3420f2b048f409c712d09f361d5d216a92b59ce1ba4fce1755ea45312c9f |
| SHA512 | 68aa6e37277ba7e01b5e0e1bc7b40bc247a250f61ef3e79dcae3d62617c17150f7eb657f80648e181702f5f817fd6ed84e5e3122b81bb6c9e4997d6b4037538c |
C:\Users\Admin\AppData\Local\Temp\qIwa.exe
| MD5 | dbacabe21b18a29d896a4a42ce49cada |
| SHA1 | 6dc11f52adb3bb2164202d13d41819d8dc2fb74e |
| SHA256 | 417800fbd5b6ec6aff2136631601f18b88ae1d4b7152d680baa9787a6af590ff |
| SHA512 | b8fbc42f1adcc7168ed2aa16684c5c6bcd972cc06cf2a85c2e2971f00ae513f4dd16e231f33750a5c048605bfe5ccd3df0726ce7deec2afe3a832f09f5dd7254 |
C:\Users\Admin\AppData\Local\Temp\ookk.exe
| MD5 | 0d01665e203a4d648c0409b13fbba9a4 |
| SHA1 | c164ffe02b4d0d444e559ff37ba7e014b99a9e5c |
| SHA256 | 26ff44415f5e2a93ac891e9a53b6684bd2a49c409c107831001249f898972e07 |
| SHA512 | 866eeee7c396a84388516d1998bc111f48d6272cad9ef8201814b3b9a13a18a3461e77c9077e988df073ada17bc9e9e384833cbb1c17318318267036830773eb |
C:\Users\Admin\AppData\Local\Temp\EAUo.exe
| MD5 | 67b8d10b7a59c3f333e44d3ac0022d19 |
| SHA1 | 821a82f168402c344c8d1154a4bf40a09f67f2ab |
| SHA256 | 3e8258f2400ab4534cf6fa8b9c411daf378638242457b1b17bbcb83439b9f226 |
| SHA512 | c730221a63799bf6ee76bd77b612239e24570f743ece225cf974a11e80ba4c518f14314e32b294c9a629711ae833dcb28518fa411da9f8372683bb0596511c38 |
C:\Users\Admin\AppData\Local\Temp\koEo.exe
| MD5 | ddf602e2f9b440afa74d54c940ed60ef |
| SHA1 | 97b1da42fef5972802c748a93a0827cd28d02c57 |
| SHA256 | fa4da51c611f2ae67f901b91b813a3786e91d507e886cb957523dbe7724c980b |
| SHA512 | fecee120816e4558b37f88d0f7d4b388f7e5ee2410368143cdbef776bcf42f1f46a0178946451c25a13043bc9d24827e1e6aeac17c7003e22e9f907ad5ad8464 |
C:\Users\Admin\AppData\Local\Temp\ycgI.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\qUYY.exe
| MD5 | 0adbbe68a5e533f4e4b1ea67cb3db388 |
| SHA1 | 42903747521f13f67d2ce568d9edc082ea3f14b9 |
| SHA256 | 8bfdb2c418fe6dd273386c08c8d475e89a803c987ee4462d2186d40ab864eda5 |
| SHA512 | 46b2c8fa1285fbd5582df989759d6cbd2726b5160fb34b1f044ae41a5ee1fed9227ddc9ac02a14fd698409b5aeab948f6dbf3480ba075fecbbbe4dbf8bc79c0c |
C:\Users\Admin\AppData\Local\Temp\MwQa.exe
| MD5 | 20026a4d9a29c4eb3a811405f522f8f6 |
| SHA1 | c49221976359e0f4a658849400b2d182608e3f7a |
| SHA256 | 96d50ab44dbc04261653e5f4b8682732135d6d899985f395b1038c62571a4700 |
| SHA512 | 731369c76d1246ac39955f0bc959dff0559927e9d6261bc2efb29c67b665e8b7ffc38a1aa2949aa34848b69146955bf63af31835d72dbab3f29d56d1d4404f11 |
C:\Users\Admin\AppData\Local\Temp\uMsG.exe
| MD5 | b7693919033c37700edf42c6e90c501c |
| SHA1 | a38a25a2dc9452a0770c5af8184a27908e19864f |
| SHA256 | 3aee31bb61bb9fe50470dacce8c080e48408b0a52fd59e2c95f35a1e580abba7 |
| SHA512 | 90a6c90f9c74531a0d324850caaa6b33103d27b2c7cfa727f0810cfa172781faffb8bc2a4e3ed7d957fd578405ba1c48de8d9623410c78f3bc96e7b021c3279f |
memory/2136-1097-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
| MD5 | c07c8cc929128cdf6de025e9268cc472 |
| SHA1 | 395b718462c55cbeef991f785cee7553c353d9be |
| SHA256 | 528243a8a2004cb6175cfd7b09194f70e052277fd0ee2456d21358fdebc440bf |
| SHA512 | e67dda0b3c3ad04a18c2682476afb32acf407cfc7b6f454fcec44885d2f6c21846fcd1b37863bb79f7a8abd4c76966b9fd431d7e69b0a41be6f33836e6ffb800 |
C:\Users\Admin\AppData\Local\Temp\QIkW.exe
| MD5 | 951b55ff2daf5bb50f6c4645fc376041 |
| SHA1 | 9ee1fcd4511da054c05fcfc778ff8cb246e566c6 |
| SHA256 | d5031e1433035c810df5ffd8ef71f962245c018f42cd0359ae7e62a37ba50c2d |
| SHA512 | ffefa95246fbbf7d72c7df89729e2ed20b6870183deeb8c489904b6381d2f8416a55691395431ec3e164e9037a14c5714067033fa774680afa78d2fc3f241034 |
C:\Users\Admin\AppData\Local\Temp\yYAm.exe
| MD5 | 90ed7a49347edc5dc940c7c821bae2fc |
| SHA1 | 6d6046f90f928944a7229098fd227efc52a5cf94 |
| SHA256 | a8c90ee371da640dd50d2636e047c520da2f376148f10abe8f999782287b8c9a |
| SHA512 | c0967837505607934b609ed20d54b32a72ab648539ab0e908082af10fd6832db21fa4fe12e7c6648fbaeab0cf3faf45b8482936b8c2cab445325ab526b3ba78f |
C:\Users\Admin\AppData\Local\Temp\ogAG.exe
| MD5 | b295112eb3bfc98bd188ebcadd3ee592 |
| SHA1 | b2fef33cbd0882059fa456eef3b6b6e76f45d565 |
| SHA256 | aeb322b29036aa19fd16e4eaa5b9c233dc28dfa87ba09521672af51e903871fd |
| SHA512 | 55081ea7530d6249ac111b670f5ae400de7729233ad7789c1ec6f70497a70d4f4ca0b08f6a26c634c05fb9690d0486e438e26aeb38490e716e66fe75f0dede9b |
C:\Users\Admin\AppData\Local\Temp\SQgc.exe
| MD5 | 33299844105440a65cf0a768cb669c5c |
| SHA1 | 5d3d773d7b4c61c092900a77f8e07d9f1788e42c |
| SHA256 | b8e4d03cd766c33d387ffcbca66f397403e2edadb12c02a9964ac0083aa7e469 |
| SHA512 | fc28b7b999c056ae7675b243696e0ac4dacf365966507c76e737ba9e4997a794563feac4ffbba9d0b6c395df097d1c2794ff5f3325546839c9ebf89e3ae2a022 |
memory/4552-1191-0x0000000000400000-0x0000000000470000-memory.dmp