Analysis Overview
SHA256
0c07ac694ef7558a4e2277d2076fb1a432992648748e38ac2b4db4beab1bc6d8
Threat Level: Known bad
The file JaffaCakes118_047c408df84c32f8d5712456276d1680 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (51) files with added filename extension
Renames multiple (56) files with added filename extension
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry key
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2025-05-15 09:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-05-15 09:06
Reported: 2025-05-15 09:09
Platform: win10v2004-20250502-en
Max time kernel: 149s
Max time network: 142s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (51) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| N/A | N/A | C:\ProgramData\SsoAQgEQ\ggswYEgU.exe | N/A |
| N/A | N/A | C:\ProgramData\VIUYgsog\EKAcAsMs.exe | N/A |
| N/A | N/A | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| N/A | N/A | C:\ProgramData\SsoAQgEQ\ggswYEgU.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RIIoEoMU.exe = "C:\\Users\\Admin\\hkwMwwsw\\RIIoEoMU.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ggswYEgU.exe = "C:\\ProgramData\\SsoAQgEQ\\ggswYEgU.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RIIoEoMU.exe = "C:\\Users\\Admin\\hkwMwwsw\\RIIoEoMU.exe" | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ggswYEgU.exe = "C:\\ProgramData\\SsoAQgEQ\\ggswYEgU.exe" | C:\ProgramData\SsoAQgEQ\ggswYEgU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ggswYEgU.exe = "C:\\ProgramData\\SsoAQgEQ\\ggswYEgU.exe" | C:\ProgramData\VIUYgsog\EKAcAsMs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ggswYEgU.exe = "C:\\ProgramData\\SsoAQgEQ\\ggswYEgU.exe" | C:\ProgramData\SsoAQgEQ\ggswYEgU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RIIoEoMU.exe = "C:\\Users\\Admin\\hkwMwwsw\\RIIoEoMU.exe" | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\gYkk.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\QUQs.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\AWYY.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iMAq.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheSaveStart.xlsx | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GQUw.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\QQgQ.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mcgG.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\coEU.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\mgca.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\yUkc.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WUoC.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\EMwC.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\hkwMwwsw\RIIoEoMU | C:\ProgramData\VIUYgsog\EKAcAsMs.exe | N/A |
| File created | C:\Windows\SysWOW64\SIow.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gqwA.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WIMY.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\skYS.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cgQa.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\kIwe.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kkYY.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\KOsc.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uWkw.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iIYW.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\asYW.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\qsgu.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\auMY.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\AOEs.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\CAYQ.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uYUe.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\WsgK.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\QOQg.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\coEU.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uqEo.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ukka.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kscU.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ooIU.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eoso.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sYoY.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MUMk.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IwQu.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qqck.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\qAQu.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\qkUY.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\asIa.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\CYUE.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\mYMS.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qAQu.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\WUoC.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oYUC.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\euko.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wowa.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ucAa.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\hkwMwwsw | C:\ProgramData\VIUYgsog\EKAcAsMs.exe | N/A |
| File created | C:\Windows\SysWOW64\kMAU.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qwMU.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\scYI.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\oYwY.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ywYC.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\OQoc.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SgsI.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gMQc.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File created | C:\Windows\SysWOW64\Mowo.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cyQQ.ico | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe" |
| C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | "C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe |
| C:\ProgramData\SsoAQgEQ\ggswYEgU.exe | "C:\ProgramData\SsoAQgEQ\ggswYEgU.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\SsoAQgEQ\ggswYEgU.exe |
| C:\ProgramData\VIUYgsog\EKAcAsMs.exe | C:\ProgramData\VIUYgsog\EKAcAsMs.exe |
| C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe | C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680" |
| C:\ProgramData\SsoAQgEQ\ggswYEgU.exe | C:\ProgramData\SsoAQgEQ\ggswYEgU.exe |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGQUEQkM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqAEMgQs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuwEoggU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSIsgscU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWkIsMYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DekMwEEY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KccAYcMs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyIsEwcI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lacEkMgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOwwYwQA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VecwEUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgkYAYIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EscsMsgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmkcgIUs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGsUIYcs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMUYswgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beUEMMYs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vScEAooY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyogYcQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoowEwEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYIwgcks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwQwIkUE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwssIgAI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQQYsQoI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyQMUcMI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUAQYkcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAIgQYYs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.251.37.35:80 | c.pki.goog | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
Files
memory/3304-0-0x0000000000401000-0x0000000000475000-memory.dmp
C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe
memory/3924-6-0x0000000000400000-0x0000000000479000-memory.dmp
C:\ProgramData\VIUYgsog\EKAcAsMs.exe
C:\ProgramData\SsoAQgEQ\ggswYEgU.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Users\Admin\AppData\Local\Temp\OGQUEQkM.bat
C:\Users\Admin\AppData\Local\Temp\file.vbs
memory/3304-141-0x0000000000401000-0x0000000000475000-memory.dmp
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
C:\Windows\SysWOW64\uYUe.exe
C:\Windows\SysWOW64\ikwI.exe
C:\Windows\SysWOW64\eoso.ico
C:\Windows\SysWOW64\aEAC.exe
C:\Windows\SysWOW64\WsgK.exe
C:\Windows\SysWOW64\SIow.exe
C:\Windows\SysWOW64\WwEO.exe
C:\Windows\SysWOW64\kMAU.exe
C:\Windows\SysWOW64\uAIi.exe
C:\Windows\SysWOW64\wIQo.exe
C:\Windows\SysWOW64\kwsI.exe
C:\Windows\SysWOW64\msQk.exe
C:\Windows\SysWOW64\QQgQ.ico
C:\Windows\SysWOW64\gMQc.exe
| MD5 | ed99ca261acc5a5bb14bb34d4da4a515 |
| SHA1 | e5b94d8a0229d9539fe57c0352aba1c74a405381 |
| SHA256 | adfb057653c47030c8e1d72813ab754a1c705d2eccee2cc41fe14dea875a4158 |
| SHA512 | ec4ea0dca25088c1afcd2c742d8433d158d89c2b4c0e6c9d4f12356ff253a19e63d4956bc0a5f09edace742bd57cdeb6f58682aedf79111b5dffeab9379de701 |
C:\Windows\SysWOW64\CQoA.exe
| MD5 | 124f03f00c24a506ea554d137801d323 |
| SHA1 | 9b1563c3806e68f4eb7d67c0f7c42d175f1d6020 |
| SHA256 | 5cb41d58e3fa98f58edd6c81393a0041664456a0fe8c89002a3a6cecc0ed7326 |
| SHA512 | 95d627acc63776e2f693ac291e23fa39d997ba4e9ab64f8492f940b9269265d3c318cc9fdaed180246cb6dedfc9bba10e0628643dc84203a98f836227327b5ea |
C:\Windows\SysWOW64\iIYW.exe
| MD5 | 35b67450d21d7151faf82b5a26561e5b |
| SHA1 | d42ea89d5d9bf3b1e683b8800652532d9ed7b1a9 |
| SHA256 | 314fbf1221ee8c0845507e68ee3441e58c836fad0a9492eb16ae00f22ab6a7e2 |
| SHA512 | 96ebcd4cce89fb57d79a4a4c5afeb3d3dd1f149fc652ca55444d2601370903e736d4e7f0d7c41729fb135bde03bee9dffabb6de4ed616402e20276633af50437 |
C:\Windows\SysWOW64\IwQu.exe
| MD5 | 0f331d24d6715081e2970fdfee0abb7a |
| SHA1 | 20ce288a8b4846b01db6a38602e0af8095e24e09 |
| SHA256 | f3e4e80fdd45b8a8b262bd71feca7248dabc998e086669cb586a1ba0e60c43c8 |
| SHA512 | 25d57c9dc01fb2dade0cb3d1b7b698033fe1933ed6de288c275bd9d927611a692a75481915c767695f818fa62622107c0ff7c1fb38106e3f06b35c9687fee167 |
C:\Windows\SysWOW64\qgYG.exe
| MD5 | 245b5bf5dc80f644dc6345c6f28ffb11 |
| SHA1 | 9f1681c2793b8f48a8abf3daf981400659dcb542 |
| SHA256 | 89b3c23708bbc6f7af35ab70e60ca5cb3de7fa162cca1c973559f5fb899ad5b5 |
| SHA512 | ab128511b5c35a7357ada0f367f25729159c5d99118a2a1adb1014cc94e35281108d55af7bfd3bb27bbb104a20d809161b90bec25306bf30f380cfa17eb989bd |
C:\Windows\SysWOW64\mcgG.exe
| MD5 | 1125e55fcb533c036ef18723b622f2ae |
| SHA1 | 00fd5c4f5f58304d1257c537621bd1a068896634 |
| SHA256 | 2f4f5877d82900f50c3efa310e83af3ac5c303e9e1e9f1c4c0793f95371032a9 |
| SHA512 | b249f330c2a848d900147541fa1c8b427ce7b7514593bb73f42876b8d6d44af567a98483ef18770ac7dd3906583a2b21689ab0b1e1365d317e40c6a40ee2ef4f |
C:\Windows\SysWOW64\yoco.exe
| MD5 | 2e5248d842e522ae3aef53e782dd1832 |
| SHA1 | 228bec46a14a2bf81bb2680b7fecda5a43b7faae |
| SHA256 | 4cade649048bbc58b70aaecda144115d9f2bb64b1e21dd8f5e1cb980a869dd5c |
| SHA512 | 02d30eb5daa87a19ddc0b5631667b7111c2c13edb8724b15ac56220e085d80961b620d93b58ca03a20a318e1c099e4a4c464be3b21f2878dc679f2e335a4b953 |
C:\Windows\SysWOW64\UkEW.exe
| MD5 | a615d12fb58d124521483bf684e46f3d |
| SHA1 | f4aa61f0e2b38a098c7e7db36405d478764f18e5 |
| SHA256 | bb0c3b005c956eafa3faff59b1a082c5540ba07ed412791be9a73075e6b70937 |
| SHA512 | ae883dcd1fee94dfb501d3788a5cd0b2bbd54b3eeeaad795aa24ad56ed769a6b672baf7163e4404a4939335823d360d7c1bf42431777605158542673ab552691 |
C:\Windows\SysWOW64\ksEY.exe
| MD5 | 5a9f4cfd061fbab081f4e3f18f69b1e1 |
| SHA1 | 5e5732b251997f2bd3d97e9bcc81f515203c6705 |
| SHA256 | 29d566a03a171ee25a86b328f0d2f3f2cc28e5c52da0d83b8f8e828467a419fb |
| SHA512 | 00e54ed8bcd8e8a4e27194b7ecc479fb716e42153d79fe8d7a2955ca277cb12495fd4d8c6c3a7674f130624bfa627a8000922c01e9c4db0803c286246da4c544 |
C:\Windows\SysWOW64\asYW.exe
| MD5 | 21c3628190bb0b668e69493548cdeebe |
| SHA1 | 1d5fa412f0c217de7b52ede1c7edf9aa44ded12b |
| SHA256 | 19a43ab92c56b00e9beadee477f46d83094d40f8fb938c3e3086d689272bee8b |
| SHA512 | 500eca6c7748fb5812cf80fba7fa3df459b5200e8fea9fdd9fd7576c8575e6ab673af61c60911dca7a7fea465f15ab2f306688082a6d7c5c6d7eae62bf3c3163 |
C:\Windows\SysWOW64\mYMS.exe
| MD5 | e48bc07d15fa29a032b49bdf292a75a7 |
| SHA1 | 65ec44a8e39a50a73737bc5c87a8eb4f6ebba046 |
| SHA256 | 35788afaa470c50117cd81521f12d1be730523697f5fbc757ed76bbf00d39eb1 |
| SHA512 | 7fb5b82a055598a6082f68a9138e56a040281b7d648de187d71168bac7d38aa82c0477125d6669acf93536f306558db00b2b1bb6d171ff9335dbbc6e679700e2 |
C:\Windows\SysWOW64\qsgu.exe
| MD5 | 9bb3f57565a234b501b53b7164874e38 |
| SHA1 | cfcc083c1290fea424bef9efa6d45367b98537b7 |
| SHA256 | 28cc4fefe6910a1ce3b470d7a9551894abecf3dffcfdb2d841235a599eb078e8 |
| SHA512 | 2e998a967d59f70861c49d6d0c648387a0c9943f46b9de6557fed06b6475611c56a0efa7d2c16ab2eb905ada6f5dd64a62ede952d0760044f6a67eccd0e8433f |
C:\Windows\SysWOW64\IgEY.exe
| MD5 | 9215dc85f95a4e8292559d1ddf1a5e55 |
| SHA1 | f96632bea0e1280425a79dffde43434191a33284 |
| SHA256 | 65a3934016242fd01554cc5119a8380edf9be155905aef10ee4c2ad4b1062304 |
| SHA512 | 783fde414bb06fd4c7a205657ea1dac54720f14c2adccee16a8ba22aff794ec2000a18fa95a6ddd94d4390bde3f24744eb7fca030e6a6c68fd8ef5979996212e |
C:\Windows\SysWOW64\sQEo.exe
| MD5 | 4a82ffce1d88aea58c105e1e0f6652c9 |
| SHA1 | 9fec34ab257735d71b6767d9c4b7a1950444e4f7 |
| SHA256 | 3f507ff2ecfefb98b2641a3b694b29133fe80ed70871511029a1a5f7b4f6410d |
| SHA512 | 808a39bacc19c167504acaa5e9ca0d49a9cd857e0a86a1f3729c427b1176ff8522aa6dfa0b1c09020eeeaecae875cf2b1e9036177a581f796c9425b56702c61c |
C:\Windows\SysWOW64\WEom.exe
| MD5 | c730534e92809ccba7abd829a6fe37a5 |
| SHA1 | b674b4dda957b95f9e9320021151c42b3dd6597e |
| SHA256 | 70877d6e76a7eed92fc994cde366ec7640f7957994c5228f81949e4722b37e80 |
| SHA512 | 1bfe2970bfdadfaa34479439e8e61a9d6704fc5116c869997f3e924b9ce3a63229d4ab35ef40ba28d2a22c31dd359a635097e06158c821d948e5ad645355e157 |
C:\Windows\SysWOW64\coEU.exe
| MD5 | 8c4da847494f986703b01d9997dccf06 |
| SHA1 | 8724eb315b5acf29f0451960b06fd14720a0da19 |
| SHA256 | 5b91da5e78c3f14e6516f255550fc36638e4991c1019de0e5c28c99ab5533d0b |
| SHA512 | bec022809e8fe21fb734867ea7eada4ea84da6d956495bd3c356250824b1c6a1d092dcb248e902e501164fb072280b560126295cf3ec25ff615697712c5d8c83 |
C:\Windows\SysWOW64\skYS.exe
| MD5 | b8d0022f38da039a917f9d0f5a7ab4bc |
| SHA1 | f73da0b8e2a34488786d1a30fa5c51475ce13998 |
| SHA256 | c274ce86aa84c42c1fbb38059ca292132131391f4c86ff487ed2ca3eb7abd20f |
| SHA512 | 7fa1400f32741f76cd1a63bb78dac2fad223814ad04f521f6a542fd28b25c0496a75f6be79d0753ddcc825e82b70b7d9fe9bef956951b4e898a281823de218bc |
C:\Windows\SysWOW64\oscm.exe
| MD5 | 6c62744f1d1ca1af750d9cce3172ecec |
| SHA1 | d12c1fc47151092e88eb764a02fed9b9fcb2a225 |
| SHA256 | 116a9c295824c8bcbfeb1fbe1c25565af546c51536a7c3fef09ee571874e7348 |
| SHA512 | 069922bbc0a1d7ecd548bab3f51cbc030aada5e49dc17fdce016b60a9c520e9d2cfa19f30414f0a5c0300e4ee3a15c93743bcb0210113481d753fab58ab577d1 |
C:\Windows\SysWOW64\EwYm.exe
| MD5 | fcabbc4815979d49f4c1f35d8f625875 |
| SHA1 | e7c2cb50b9e01c012e9310fc19e4053f9ba86fa1 |
| SHA256 | 03d5e0f3d5fdfa775ef064ad4c6e5e8c0161ff337a831124a36456d2c486b55d |
| SHA512 | 8ed8c8807bf08b08f0c78fce209922c1e961fa211e2db22259670614b1c08d56b82b6e24e485112068a0aa7a3a7128ac9e8ef89152b100cfca873230bf75f771 |
C:\Windows\SysWOW64\cgQa.exe
| MD5 | 049023cc7147fb89ab6bb25066dcaad5 |
| SHA1 | fd48b8ac127089ae84a2de8fe2d3576c75e57a3c |
| SHA256 | 3231f3e1817e663e78b388f1408d74fa23d5f3b361ff1ff20e3df0f75866fae1 |
| SHA512 | 6d4f7a61dedf5630a2d321c2523a3fe6e66f79bbb92c19e398ce3b85149deae51ba6c3e3dd2a4f5af96a3e6487a6bfce37807416f84b209a774748931f24ce8c |
C:\Windows\SysWOW64\gkMG.exe
| MD5 | 514114f5426033e823f8a4ee7459523f |
| SHA1 | b4422b0fa101a839106d8a370d6b277cc0a00fdc |
| SHA256 | 626f5f16dea7ccfa92f73ed78d342c921e4e72f181d0df10737c7582d7adbd6f |
| SHA512 | d54a5aeff3058971b38deeeece544c5f83321ed7900023ded476ef77b92248c9f4a875a414768f5df49e9f661bf960f352e5c033bf1cba14725f2fae8bd02c18 |
C:\Windows\SysWOW64\QsIs.exe
| MD5 | 765022b0f6479756312dae69164ec5ef |
| SHA1 | 1a67e3db4d1dbf569c6fe549138f966e47fdbaa2 |
| SHA256 | 2560ade81c9c7d6dda6a1505a5a8a09402d6882be7847bc6343e0bee26e31e58 |
| SHA512 | e5d5d95a9f9c710193f12a931ef4cb8a3459ffd64b24011350cd90026056b662cf5ee91052074e6af3884035c7da4feab3a54e5c8ed87f088478f9eb8718ecbb |
C:\Windows\SysWOW64\cMUy.exe
| MD5 | 601ea93d46583898fb1be2c26c1f7dcb |
| SHA1 | 57d36c38c8bb30a76e26f41dee57334d5b83fa8a |
| SHA256 | f3c86d0520fcc11e62467ca4d7a5a0d1ccc355976a4848a3c030c5a94705d111 |
| SHA512 | af78b44eb32b8b243ba7e785f8b6b96c85335f2b3e70d3095184d7f56874f9e7821bd9839d14babec360f9a2ab426a6830eb111de33b1c10048cae635a0d866c |
C:\Windows\SysWOW64\YQww.exe
| MD5 | 55eb54b32cf7b414ec62f824553b21ed |
| SHA1 | 1bd8977e32bf27d703043d23507297d7723afbb7 |
| SHA256 | 9d9c7514130fe645152c365bd186c5f7c8c063f0596a0b564c0fb08cfcce4eb6 |
| SHA512 | 065a8cbead66f2f746f81736f9cdba7c12382c4ae6d03b1e67b4d6bdaf5d4ad1b751afcdcf02561c012dcf824400d56c09192090c3c9eccc8da0796979482135 |
C:\Windows\SysWOW64\GEcw.exe
| MD5 | eafe1a175306159f775d4ab9a5461b81 |
| SHA1 | 03dc89f71e32c360123108269978a2883613ab58 |
| SHA256 | 29ef1fa885fa46e7c341859eac641da69d8bedde6e0b1b807456e1d9fe6c33cd |
| SHA512 | 4251641aec86e4d322a8340af213ea28aba02f3746b3e012802019c4bcb14f0722831f79b51feebd5499743fda4e1717cf62a227f64ef626d474a64ad0c859bd |
C:\Windows\SysWOW64\qAQu.exe
| MD5 | 0d0b5a7fb02ead58f104f16125fadbf6 |
| SHA1 | 09e9d542130fbdd50008d1447b308cda18083b07 |
| SHA256 | 7e118241b3fe8cba82e9ecc131b225dcfc8f191eb4738935e37e43b67aabc53d |
| SHA512 | 4934d5697a13aa5a23ff99f713e426feace3458db70e0d4e5a7f26cf8765174be3feae64b84683062a046b67e147f39547ed43d656c9843bead233a39bbe8fbc |
C:\Windows\SysWOW64\ukka.exe
| MD5 | 3fe80aab718032ee296ca787b9a73c82 |
| SHA1 | 7e9b883d3f4b4a8f95b91d249737ea3399018a55 |
| SHA256 | 008abf741387e52ba9f76072588da0f701d90cc12d2faee3bc044efa795fbc99 |
| SHA512 | bc52062ded1a85a540a9361dfb68cdb3668d1e654815874878a34dcdfedf12490c2154f693f5cdb8593d16cce3318c80dcabde45e0d2c6868457922dc1fae65b |
C:\Windows\SysWOW64\yoUg.exe
| MD5 | c07deb8a7b9d55ecece6fa70a4794b1f |
| SHA1 | 03d9b4bf69f16e38c2eabddfa9fc1385cd4d5723 |
| SHA256 | b15691e7dad7c85e0b53a6700f0073b739ed97f66ac8ef959203b189e04ba15b |
| SHA512 | ed64aca521563645697af6095b13e798bdf9c6aae5a668626ad250f5bb8e26bb5333936968520da21534fcaba7126f6edc5165444b595c1817cfcb5ef022ca1d |
C:\Windows\SysWOW64\kscU.exe
| MD5 | ea4b15d4944dd903176cd1ebd30db0fc |
| SHA1 | edcbe5c1fa667f8dce6ce3b6030bfcd02d9a0762 |
| SHA256 | fe6b80b80c1edba4b007257fef41f98a5485d9e3a4cf1b589d711bfd2c219975 |
| SHA512 | 474b114b28758ad124c5f61ef8bc8bcec8338ff37fcf2d5f6041cb9407977b18fdb33d787b23da69915282d5fbe8211e29099f4e039a3bc8aab17392b0c3d4e5 |
C:\Windows\SysWOW64\kIwe.exe
| MD5 | ff849726eb3e99bfccb9cad1cea39882 |
| SHA1 | 76b556e5afcdae231012bf8156ee44034b736929 |
| SHA256 | 33e3ede82358f44c33bead23e553e19f001a1add8cf19e4cf83c6fd7305cf6d7 |
| SHA512 | c36067b33e15fe40859604d5a641df7548397ebbafde5e600de9369490ce8e66d75f110526efae57eef0d13b8d753fa861f87c6c416ea7cfd5f664a5a16d190b |
C:\Windows\SysWOW64\UUga.exe
| MD5 | 56c3fd59b15ade5cc54a525a4dc71b70 |
| SHA1 | 1f42fe4382d9a6a1870f39b4cc1e297c42cb4614 |
| SHA256 | ffffa2725e09b74fa10b8d5aa37c3c2b60a41681e05f802e3085e86b0cf0e1ae |
| SHA512 | 1f044bd1afc8fe2176bc47e8ce3a9aab12143585e9da86e383b25807485bd418668b7f29fc42080a1de59bbf211af3aaa668b0e10d9301c660fa4ff7fbf475f6 |
C:\Windows\SysWOW64\gUIK.exe
| MD5 | 22f8d2b0300fac22f38b8cc1b447e7ef |
| SHA1 | b1c5f5ab6465e3b45d990dc46495f2d7434505ce |
| SHA256 | e7d06145de48ffe4d634db92c3556417043e555eefc551914936bbf7cb3c65a3 |
| SHA512 | 6685ae77362ad0689732075af4ab44fc21948341e39dfc3df8c54c07b14f33b69040f2ff663e5e4e94b32100a9da49837ebd10a75bc21af80869bb8f44fc1253 |
C:\Windows\SysWOW64\mgca.exe
| MD5 | d4278f2556810ff0aac945f98fec357f |
| SHA1 | 75f6379b614d79359e724e940b8be0d9974d6e83 |
| SHA256 | ffbb1866e47fc072458cd6b1232021e3dc4e3daf0fac884846073cd572cafd48 |
| SHA512 | 8c3fabf47e94a60cba74afb44518283d777a733bece10029bfd888408fccf5898cf90107dde327b70a0be9d9f4a2fbe208e1b2a7ffad5557c53f315031883702 |
C:\Windows\SysWOW64\yUkc.exe
| MD5 | 3b5aa19ad8a3e439ec617ae7cb7e7baa |
| SHA1 | 769a9296fef00835d3f494d42053390b24499360 |
| SHA256 | 4b36c83dc16859d7d1a6b89d39e6aa4e5a89af87305e5984e1389d888039c813 |
| SHA512 | 2e487ebd3ffa264ebfcb2151bece50a5208efcca910b9de7060b900d02eb188b778b3c45421a1a2372d045209715d165a7f9555c61a6b167df9c4efcac3a9c52 |
C:\Windows\SysWOW64\oYwY.exe
| MD5 | 1d2024c9cf3fd604eb157540e96f3330 |
| SHA1 | 82372e3bb0007dcf5e88296a81de1d3d255e9915 |
| SHA256 | c97db39cc8ea6946276ea9c995db3a7673bbc24c479d191939d7333c9949a884 |
| SHA512 | 46ce88ad78ac7a42836214839ab1642fd643d13bd82cdbc6940d6c9a2039790e26cb4ef8f60b0bf053b860c04b245240d0a4de18394492292aae5d7c96c12c44 |
memory/3924-899-0x0000000000400000-0x0000000000479000-memory.dmp
C:\Windows\SysWOW64\qEsy.exe
| MD5 | 41aac84f483a7426e8047521062d1de3 |
| SHA1 | 0e8be7956a2547c968e16daa670568b1d23cb82c |
| SHA256 | 87c43851b5e536e36660fdb5b7d47dd789505f7f5e84a353ae4e91904462e118 |
| SHA512 | 18f0e3db28c55aa852240c02f7e71a90b26b85bb0e52de784775ac948689c190bbb00eeebba5c7f0106c5de737f4e3f8ea0b3f4ddfd75798c14b6791476ea615 |
C:\Windows\SysWOW64\WUoC.exe
| MD5 | 7a8b50eb8dcd9e95009c134dc144410a |
| SHA1 | 9129abe4da4935c98491fa76c3c0488ad5679bdf |
| SHA256 | 658fa2e2d317c6cd7f2f0110e5af1c3c828289684cedfa3707cf7da4ef5efb51 |
| SHA512 | bdf11771f8fe65f20bb304586a81d1b524457177f09dbaa6bd4b6a17807d06fddbd579d8f46da8c84e35819f8d8a8708c7377e4f1ddf32261ac87ca1189119bb |
C:\Windows\SysWOW64\qkUY.exe
| MD5 | a5c6bc1ce460b8d68f0972fecce92e35 |
| SHA1 | 491784b2d735f274672848e48c192e876a662609 |
| SHA256 | fa8acb88475a751d420771ffe4ee8c4fe3118e0959598cb8cd381fcc2fd12fb5 |
| SHA512 | 5484d60aa02d42f17f8411f41d1d1e53a56681e336a7c9d8c8e6d9978602f13958302978d1da03ae4e544d09da410ed5b4b07f4577c7e31a031122b3f5bea2fb |
C:\Windows\SysWOW64\qMUo.exe
| MD5 | 86b0d6f04c3a00aa558b2f6c73601e87 |
| SHA1 | ea99372b2505a229a663e2ae40702156f958c713 |
| SHA256 | 271d265e9e3815fa5ddf19f3ed1aafaedd8e632deec502c9f48d343ab930d5b6 |
| SHA512 | 36853c29e73f10ec528291d1816ba5b430571068c2fa8d989c0bcb70d7c2d5c5dcff26be54e77e3682935c321e7db38ad3daef22717d721625ad1a2794e2fdd3 |
C:\Windows\SysWOW64\Mowo.exe
| MD5 | 4c413c831a08525906fc3926d9419fc9 |
| SHA1 | 8d011a50906be87267921b99dc444712b0148910 |
| SHA256 | f96b6c9e221bd1166f8ee9f44cadc212f91f4f84d686eb3e321970c6023c7e3e |
| SHA512 | 856b1654c2da16d28776d0dc1421fba4c7ec8920324779e5b506d0c0f247b013a7487dda8de075ecbe2d522b3a81186d5f72de58db42f94eb74e5078997d3221 |
C:\Windows\SysWOW64\IgAW.exe
| MD5 | ac8df4980a761b13521203ce474dd3f8 |
| SHA1 | f269327d38a0d59016c1b36419d7f35e71963855 |
| SHA256 | 1b24c575964b3cd393f4784ddd13536ff7cf32c308385f70698e61421c38876f |
| SHA512 | 90ac8a5a0f554032e2c6777a337cc318e8b80ba16cd79fbf030db7e8d384422070fc49aa226e819d58053f6293f60aff614c56f1a801d68e36254f62d2e16abc |
C:\Windows\SysWOW64\asIa.exe
| MD5 | 9cb5bf2f95b454d98255c747473f552e |
| SHA1 | f6bc740077efa439714c7654f52774563ffd0cc6 |
| SHA256 | d7289209f6842d7b09ee9afad77f70dfbfdc45fce9f74426bce6a2041ca0e0d8 |
| SHA512 | 63c46a07e3e07c96a40d1cf38a3bc01555bed19c3a8ecfa5fb27a367bfd7c14e0693f473e31a9c0207ecf7c3b4b13b2c387d787bb3614dd0fc966c78fce69b58 |
C:\Windows\SysWOW64\QUQs.exe
| MD5 | 8e335ca939bfc213ba2cf205b3a5289a |
| SHA1 | 9404f26cdaed6574d36af756027332ae36b7be1a |
| SHA256 | 8762a7bd65a06eeddf3f45d31f00b18fd7318a3540467b5b80cb699c7e535af4 |
| SHA512 | 16e3ce2b0671802752162e85d7b6052ec3fc30f1f061f4a2c948d650aea31872b787b17d24ed255c20d169fd3378ac7b5e5271f5af7bcfd022ba733d8ef29c9b |
C:\Windows\SysWOW64\CAYQ.exe
| MD5 | bd5ff40fbfc0a005a0e2ff2f296a6196 |
| SHA1 | 6baa8fd1677f78d9d562e631e81d10dbc27424cd |
| SHA256 | 031c8b668d6860875b0fa8570b110912dc05f033ed197bfb6201e661810ec7b4 |
| SHA512 | 13818c28fca9716581b7d274d030e79ef739bd443a84098acfa93855d978fa666587247b49de7c90b64a7e2122b64c47827e378c4025883428a41efb0dead6bb |
C:\Windows\SysWOW64\oYUC.exe
| MD5 | 937472fb583683967190306e887a6209 |
| SHA1 | fecceaa47312727e8364fa492f381daf38258f26 |
| SHA256 | aac294cfd06f663ea6acddca8fa53c97bfbb99bbeb7e2e94080cabfe1a2677cf |
| SHA512 | f3cd598466f438f0a745a38b4f7ac7bbcea3b8ae5a996b221ed24bcbf21a48e59662abfc7977ae707c6bc5599c7ad39ac487549594c17bab46f6c7e452e0e12c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe
| MD5 | f17937c400304ef1e2a4ddaec8ebf340 |
| SHA1 | a907180f61d2962c7caf7307aa64ddc8ea6a2972 |
| SHA256 | a05bf277c327b52211a5cb0573b5088b2038e719d452d6ce5f61d488982675d2 |
| SHA512 | c8a0b07907812595ca38a039ab87a392916719bd569ef657741c527569c5e1157116fb23bde1b861adeb84f176f2047dfab2a72942d2f7414b5d0af7ebbaffb9 |
C:\Windows\SysWOW64\ywYC.exe
| MD5 | af5e99def3d1c56c2240c6927b7a6da6 |
| SHA1 | 6791b174b172cb4bac093897909d801db57ef1d2 |
| SHA256 | 2eed280cfd6bccd5fe71d8eb1a9017305e332f5c965cb996836f4b21f47fb191 |
| SHA512 | 5d6f501635b55657723e8c19a46102fbb15cbf443351007ca6099d3fb87bbd4088ff708aee63589ad4bf611106969950a930b9637030f3d8439745113e8ccf81 |
C:\Windows\SysWOW64\gAIu.exe
| MD5 | 8a7290c087b50bef84c9f63de56e1e35 |
| SHA1 | 2d575b4d5142a0e25b74b7ad754c7dfe10e92707 |
| SHA256 | 89a61cf34d4026143ed27cb254f89625a630f091bd0caece8db06febf2a95b08 |
| SHA512 | 8651904f57705b71b8bf601218d8ddd622d67b9a85a7298eb07fc1204b6d0ae22457c250c42fb74857607342d59bffc64941661286b9611064b5cfe9595e98ea |
C:\Windows\SysWOW64\OQoc.exe
| MD5 | 10bf96db851b957a313044189a892ef0 |
| SHA1 | 7d1050080974b76f4bacfe6b139bce810fc557d7 |
| SHA256 | ef1a73ab2468be396447bfcc15209ec85f5391ca29b02224043262806a37f616 |
| SHA512 | 7030fe61086a259c30e9de823014154f30e095999242f41eb776b0f91f81146a73fd53d351294d57de01d5c883c5ae693eefcf421270cc96e345f9c1b6d66ef6 |
C:\Windows\SysWOW64\GEkg.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Windows\SysWOW64\wowa.exe
| MD5 | 5639f73e1c14dfffc4ec87eaf5b29a7c |
| SHA1 | 3e4dde6770453a2848f7c9c28d3de68c9fe6a339 |
| SHA256 | 75556a72af6323a525d999cfefff12daefb86c5abfde325ea38825bcf3459507 |
| SHA512 | 96e3bf026e92a31ed9f956d5407ce13e79d818249bef8fe43117bac960d65bba81e221d326fd806c29cad2e7bdb5bf3f6f3ce3fae1994f7f1a5d22df0748c0e6 |
C:\Windows\SysWOW64\SgsI.exe
| MD5 | 983ea25bfc4748b9667ef84dc1a56880 |
| SHA1 | 3196fd9d76379fe5d93b8bee49e8e878e99d09e0 |
| SHA256 | 99c46b4625de6785a5acce392272f51227000e19ff565c972aa81e61bb9f4a19 |
| SHA512 | 62f3d02193168973b4bfc0a9843d9e1bb94d7025c657e8deaa7379af8e825363364b98efe524f196c2ae94f21609e478dfb1cc79740f03b556c920e8995ed0dc |
C:\Windows\SysWOW64\ucAa.exe
| MD5 | 6dec97e1843af358ea797385a1ed87fd |
| SHA1 | 785bac9c56a34cdc59936eb66c709780ca9bd11a |
| SHA256 | 8568328faa420c5d78940e5d7d5d24751b014ca7dbf97f7dd010784e5ab677b7 |
| SHA512 | bed8a7fe0d922cb43fe4eeb48c8a940ea0083d127df2a7b25c4d45523d93642c1f29e0a6879999a9614d3bbf7d4348ea351b2c7ad947f173f57c013a1c588ca9 |
C:\Windows\SysWOW64\iMAq.exe
| MD5 | fa190f9371468d20d0cc57f717d55ce0 |
| SHA1 | 2c07c663f9875ea19191617f57a032533a7dadf7 |
| SHA256 | a9280a4d52eaa489e98310130d92e8cc12d4d17bc7bace2e82feaf7d129e3697 |
| SHA512 | 0a840cdc324e6a253b92113f53773e27ebc82dab19c7e87c9fe0dc5739ca4dd4073b3ae34660ee7d23c4c8152b31544a3f6ce215ad7c2a1c9cd9655e0b9e4dfb |
C:\Windows\SysWOW64\qYko.exe
| MD5 | 434934988fb040ea969c002e37040400 |
| SHA1 | 31dac883189360ef76f77a01b0c99efd1e1bcacd |
| SHA256 | fb6fd96070d91dd32dd29278f97c59d6b758e3840bea0edf5a9b4ed518573d28 |
| SHA512 | 11df826b5b8e243a09bda9e5425226a798258c0f680568d869edbc248671eeccbd718a7806fcb0d55f8bfdad9dacccb9dca18d4f0e91d930f5d24b19e3750f8a |
C:\Windows\SysWOW64\qYkK.exe
| MD5 | f03e4b1e576abf053550cfa89b056b10 |
| SHA1 | 2a1d5cea27abe0df2958f19441ed62f65b5d8120 |
| SHA256 | 8f573382b2e25e43a7e54cda9b6c53d528c45bedd9a58b9dc6f15b1b2186205d |
| SHA512 | 14f6ebab40957cb81dd52609737b9e1104b88a9c4b586235342778d7d8c5c78085b76a7b62846b0cabac2ae1b54a58e73ccaad720277d9c68ec265414142478f |
C:\Windows\SysWOW64\mcsO.exe
| MD5 | 87caad2f0a55c1d5b1e12f6e7e289d93 |
| SHA1 | 40d65cff947a1b47fd7c4ccb6dd43432c7cbd387 |
| SHA256 | aa99c5f6240b410ddabb992b4d7eaaa371409d613284e1c92a0980a4ce7d86f3 |
| SHA512 | 095d6433b6633da4764686f667fb6453e996fa3d8301a6af983ba6f840bfecaf78cd347cdd00c5d44ff8cf3f00e9820b52252bbb5490c8117fe4fbc2ef74eb87 |
C:\Windows\SysWOW64\Owwo.exe
| MD5 | 6832a855a232cbf63c59becfa95d11c4 |
| SHA1 | 9322ced5f05480c6e6adecfc80103911a1bd9859 |
| SHA256 | 0fe0fdff45ffd6e65c41ac0016527c6722fbd7b4f77206d93fd9b99d764bbfd2 |
| SHA512 | d41c59f5ec6d36d631783baa3ec82c4c8f93a9a5509186f419609bd3e055063508d42eefcc875907853a468413896c40412204dabe8550b936411820d8882727 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-15 09:06
Reported
2025-05-15 09:09
Platform
win11-20250502-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (56) files with added filename extension
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\BokIcAUI\dqQMQUUc.exe | N/A |
| N/A | N/A | C:\ProgramData\BUkAkoEw\tWYMwwQw.exe | N/A |
| N/A | N/A | C:\ProgramData\seokUMsk\rgUYIoIw.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\dqQMQUUc.exe = "C:\\Users\\Admin\\BokIcAUI\\dqQMQUUc.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tWYMwwQw.exe = "C:\\ProgramData\\BUkAkoEw\\tWYMwwQw.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\dqQMQUUc.exe = "C:\\Users\\Admin\\BokIcAUI\\dqQMQUUc.exe" | C:\Users\Admin\BokIcAUI\dqQMQUUc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tWYMwwQw.exe = "C:\\ProgramData\\BUkAkoEw\\tWYMwwQw.exe" | C:\ProgramData\BUkAkoEw\tWYMwwQw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tWYMwwQw.exe = "C:\\ProgramData\\BUkAkoEw\\tWYMwwQw.exe" | C:\ProgramData\seokUMsk\rgUYIoIw.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\sheWatchLock.xlsx | C:\ProgramData\BUkAkoEw\tWYMwwQw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\BokIcAUI | C:\ProgramData\seokUMsk\rgUYIoIw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\BokIcAUI\dqQMQUUc | C:\ProgramData\seokUMsk\rgUYIoIw.exe | N/A |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\BUkAkoEw\tWYMwwQw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheSwitchExpand.docx | C:\ProgramData\BUkAkoEw\tWYMwwQw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUnlockRegister.zip | C:\ProgramData\BUkAkoEw\tWYMwwQw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\BUkAkoEw\tWYMwwQw.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe"
C:\Users\Admin\BokIcAUI\dqQMQUUc.exe
"C:\Users\Admin\BokIcAUI\dqQMQUUc.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\BokIcAUI\dqQMQUUc.exe
C:\ProgramData\BUkAkoEw\tWYMwwQw.exe
"C:\ProgramData\BUkAkoEw\tWYMwwQw.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\BUkAkoEw\tWYMwwQw.exe
C:\ProgramData\seokUMsk\rgUYIoIw.exe
C:\ProgramData\seokUMsk\rgUYIoIw.exe
C:\Users\Admin\BokIcAUI\dqQMQUUc.exe
C:\Users\Admin\BokIcAUI\dqQMQUUc.exe
C:\ProgramData\BUkAkoEw\tWYMwwQw.exe
C:\ProgramData\BUkAkoEw\tWYMwwQw.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSgwsIkU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKUkkcUo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSAEcIco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMcksEwg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwwMUQgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BusIAQcY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEwAwYow.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOMkMoIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyMEswwE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMkcMcAA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqswgMEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMQswcUE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAogUsEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkkUggkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCcUQEIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaEgwUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EacksUIU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUkskkAs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMUMwgkU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoskgksE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgkAkUsE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awMMUkcs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igAggAgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASowkoMA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWAkogco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsQUoMYE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqwsoAYc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wioIgkgU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIMUEMAo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oakgQswY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEUEAQgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEYsssAc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGgQAMcc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEAoUggk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEQMsMgg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuYwAokU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKcQQYcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgEkMcco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIwUgQMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkMwAwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSsUQoEU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmsswkMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqoUockc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quIIEoMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOssEYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIcYoQQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zswUoUEw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQcsMQQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsYMYgkk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGowYkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\guAEosYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekoIcsEw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKQQUosw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqIUgAwE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nesUYgAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGwkkcgU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PocggkMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYYkQwco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiAgccEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiooUkoc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KewQEgAE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSsUwcEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REAIIIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAYoMcwY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vccowIgs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iecIsEQg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAgkMMsA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGokMkwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMIwMskA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEUkAsIA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwkMAkwY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcgQUEUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOIosUAs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYQUoUIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkoUoswQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSEogMIc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fakgkEsM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkEgooUw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKEEwQAY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSkoIYAA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smsIUIQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMwgkYkY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqskwAUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
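The process list above repeats one loop: the dropper is relaunched through a throw-away .bat in %TEMP% (with its own path as the argument), cscript runs file.vbs, and reg.exe rewrites three values: HideFileExt=1 and Hidden=2 under Explorer\Advanced (so the .png.exe and similar renames listed under Files display without their real extension), and EnableLUA=0 under Policies\System, which is an attempt to disable UAC outright rather than a bypass; the write needs an elevated token and only takes effect after a reboot, and the process list records the attempt, not whether it succeeded. The script below is an added triage example, not the sandbox's own signature logic: it scores process-creation records of the shape (image path, command line) against those behaviours, parses reg add in either flag order seen here, and flags double-extension drops. The sample records are constructed from this report's own command lines and file paths plus two benign controls, and the ATT&CK technique IDs are the editor's mapping.

```python
"""Added triage example: score process-creation records from the list above
against the behaviours this report flags. Example code, not the sandbox's own
signature logic; the ATT&CK mapping is the editor's."""
import re
from collections import Counter

# Constructed sample records, (image path, command line), copied from the
# process list and Files section of this report plus two benign controls.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\cscript.exe",
     r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs"),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1"),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2"),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEUkAsIA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""'),
    # benign controls: console host noise, and a reg add that restores the default
    (r"C:\Windows\System32\Conhost.exe",
     r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\System32\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0 /f"),
]
SAMPLE_DROPS = [
    r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe",
    r"C:\Users\Admin\AppData\Local\Temp\yWQw.ico",
    r"C:\Users\Admin\AppData\Local\Temp\aYUQ.exe",
]

# (key suffix, value name, data, finding, ATT&CK technique); all compared lower-case
REG_RULES = [
    (r"\explorer\advanced", "hidefileext", "1",
     "Explorer set to hide extensions, so 256.png.exe displays as 256.png", "T1036.007"),
    (r"\explorer\advanced", "hidden", "2",
     "Explorer set to not show hidden files (1 = show, 2 = hide)", "T1564.001"),
    (r"\policies\system", "enablelua", "0",
     "UAC disable attempted via EnableLUA=0 (needs admin, effective after reboot)", "T1548.002"),
]
BAT_RELAUNCH = re.compile(r'/c\s+"*([^"]+\.bat)"?\s+"([^"]+\.exe)"', re.I)
SCRIPT_FROM_TEMP = re.compile(r'^[cw]script(?:\.exe)?\s+.*\\temp[\\/][^\s"]+\.vbs', re.I)
DOUBLE_EXT = re.compile(r"\.(png|jpe?g|gif|ico|bmp|txt|docx?|xlsx?|pdf)\.exe$", re.I)


def parse_reg_add(cmdline):
    """Return (key, options) for a 'reg add' command line, else None.
    Accepts either flag order seen in the report (/f first or last)."""
    toks = cmdline.split()
    if len(toks) < 3 or toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe") \
            or toks[1].lower() != "add":
        return None
    opts, i = {}, 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d", "/s", "/reg") and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
            i += 2
        else:  # /f, /ve and unknown flags take no argument
            opts[flag] = True
            i += 1
    return toks[2], opts


def classify(image, cmdline):
    """Return [(finding, technique), ...] for one process-creation record."""
    hits = []
    exe = image.rsplit("\\", 1)[-1].lower()
    parsed = parse_reg_add(cmdline) if exe == "reg.exe" else None
    if parsed:
        key, opts = parsed
        name, data = str(opts.get("/v", "")).lower(), str(opts.get("/d", "")).lower()
        for suffix, want_name, want_data, finding, tech in REG_RULES:
            if key.lower().endswith(suffix) and name == want_name and data == want_data:
                hits.append((finding, tech))
    if exe == "cmd.exe":
        m = BAT_RELAUNCH.search(cmdline)
        if m:
            hits.append((f"cmd.exe runs {m.group(1)} with {m.group(2)} as its argument", "T1059.003"))
    if exe in ("cscript.exe", "wscript.exe") and SCRIPT_FROM_TEMP.search(cmdline):
        hits.append(("Script host runs a .vbs dropped in %TEMP%", "T1059.005"))
    return hits


def masquerading_files(paths):
    """Dropped paths whose real .exe extension hides behind a document/image one."""
    return [p for p in paths if DOUBLE_EXT.search(p)]


def triage(events, dropped_paths=()):
    """Aggregate findings, per-technique counts and masqueraded drops."""
    findings = [{"image": img, "finding": f, "technique": t}
                for img, cmd in events for f, t in classify(img, cmd)]
    return {"findings": findings,
            "techniques": dict(Counter(f["technique"] for f in findings)),
            "masqueraded": masquerading_files(dropped_paths)}


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS, SAMPLE_DROPS)
    for f in report["findings"]:
        print(f"{f['technique']}  {f['finding']}")
    print("masqueraded drops:", report["masqueraded"])
```

Run stand-alone it reports five findings (one per technique) and the single 256.png.exe drop; the conhost record and the reg add that sets HideFileExt back to 0 produce nothing, because the registry rules key on key suffix, value name and data together rather than on reg.exe alone. To use it on real telemetry, feed it Sysmon Event ID 1 (Image, CommandLine) pairs and the FileCreate paths from Event ID 11. Whether the HKLM EnableLUA write actually landed cannot be read from the process list; confirm it against the registry on the host, and note that the Explorer values take effect on the next Explorer refresh while EnableLUA only changes UAC behaviour after a reboot.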
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
Files
memory/3848-0-0x0000000000401000-0x0000000000475000-memory.dmp
C:\Users\Admin\BokIcAUI\dqQMQUUc.exe
| MD5 | a688a2bd6a1d51cfdb87f202a4a1e010 |
| SHA1 | d0b3a012ca860629d231f9cccb1639f9063db5b2 |
| SHA256 | 7d74359dd0bb19720ee9ab91785ebf4554ad4f1d63510f8395b90550162df4d4 |
| SHA512 | 046566774aaf2938d51204f9ca6790b3278ba2a3c0396d67bf11cf620dde4b6fa20fb84d3308d32aefcda38db2f49aed864ebe830717894f1a4f7f06c16eac04 |
memory/2820-8-0x0000000000400000-0x0000000000478000-memory.dmp
C:\ProgramData\BUkAkoEw\tWYMwwQw.exe
| MD5 | 7de6a31a2950e97b530b1617c1dd4b44 |
| SHA1 | 338e3e086a94f1b8083d055e9fe2276fc3df1455 |
| SHA256 | 0f3bbef79d371dcc222c288fdadde7dc37a9f139c33bfee24f25dcb02fdd7f22 |
| SHA512 | 58658c5fda536b1816a338ed3bd401915ef888a5c635fd1bf43772d7af401a42461363f3eae93d2bb10843cb7015868da7256ebce8995c2277ba9b61b63556cb |
C:\ProgramData\seokUMsk\rgUYIoIw.exe
| MD5 | bc722107270b70ffde4fd2def40936c5 |
| SHA1 | dabba5f1301403040f13d75298dfa99a1d87ae42 |
| SHA256 | b54fab906e4e4a8f746ea9d1db8e5257a6e6eed18e353c9d1d92f1fada159739 |
| SHA512 | b9a554d752ac060965c84e15d654e5cdd2119387b474a272f8959bda53c818f1dec796cb511757fdcabbf4b001d1a0be8f8a29723769850a55e91a64b34bb5c1 |
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
| MD5 | a137db26123ef0010b9a5a32a99280dc |
| SHA1 | 5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6 |
| SHA256 | ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd |
| SHA512 | b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f |
C:\Users\Admin\AppData\Local\Temp\QSgwsIkU.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/3848-151-0x0000000000401000-0x0000000000475000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aYUQ.exe
| MD5 | 32785e057be2b214a603d48015d75e48 |
| SHA1 | 19e44f167f7a9b762301212e868119e605ae4057 |
| SHA256 | 8cfd17213ef67999f547d29b897bfe8144fe7b3e979450e35998199fb5be887e |
| SHA512 | 7518155ae45379f17336f1c6c78c765d6501400b78af470084b0e436415510e795b51bd9cd2d012c1953a29a1ca2ace3b28325c4dff35dba31a70e4f115d3e1a |
C:\Users\Admin\AppData\Local\Temp\iIwe.exe
| MD5 | 0efec6845bf9a3190ad20adca8fa171d |
| SHA1 | e5a794f016db13d2b1b8b107b1261ba4c6923da4 |
| SHA256 | 40b3497ade38bfaea902d27fe7f8dbb926df022e8c00c5448dd73b916bffceea |
| SHA512 | abd996a3776e21e0f4972dafcfcfdb217b49e25963643448bc5c3f5cd04331c8c79298f64016fa9bc25312b6b28c7395cbc64acd0d71e2ed0dd45a3751e84c16 |
C:\Users\Admin\AppData\Local\Temp\uUgK.exe
| MD5 | 44cb4493afd5d8e6c6a452ffaeb56164 |
| SHA1 | 119e4fb81f090f3bbd8a9375d30126c314d45e6c |
| SHA256 | 6063f2322360f62c3a062e3d149457b1c242be2a68d9867b89a15f5e014d231f |
| SHA512 | 1873c010e91851c1bfbcad4263b0122370e1848c9a7943d82f91d1a4f0284fbd1d4301685033c040f0816b4c1e764794db3b677f31e098ad46f85cc6a8c203c2 |
C:\Users\Admin\AppData\Local\Temp\yWQw.ico
| MD5 | 9af98ac11e0ef05c4c1b9f50e0764888 |
| SHA1 | 0b15f3f188a4d2e6daec528802f291805fad3f58 |
| SHA256 | c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62 |
| SHA512 | 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1 |
C:\Users\Admin\AppData\Local\Temp\AQoG.exe
| MD5 | 9ee21a4d7c15050c8b152a40ba76f6d5 |
| SHA1 | 24ec3819cc20131624753a67ca187fb85ff5d8be |
| SHA256 | d867a77738d7cf88220835335a7d3ac6c0f04bc9446451db01d342b0545eb9c3 |
| SHA512 | 80dfafbe340c039e597fcbafd589d3cc8d45df7a69c07ec3ae14f8e7b31320145a99db3a8e472e1fb7c8a152fd97fc61922bbcb1bb4606dcde880a395ac71622 |
C:\Users\Admin\AppData\Local\Temp\wMsE.exe
| MD5 | cde807b1ad611416f65d55b0a4eb4c86 |
| SHA1 | 9a4fd349f4ebed891a3155d65c1463c573335186 |
| SHA256 | f7b3dc2216a2333e8d6e073945d4cffb2ab36816aa966ec20a8b405c65578613 |
| SHA512 | 2cb36a26d91c5623ecbe2bd9e201c503186cf3f95878307fa486149b3e38237a1ef3cbd1f97231c61d4fccf7274f9aed9c1f4ed27f503d1bd2fd310659673f48 |
C:\Users\Admin\AppData\Local\Temp\wMwq.exe
| MD5 | 01514118c95ae3382b046c24d29578fc |
| SHA1 | d4284436b05f5491c9ca20994aaea7eef10a8704 |
| SHA256 | 70ef39b3c012481ee83185c67ca5e4f048ae9516e0ed5ca6b766adb4d63124e3 |
| SHA512 | 1138ac54ffff96039b4ab0c87d7b0155dcb973c3797d2ed8dc8401a2c73d612c9e5a4e74a5175e1577c4df5db218139d03671b966c8d5184c0a6562d2fc8b328 |
C:\Users\Admin\AppData\Local\Temp\ogYg.exe
| MD5 | 562120ec77ad69536a16c65cd019e184 |
| SHA1 | 6cb25aaaa0db949a964f00711be10cdf04cd9cf1 |
| SHA256 | 9c49c56afee3c1f1e89be838eb48b89513e5129515b31ecbb0eadccfa8434e65 |
| SHA512 | 1e64191188193f8c1ab63f5094ec4922e247ea8d33c05c07b9504bcbe5a67ec40c7a0e9be10317c5b10f09115888b5d5f4cb39a59e2d4659adfab5dd9df35729 |
C:\Users\Admin\AppData\Local\Temp\MgQg.exe
| MD5 | 7a634f124f5ed6d6e5ba5311e9baae39 |
| SHA1 | 0fabf578465c06a6aa2dee74b5b6b92162297819 |
| SHA256 | 214c01955f8916f173f185bd9b5c145db01eade87656107aff4b6b38ea132033 |
| SHA512 | 746e9e01e72cfa17df9415c924ccc05604ab93435f8a1e28922a5e8fd3330ca001d3bdef32e0aec1b6ac9c6ee8216639542e3fcc1484abd53abd92187edd2c60 |
C:\Users\Admin\AppData\Local\Temp\GkYo.exe
| MD5 | b9ef69c9f34f4b2e688c0e269027505e |
| SHA1 | 44e48f0d72bb6b4f0c2a41f8ac0634ad44a6b541 |
| SHA256 | 6f7fe9a7f6a2a9b26331f569635e04d9d42467e824c4f30b89357856cd31879b |
| SHA512 | bf1de4c61c7afdf1300fd0992586fd6f609f11c3999de54d56988b950a56879911eec24b9d6f166db1a85eb3da4db4fac66de55868f533052676c690afe76b63 |
C:\Users\Admin\AppData\Local\Temp\UoAU.exe
| MD5 | 1a55d188ec40a3341e5db0f7f2dc7762 |
| SHA1 | 880219cbd740be8fed32e87ea6ace515056ae8c8 |
| SHA256 | 607c276d302061b8ddc8ca5956871e06fc43a4e0537278cbc86b17d45c321c92 |
| SHA512 | 91a8abe24a000a2a14555d83990026456d8ad80fbba3f6282acfd93fcec88f157f8627284f099d35b5c93ba9f70352efc9aab25c0a04533c4b9f82bf068d24ee |
C:\Users\Admin\AppData\Local\Temp\sQEY.exe
| MD5 | ef8b2abaf1fb83a035805626756d86bf |
| SHA1 | 7d72ab9207f7e176011efca94df7dbcfa3a5c7b2 |
| SHA256 | ae3dabb87877512f5282bec34431ec9ac2ac43fa49c3df8b76b4f675f17534ed |
| SHA512 | fb4cf042cd81a6a7b2e445b635bf00dd4c477aa8301e3be884446ebfbc739515b22a16b8e1310cd15e9d1a545514227d2367c96178e4e71b632012c760ae2a20 |
C:\Users\Admin\AppData\Local\Temp\EkgE.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\iIcg.exe
| MD5 | 069a89246d0f39302b8194834d26b1b4 |
| SHA1 | 2b17b76d624214afc8db692d1b8ea07072e74cf4 |
| SHA256 | 74437c27a9b4dfd82f9a5ddd869a2d5588fb0a5d7c7dba757bc52bda3662e4a0 |
| SHA512 | 65ffe95e77b963cceb7922c5e516d904172ace99d1a24ffbb51fd8ae3886ae9dde5c020b66d66e3e3ad01e9de2175989906a1a976d42bcbc02acee95a7281d14 |
C:\Users\Admin\AppData\Local\Temp\ScIK.exe
| MD5 | 687886fab9105839aef4055ff39955db |
| SHA1 | 1ef2ee9d60ba548869af5d2fac306f2066957e68 |
| SHA256 | 0b728d86f9cc156e2607bc6ac2e3e424d1edf00dcc288633d919cd736347f352 |
| SHA512 | eb776776685e33d0393604d1acc3ac1321fcbddcf46a3ff45518382d01e28db332dcb3756ecb4721cb8b1560c173c80e441e040b9a995e3f71db2d3bb855f564 |
C:\Users\Admin\AppData\Local\Temp\CsQy.exe
| MD5 | aa32f52d63ca24e29bcc9b906f40c320 |
| SHA1 | e872d8d296e3d89f167b40ef3a6f131669080a64 |
| SHA256 | 8551fd899938e80bcaaa58b5d31e960318abf97b70a8804f711f86cab341dcf6 |
| SHA512 | 7bffc6de710b5ce16c295219c3d6f03d092c2064424b1e7ab7c9a9235fa4612c340629a0731e8eeb66413f04fd0bef5429a5e48a3c1e903dd8a169154f3d14b9 |
C:\Users\Admin\AppData\Local\Temp\ckEU.exe
| MD5 | 236d0ae557dca94d580e44404ae300a1 |
| SHA1 | b08c30ea217404d4c3a9ecc5e10444bfd313268e |
| SHA256 | c46ce91b5fb7c5dd78a6a76b6506c99510307e880e282ce82e9adacdbbaa457b |
| SHA512 | 0b8053f28845ce9ce25ebf0505389c59f3c33caa6bcd589b3ef2918348e258fcb1c688262c0a3a6bcdd0442040d6f3adc54558fd2490d2489369695068633738 |
C:\Users\Admin\AppData\Local\Temp\UIcO.exe
| MD5 | 19125e7758d51da84ae645bda000562c |
| SHA1 | 5bd0d657f3c5850d851b0ab7ef50ea001fdfbd9d |
| SHA256 | 22a6abed6f69c0f2f580a14fe5a174b7faa17ef62647ff8fa21c27ed7e91f62d |
| SHA512 | 5d568f2aa458a8034454affdab19738ed1d33aadb3a0a6effe5f22b4a5d75ba4826e6b4d9b61c7c213b26e0a82e1b27e02057da8de9ba77104d0e9b024134020 |
C:\Users\Admin\AppData\Local\Temp\aogK.exe
| MD5 | 127166c55a0121dd7d7fc1caca218906 |
| SHA1 | c29dfcda085efc5d92626561840c324893b603e8 |
| SHA256 | f08bcb8e9f8a4c36d111c1653bcd9516f5c01f644bec2adb91f71ceac2f9d480 |
| SHA512 | c563c70f45bb1a1aee26065bbede48f2ed97245213bc8ddf1c5afb7fe96377f34de5bb9f0f63f895876b9019aa04dd8d041fc992d679bef0b75c576f8422943b |
C:\Users\Admin\AppData\Local\Temp\wcsq.exe
| MD5 | 69dabebd786b7903746aab89008c89c3 |
| SHA1 | f4d9efd00de4b03bc0da0983a1eb17e88a44971f |
| SHA256 | 9225f28f3ab5d4b3fb72d923a50d8f5d31030fb5b369e0bb81d06f59e0a33024 |
| SHA512 | 453f2a27ce8ab0f99ad91d12dbecffeef6dbf6d159d5c36ae61ca7842049a876fbd7ad496754a1e6ee6f8e27c7534f8420fb84f36e0efd74d73f180632c5bca5 |
C:\Users\Admin\AppData\Local\Temp\CEky.exe
| MD5 | e89253a1dfc9ad66753b382571ef6008 |
| SHA1 | 65e3740be2c9f1d972df08312804ee72b25977da |
| SHA256 | c3c1c7a8f183aed50c0ac0f2b50ce975aa7549aaa5b15da46727aab65fc6ff34 |
| SHA512 | 4e013d5b70670e9c5ecece6035bfb777f0c769813215fdc5a3db860d296e23cc47c3f388855a6285d8ad3bb5e872b09f8d532d6962405e4c7d6ab2cc558952bf |
C:\Users\Admin\AppData\Local\Temp\cMIq.exe
| MD5 | 7c9c77ef14b9c3b449d452781d4f8a5e |
| SHA1 | 495f022fd6616622493eac7223a6e5c5684f8e95 |
| SHA256 | 21eb8d95e0711252c3e8b954cd8d7b0038aebed248917d48cbd0c65e3be98380 |
| SHA512 | 7a97b133d1f576300b86787bbea9e31a0cda92bbbeecaabca6811ee8a999c27fe1f7e77210015510a7e274201aebf63a01a1090643c88b0df20a053b8accacb8 |
C:\Users\Admin\AppData\Local\Temp\YIgw.exe
| MD5 | ccf89a621ab92bd89060c24957238073 |
| SHA1 | 3cbcfe01919e084beb327cd544161ebd15c8d967 |
| SHA256 | 64d1a3f26229de73f8a421249275a4d10b246a0023f564a1240e85394990fe41 |
| SHA512 | d19dca535f6acfe6f8666377fe75d53bcd446fd4150b8251b094f85a4eac12fb6e4699b10ea443df1b431b4819437be0ac3736edf5afd0a44658fa95a23d3008 |
C:\Users\Admin\AppData\Local\Temp\AEwq.exe
| MD5 | 41ad60fbb4c43fa74fe4676af786eb53 |
| SHA1 | 8f4023fe5ede6675543665e11048ad696d649c94 |
| SHA256 | 1397983e63923cff2ce3713ebb45c7fd02890476789567a32509b1a0fee0e8c5 |
| SHA512 | 4dda3ecba179baf3a9dedec7c31fc275c65841257c2ca4f17be94339475ad635a7a1cc53d3cfdee37a1368f0549eaf95d7cd74262dfd928a13c830b64e480a7d |
C:\Users\Admin\AppData\Local\Temp\UowO.exe
| MD5 | 66a3dfbd96b55a6bfe7cdc36420463c6 |
| SHA1 | 52316c98a55ac221a62e7162065c453a1eb75101 |
| SHA256 | 842c448c86ad9756c25255e94c06e50ee6797ca4d78a9b34fd8ba9baf9066438 |
| SHA512 | 865e20f8bd3ba25152b42675059bba5f75e353b5a3233740b1e7f55c84c5b8d3e1e8abca86b9ce11a8ef3c5f5f4fc752f18c0f2e06c8fc10e04e7edea35e94df |
C:\Users\Admin\AppData\Local\Temp\YowA.exe
| MD5 | 4abaabb68a6f01e4ee878460a81cf43f |
| SHA1 | 7cef352e2acfc642602e5f158d6c554b678497e7 |
| SHA256 | 2f90448d5d757eaed06e631db19276490d6a04443f8d10f4fc9037e6b1a0b86a |
| SHA512 | c5635270437ee012d282834e535c6c62a3ac521e75209807ca7770bae81dbf52f1531232672f0ec8051766570019bc0e4e91098617da1b32399d45ce4ff18d9d |
C:\Users\Admin\AppData\Local\Temp\aYgY.exe
| MD5 | 6f59e1de8fcbcc6c3fb0e61070a82fb1 |
| SHA1 | 731d725b8334dcaceaa29ef7aaf751eff4b41083 |
| SHA256 | a2eeafb57f0547b7fe5ae694a2e743b19f5784c0c0b6bf5809738e64f21d2790 |
| SHA512 | 726a9ce3c49fe7cb6a158d45a5caaf05fd135742e2accf6280a61231a2200e0fb044e877c6ce78403bf7a803b634e0dbdec93ca09d7626043a18ab106e63762e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe
| MD5 | 577cfc8fd6c77cd8f73c83e125f58e72 |
| SHA1 | a0a74a4d94a6784e76b3521c478832759b8f95b0 |
| SHA256 | 202129b66e37a5f067607ab8a417d84ad0c99105e6bc1f4edba1abac804ac4b4 |
| SHA512 | e89e2569a37f47242a25c8078ba2c9018c0bf8d151c243372f84d6202f828baed960921a60c48a56a660c82596dbeaf0b9e413584730fb0194313f886b87d7e3 |
C:\Users\Admin\AppData\Local\Temp\aYUW.exe
| MD5 | 2a89394a01503f30516016be43004896 |
| SHA1 | 844179bbcb9b4df5fb0ee791ca5a5830f93e1709 |
| SHA256 | 3448d9d786f535274ab88753c450add763a694982437805bf261d19096d06d4c |
| SHA512 | 38d4b42183aaafe62e104df83af9441e7283867b67f0dfca0ada263b009dd67357cdfcefb131f71598685a8abaf921e48ee6b99fd04a8633f47f570e2ce84337 |
C:\Users\Admin\AppData\Local\Temp\wAEA.exe
| MD5 | c3cf23f3057a250d873fb3f3b24d95a7 |
| SHA1 | 5e71a26f1587a9af3755aeb8e0b61751fac56b0d |
| SHA256 | 658e688e94142688aafb3b81aed684af61bf5796a4b49e0983fbd35ec10ca6ee |
| SHA512 | 32d2d16f9d4cab135fa9e35321e389911f92772d64284a5d760c30de67e1aa90f94301b21b565b2946c08918754aee1622d534de7550b99a2ec713eda602714c |
C:\Users\Admin\AppData\Local\Temp\qoAK.exe
| MD5 | 1205aa90f539db86ee2e7a0e2689ea4c |
| SHA1 | 47a0cbed73990c914e3349bc5fc46f090465a5d5 |
| SHA256 | 6af651ed6f50ff8b54bcddeccf51b0dfa1c9ac1d2c88be1c0a8cc9ad75b48cbb |
| SHA512 | e4f7e03356aded8fbd47ec5f53a7c92ba80b30605bda88bea0b4917c950ffe4a8d901ba9532264fde41b7af445d5bb699d202022d29ce0e523db74a40c7bdfad |
C:\Users\Admin\AppData\Local\Temp\UMkg.exe
| MD5 | 00dea0e890459b35c3ed7d7db5fb5ce2 |
| SHA1 | 1388ffdc2ecc06ad69129e731637c0720efb7eec |
| SHA256 | b527bfc13204c635c885c2b141676eaaa70add526d061956197562d7074be338 |
| SHA512 | f618d1455a6907f6207dc1851411369139151f610b5cb427494161d0f2e69c8e620e78c1b6f528acdad3e6d1c242b05d407cc605058414baf760d556a77e37a0 |
C:\Users\Admin\AppData\Local\Temp\skoO.exe
| MD5 | b73f3754934840362479331b7d9ec9d7 |
| SHA1 | a0731003e500b39689aa7ea086c3420a9fddd5a6 |
| SHA256 | 888edc056d18c4f53cca7aa279891d03177a85ef7e6def5214b7facc0e751403 |
| SHA512 | de409756c014560f201dbf8d5b2eb0d62a0c50adc0be1d89e8afb8690ff7b4251ff98ceec6f8dd4336206ebe05326ceaf3d2c9bc826bc8112578c3937dec5d48 |
C:\Users\Admin\AppData\Local\Temp\ecUE.exe
| MD5 | 4b9f9d716d26951c9f2aa7ad5f5fb8c5 |
| SHA1 | 61d8e932926053798e772ff176906967f4c3f247 |
| SHA256 | ec1fcebe76d22a3131df3d8310f32c4972f3d9fd119af72019d156211be887d6 |
| SHA512 | 766e6acc0e9acb0f9c2da65e438d22dacfe3626c6aede7b94abf445ca7f7fec5085f502e4ec7860a2802bfdbe305559e5ce19e9bf2281c12c020289e7261cd8a |
C:\Users\Admin\AppData\Local\Temp\IMAK.exe
| MD5 | 1e4e7862612cf883b5e9e6241768aedc |
| SHA1 | ed83f26dea64ca54342f8bebb2ba64ac542b1050 |
| SHA256 | b271504675c53dcbd3334438b04601665ee413176caf34906ddcc7e1612ef99c |
| SHA512 | e9d56c09d4f48c485e8014124b4e3244a2e500d7674ec86c1367e20b3caad8e12b8c1846535ab78359a055b37d3af39a3162d84d933053712fb657016378d93f |
C:\Users\Admin\AppData\Local\Temp\SMoQ.exe
| MD5 | 573aeb5caa8b8a585c53c0a37efeba8b |
| SHA1 | 911492f94671602a655b9b9d5172ac8591d143dd |
| SHA256 | 6c4c53407032e2c25ca431c5b9e44711a0768ab76197130143d5bb066699819b |
| SHA512 | 62b02900c6b59f0a68345be179d7b9d2e85a725d96404ba01da0b0fd5839b5d024961a694c2c84962278dff9f5403d8c679cdd19067f447b26c410d7fb84bf83 |
C:\Users\Admin\AppData\Local\Temp\owwQ.exe
| MD5 | c189c13c57d70f9f272cfbe1cad0226a |
| SHA1 | 8891ea0067ca54c4bf1534fa765d32353e0c7e70 |
| SHA256 | 7726187cb3423afe8cb9255167ab313f9e67510354b2a1eb87288bb6b590e2ff |
| SHA512 | bd3b914993eb4e27809bba9ffd5ec47d41dba39b8553a0468dbcd721120bb0fba313dd90531e2f76d8db0f121a3dbdf0f19b9023289174ffe05e414bdb2420c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
| MD5 | 1c8e401eb11f86db17644ec16a01a1de |
| SHA1 | 210cccd578e2ed31fac6d28b647b57f89a40112c |
| SHA256 | 19641a6ce4ce88810cb517c22b78d24e9d0e048c3807d699f877779f9c90d221 |
| SHA512 | 6b0434398d7d367b1122c6a84f0a9630479efd1ccda9bcd67f4dcd5a48a2d8d058dff956217e78031cb3ae50700c915e9d46865f649d7729d2eea0c8df0e28b9 |
C:\Users\Admin\AppData\Local\Temp\QMEO.exe
| MD5 | 8c83154658f487a836bdd6847bd05929 |
| SHA1 | a2b3eb14fee18d90058a32ed7f8151be266075ce |
| SHA256 | da1e57e1f828074f7cca1dbe3d3bf6842ef2d9bd47176c3552ca69318da701d7 |
| SHA512 | c89861ef25b8600675b3363410fc2713a64147d7da2b509062adbe40d78ee4a846dbfc877b76abc8426e34b18684f87e7c02d93a57779926f5f89989d9c45da2 |
C:\Users\Admin\AppData\Local\Temp\kswe.exe
| MD5 | 13715bdc49e4c6e9bc98b1f94a09e4af |
| SHA1 | 171f990c75922918516d4ac69d4f61361aae6bf2 |
| SHA256 | ee1d21da41c550ab0958d0d79e4e1c2f4bbd5562ec26e6d57f6583d732473ca5 |
| SHA512 | d24d86468d961cde1bd014c7f716d0d78b40436693a424636aafc25e3b12e7f18cef6468e77683d1d7c2128dace2dbbc170a72cfbe383d1d7e79ad6fe564d6ba |
C:\Users\Admin\AppData\Local\Temp\ckAS.exe
| MD5 | 1d1d02688f5a74f05140e9fa017877e6 |
| SHA1 | e6e77590c461b8e41806bbc92b508ecdc0ca7954 |
| SHA256 | 894200587d501ecdd47488b3bb780c7b566a03b3391cd9f2126cd07b15e55a76 |
| SHA512 | 7c4cb73318d3930fd88ad20bf4d5b3f21ed7505fc759bc051e4f7624d865a25cf559bba9d5e5844f29b0b2439dab7edd90263eba03fd8e04f777f4bf8579ddfd |
C:\Users\Admin\AppData\Local\Temp\qYkY.exe
| MD5 | 6feb76d04ab7216acaf0f67f401f0803 |
| SHA1 | be488f428133df7e115fac1fe57268a780044740 |
| SHA256 | 25bf96b705c625a484ccfa48d989b4b979bf5904a38fcf2f40339420b0fbc2d0 |
| SHA512 | b65bfce0bce8abc290e880d0c7bdcb0b959d4b27bd3fd2cd034ac310e0f741ddaf0bfc8836a83dfb3863eb48ae0753a39963a1340a6065e204c17966bec49144 |
C:\Users\Admin\AppData\Local\Temp\MEIo.exe
| MD5 | e0738ad9f8d1e0a14a61f338e2294100 |
| SHA1 | f07b9a6de639cec4a07e082f3d38a8b3329f5f63 |
| SHA256 | b90a9ee0dddba95881569ddd223b4a9cdd117bf533f34a46d8c705908a9e5761 |
| SHA512 | 456cb020e1b3d239af7dc0a8c5cd5894568c3adc56121fc2b77d2059fabac937e1d3312851f837f17adbeb80a49f34c01dc2b931725d0dd5f062ee709d6d84e9 |
C:\Users\Admin\AppData\Local\Temp\sooa.exe
| MD5 | fa7e5cd20980782dc9f542dc897a6d65 |
| SHA1 | c3f2f37437477e6b2d8bc8c986d830a575b00caa |
| SHA256 | 306fdc455697c13ae03f363d638a5b9a000bf4e4cec3fbe290e5e2f354801d55 |
| SHA512 | 3b641d4bee6bdec40e8297e4a812a45347512737b9f026213c82da2f8f7248d4beed0835ab4dd05b1f6417b7436bebbf6ac446a2d3513ce669b2e28f8fde61d9 |
C:\Users\Admin\AppData\Local\Temp\eQsg.exe
| MD5 | e70238fa809c907588fed4b67b1e8e61 |
| SHA1 | 968965ea38540971d3a1ae2121538acfd1c5c888 |
| SHA256 | 8214f97579eb3892e038f4d180bd4fb3e401cda85f6b9fc2d39eb1ca704921c1 |
| SHA512 | afa939b9329640beb0dd7907dee674f22798b9f791788788863581e4b01b567d1f2e2a29462e885da761dc92cabd3d30786b1e6d87a53ebd6e19c859662042b0 |
C:\Users\Admin\AppData\Local\Temp\IggE.exe
| MD5 | 9105c6d1676801fc7a758e5e1e9f6d7f |
| SHA1 | 58954da3e88324a7ce7adcde2140ccd1b812ee40 |
| SHA256 | b6f4ec3d627e6a0851cfd11f52ee373f760f43ac7a878941a9ad749dd2573399 |
| SHA512 | 47b299bfd561cd085872352c8a4839cbf00b4443ceeea6dc040947f8428cf2dad167eb969e6447b2179c99d406cee2f411dde19c586cf156d01f8fd6129c0885 |
C:\Users\Admin\AppData\Local\Temp\OwIE.exe
| MD5 | 148cc61dafcf00c22bc1031e263eda5f |
| SHA1 | f5413a0ca907702368bf0bc19ab12506c50b4c48 |
| SHA256 | 9e849cf494fe5462bb30a317bd1e46fa874d697f398c09180e7a5e2f5598873d |
| SHA512 | 91129d40b1be6499be41aff5ec71f12c4c5387e55a7a48e972ae821e33ba3293a5bf57779a344143fe10eab309276ffba321c1504aa4fa7e5a1e109d070a7887 |
C:\Users\Admin\AppData\Local\Temp\eAow.exe
| MD5 | 2e66552ab795d38224f40a905b92ca7d |
| SHA1 | 490c0a8939ba39453e7f657cfe725c2e27a348ee |
| SHA256 | 06c0bf85948c7c60680c55ea418f9ea42ba2cb9964c0da9948ec3b07c5149078 |
| SHA512 | a8264ef3bf03b58fb0cfa8a374472e7a89b5f340026ada67e237f509df8e1e0eb0d6ddf620f95a25ed7f2de7c48935bc9602c064561e9c0376e2bdbb018e6843 |
C:\Users\Admin\AppData\Local\Temp\UIsE.exe
| MD5 | 30328f72f5da4424238fb94eebf4cc7f |
| SHA1 | 25caedf6699090aba1f132bd73dc0831c1926f2d |
| SHA256 | 056c8dd3206ae518f0ec880cd1aaa051696ae3e1d8f384e344a86ad4a2bf652b |
| SHA512 | 79b9ff43167f1952400abdb98200ce6d36d9a1e36d1d80b61e707a277a6dc6ad6098e2a867ab4f7a32618685f09218333cd483c96b7edbae4ee1d254b9db36f4 |
C:\Users\Admin\AppData\Local\Temp\Iggw.exe
| MD5 | 74da53d2d58fdd60a13b27f784262787 |
| SHA1 | 9dca8a5c46d0d64478f8f11ff1b646acb07a7f33 |
| SHA256 | b6773e3b2be5357d857ea3cdaa8701ea6fd891c583aa510033df856c207ef00f |
| SHA512 | c2e8cae7170d7b93f203b41ead51dd71cb899bb751d5b3d452fee860e0b57c27df0f3693c16c57c1ae87c4a239750d9a5a331ecaab0649bff6e7a1b22c7a0973 |
C:\Users\Admin\AppData\Local\Temp\gkQk.exe
| MD5 | 4ca811278fd9665379c155dc3b29fd82 |
| SHA1 | 56d45bafba55b22fb079b4c2ed42dc8fe7162529 |
| SHA256 | d3b7e178bce574d1e6368b31e3dd4573b6c10ded5b38c166c625ef7bddbc8692 |
| SHA512 | 837bc34457554126b24c7b6d0a6a5717c6559250f80fc3f8737f79eb557b112489a0c3c7e03b87af382d61353ec7f0a3d0e0fab4930b9a700501834aa9f43a59 |
C:\Users\Admin\AppData\Local\Temp\UoUc.exe
| MD5 | aa0b1d037743bb15c658262f270f1dd7 |
| SHA1 | 289e95d01fdd6168b1927f670b15869c9e9ae287 |
| SHA256 | 3e944c024f4114add6220de2c0384d2cc0e66378a55a20419b96d26930e50e30 |
| SHA512 | 22adde2253b93498b5df21f8bac9d7e41cc8d3a1033a266ce7f0a7434c2c97120d646a0f7a5fef177138e6127e6866e56854186386a69014e5825d8f4a7b4fbd |
C:\Users\Admin\AppData\Local\Temp\sogU.exe
| MD5 | f759182f9d308e1f89de6a8d29ccf82b |
| SHA1 | 88998a3f3d2481787084f2da85229456abfa0db2 |
| SHA256 | db84f7633a3b1d13b3ec6d9c1e49adbec68ab4ea9b919424eb6e7f73c961153d |
| SHA512 | 3d4521f6387ec38c79d1897c926840ea1ab3a8d4cc3c510c1d64855e206c89db3c502f292ec37b1a74c4f3ff14acbca812703dfa4cfadbcac6de793f4c91aef6 |
C:\Users\Admin\AppData\Local\Temp\SksU.exe
| MD5 | 00bd27af653883e937bdd0ffeed4f39d |
| SHA1 | 5e2c3420ebf4e4a7722de1f448738c22f1f6aa0c |
| SHA256 | bba18886e6a65a8ce9b95a40c0d4b04029ad3a616628943abb5554afd74c7906 |
| SHA512 | 15a4ed358bc98d350b8b03c1fde8d2b1ff86886c3d0cec38a11d495ac17b4e954a2cb86f6596bea3f72a03a3110ceb68522b5541a51fcb8f542d61da3d50895b |
C:\Users\Admin\AppData\Local\Temp\OIgi.exe
| MD5 | 562edfcf4af02246e8f7b95729127104 |
| SHA1 | 2b04ef16b78a4d4460eabcf48cb1521322da33be |
| SHA256 | 4a11aa579509fb4566294740f5c692bec516ac1250bce8bb5265e533133ca855 |
| SHA512 | 9f8862709c528485bbee92d1caa7fdf991112494feebf96ca5f24821eab850862dcbd67bc6d65b98112d5258b98790b26cd2725b441be4a6ccc384e8967cf8d3 |
C:\Users\Admin\AppData\Local\Temp\qAMc.exe
| MD5 | 0bd3a38ed90ecb9139d49e26203aa35d |
| SHA1 | 0a4debfbc90ec01ab47d77bfeb668412a091aa88 |
| SHA256 | 405b424314286e30d40c8f2c7fd23b78a41206fa53ee1d1470dfea072584cc58 |
| SHA512 | 75dd84813201cddada5d9054b0aeb41c1cb608d3b7ce1d5bb4f04dfe43bf1eeabf39aea97b78747c528ad3b395971ca5da7c85ac2aa3ebc6d04d02677e7a3d99 |
C:\Users\Admin\AppData\Local\Temp\cEUo.exe
| MD5 | d8a12e184b1eb18581667b99519eaa8b |
| SHA1 | 5c09e5c29767fc0f818e97875c9818d57d601d01 |
| SHA256 | 222a85f57a4731cb11a4a67d68e05b9e12f4c7ebc6461cdb6f834033ae0b4b59 |
| SHA512 | 4688490bb5db9112d703d9987b48fa8565567d91e265e3dc78370fd138aa851ccf481c1097af4070e60639f60870c7297510d337ca513920bce352e907f06e0c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe
| MD5 | 68a4428713a06dec7b233fe182977151 |
| SHA1 | 06807417613aa0a2b230a778bbd1399f3a32aff7 |
| SHA256 | 2766c1419432c611616533b23071397108e56af1bdf7d0eb46404edad4cb4384 |
| SHA512 | 2e1796240faa27dc8ef770fbda7ae9caa1a7653f9c201538752d0f3699d8320998f07cc7b415289a82d0bbae3fccd1c459d0bc8e34cef355b64f9abc23863b47 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe
| MD5 | df58047715a2dd042b4ce260b9f9b8b7 |
| SHA1 | 47dbe6725e4482a9b4e66e11bdcd4405a86cf45f |
| SHA256 | 4a3e7895fc545507f27dfaef746b970805458ebc4a2874b3fc2ed3ee642c6c2d |
| SHA512 | c71801eee99f3ab80430e7329f6038ca916b4a5a9f8b0558e9f8b7f743f4500d3d13b1a7651f23370594f258c2bc2064682d8932819bddf94f13e383181df28b |
C:\Users\Admin\AppData\Local\Temp\uEMO.exe
| MD5 | 7121f4bf48309cf4d31eacd6251ee8af |
| SHA1 | 3089840c26dc9c25b470bf12ed232d70ab716b35 |
| SHA256 | b4290a0a2632ce2714e4a6ab0870e550af8c1a25f8eb28fe3d6c8c4b3f982958 |
| SHA512 | 12e39f43832430db553bc4674a3de76c4d2f138eae8267b0f5b391f1ceab4092c1403e5b73180e0a57c25c86ee29b95d19458b403c42f5922a2c9e9a9d4e19de |
C:\Users\Admin\AppData\Local\Temp\MQkW.exe
| MD5 | 0c9e1098a7b2009de7e30bd0bc296e88 |
| SHA1 | 386f8c83b1ca85052e11974850a6d0fc5a91c713 |
| SHA256 | 4267405bf6e634cbe87707d8434f7becdfe09c16466500aa06b906ed16326acf |
| SHA512 | 30e10845a1563114d66997be8ea685f584c5bb548cddc0772465f4021a14b3d6e9ef16b4f1929da58a0d62c01504202dcb3499942f249a4576e12efae2285df4 |
C:\Users\Admin\AppData\Local\Temp\qwQW.exe
| MD5 | 0d74441f83d7ccfe4f9f1b7d1cdc772e |
| SHA1 | 063f13faa067af059a50a5a51724f51a29cd106b |
| SHA256 | 420dbacf69185d07c01cdc5bbb5314941387e2b110c8043baf80fcdae75eb6b1 |
| SHA512 | a0c6b679da8eb5d9a385bdf7e3775a506c59e8dba9d528d3168c5fe832f1227db11de1c591a3bca9983240397ad761da7dbc6899b7507c3319ff2fa87cab70d3 |
memory/2820-1102-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GUoe.exe
| MD5 | 8b868b04d5a87bcdd5c56494a117231c |
| SHA1 | dcf3326a3598ecd279ad9533f9c0901350eb3f6e |
| SHA256 | 53a71e20a6c430033ebba7fd07b6e0df9bfba1e94443496fc46269554ce374ca |
| SHA512 | 037b531210102ee34f476bb35f4d5cec82fe599414c219fe9b0790ff54293f4dc4b9d880e88a7ee5bc49e63a370402157501352fc2c835ebf4c0bffe601c1437 |
C:\Users\Admin\AppData\Local\Temp\yEEw.exe
| MD5 | c76e2c1f68f69b4e650f5f849592c841 |
| SHA1 | 0d7ee8aa9e06561228b2332451d11d260ec0f26f |
| SHA256 | 784ace69285cbac3571bc6d974d2478f98fba28a8a1c154337cbdf159798b43b |
| SHA512 | 9def9c86fae07debe903a5f8376af46986ef0683614e7d3d6f8700c464134ad56d0d4311f710359d4fedeb3f5ed2ce81cfa8bd35ac7b2f13ad3424be7c85b3e9 |
C:\Users\Admin\AppData\Local\Temp\KIIi.exe
| MD5 | bbb97ff7fa622a1e0217379c9f1e4451 |
| SHA1 | f43cf72ed2d0bb2d76c52b5dc3b1c19321799d3e |
| SHA256 | 708c2bc9803588a67d137eaed41f3e42d11a4e5bb5a628666ae9d470abded34c |
| SHA512 | 52f30e464c950e8f1f95cedafe9def8b98445b418ce664dde2d5aeca4a90c36ad27d3eed11a2b332bb7ec8bbe100438b5f0bdcd21b9c6fd8e533cb8b939d1346 |
C:\Users\Admin\AppData\Local\Temp\mMMI.exe
| MD5 | dea49d6a750bffa63f9613d56a583a64 |
| SHA1 | d8b735754d67d89bd8213b5f2798eec9772e287c |
| SHA256 | ecdb71c9b135b0a1d2a7829b07e66ccc2e04356841227fa37c46f543785fae37 |
| SHA512 | 2656cca01ccb133abca8f4202cab9bcd12020cccc3a1d34ea0712b8564eb7fdccbfe5af25368e941f18f8eaf82cd8dd8ff7c908d4bc58cdb9fa1dd47406cfc21 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe
| MD5 | a6e98037cacffb411823764d6899cdb0 |
| SHA1 | 3324b639f3133c97938541ec1f8be5b7a4b438f2 |
| SHA256 | 88a6f69fe4b5a1899c42aa2e76e93ebee5c020d205fc3dfabe886e33feb8d651 |
| SHA512 | b330dc462d0422a4dc42ecb8327d89a752bb22cafaab44f7a2e06146324e8af41fa2aeaf4792270c3db49148471ab56662dee4d59fe0d5c8a9fccff2fd64afd8 |
C:\Users\Admin\AppData\Local\Temp\kQsE.exe
| MD5 | 9ce116ff24f1183df63a1003d93c4797 |
| SHA1 | f7bbace850d4856b105bcae6bb96874507177a70 |
| SHA256 | 31055e9b83ba581d4e9997488d961d0307b6f4448ee61096d868160e57a92108 |
| SHA512 | 7f8118b3f08c6d12545eb7a0a8348e350f0a7c1568784edf71a50daa69455ca5725667a86965b9d1f84bd89e71ab3141eb66707ad027a4f6674457aad56e25f3 |
C:\Users\Admin\AppData\Local\Temp\kIQu.exe
| MD5 | f72e53555e80b6ed732500c62dd086ba |
| SHA1 | 9a9fc3683c0f5a68c29aa82032520d42cca4c765 |
| SHA256 | 49e599b3090533e349964b4cf1d9ceb64272d3f3926950d8a1c80d024a3385ac |
| SHA512 | 5800911b381362f11e57e085715f883639e958f66b47b229559bb9cf62890f4389d4bfe880df225206e5186ca035f7f94a14311664ca6d567caee9cf9fde613c |
C:\Users\Admin\AppData\Local\Temp\OMAy.exe
| MD5 | a34888d8dad00e288da108caab53e763 |
| SHA1 | 11407ed953907c4b766d9d296797cdbab51f938c |
| SHA256 | 4732cdd316f13bc4ed7af4e1c39a8f2ae918d902d9fdca3ee75e004a4f1c783a |
| SHA512 | 663ef4bdb5f9ed5a700ff8fc9bbbf43028eadd4ed2254adec400de0741ef02b6b2601752a90abb3c9850ef6c4fe3e0b17640dc82eae3445e3859817847d419d6 |
C:\Users\Admin\AppData\Local\Temp\CEgE.exe
| MD5 | b2906ba94ddcb0f7b9e48b63075b6865 |
| SHA1 | f0db76ead0f15605250d9c1e47177b086770eb4a |
| SHA256 | 121831af9b5d61e3d2b9d65fea65496a9eb7a943cf232fc336840e6a843b94cb |
| SHA512 | e3915378b6adcda0ad2b89b1cf8e73e1993cb46b8ea97f4cfd86fd7196d055d29365e930a2a77f4bad691ec316717e525592157be7c3694cd4c0f9bf28787254 |
C:\Users\Admin\AppData\Local\Temp\skAS.exe
| MD5 | a5bd09d9b10f9d312a975cf44504f758 |
| SHA1 | bae3bc193cc3107f56e167b0c59c533d4b117d78 |
| SHA256 | 9beeb3586f29fb663eb90e823dfe6199565d06cc9da8830707a5e34fa9bc1e96 |
| SHA512 | 5bc2078fe3b9256af8889704f4e23858d3780de8ac3175a2495e0005e8eaf06e0e6bfc726bd4bc1644a29edae5d38dff65e52f0329715910ec137a1e6070e35f |
C:\Users\Admin\AppData\Local\Temp\QUMo.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\Ikow.exe
| MD5 | ad01a32f50f51349a3fe23deadb5c232 |
| SHA1 | 09e716b13bf4a32a77faa9b5ebe0ed200436ecae |
| SHA256 | 10fada8c871e651451b28a2d39ceb7f1ed38d03eba9399c442c7c84de8fc91b8 |
| SHA512 | f6b68c97a3cc9ca1e6a007e6ec1d0ead44b7fd9437c05f4f35ce3f2b30ab842c982ad7c0b0c2af513dc416663211d6d98181740311c845539f5bf414a50c8f9f |
C:\Users\Admin\AppData\Local\Temp\CkQc.exe
| MD5 | 492c2685418fd96c9b473f44b8abaf1e |
| SHA1 | 57a1677b0fb63c0060e4d93eec503d1662268244 |
| SHA256 | 30dae39552a21b9f528c56aaa12653e20557080ce1602fcdd78aafb8f28739d1 |
| SHA512 | b241448d559bb60bd9ab559cc7f4245319f67b1eda177698e702f16532bc4ed86e3d7c80111b07fcefe0ef434943b9b0bea4b0905fcca93951c1be6128656eb7 |
C:\Users\Admin\AppData\Local\Temp\KMcE.exe
| MD5 | 64e6ac0d2160c30b1c9b1141fc4c318f |
| SHA1 | f177f57d81c6c86e2fb1f129603928aaad7fca3f |
| SHA256 | e4202c152231e9c7cbd95b1605bed55769f18a9f741cec565756e50214246fe6 |
| SHA512 | 39178c75e306512c90397046f2801a4f0633d9c42aa5a3eef5e3f6ab743d107154690a05d283d2768f6948303531ff6244d6f6168abdaa2ae54d93e2ae3ee56f |
C:\Users\Admin\AppData\Local\Temp\kUEs.exe
| MD5 | 1f4b21d1214b6fd87656739266b7a6cf |
| SHA1 | a1ed0323ac86669a5447311e8746de8bec004b3a |
| SHA256 | ea58132aae2be66ffd06e3c4a8b661ffd4ee2a19f7c5965c42472c6a054d5621 |
| SHA512 | 47c1078969ffe70912e01742be753fdb7fcf52aca1e6c3a90d46774fb9939757e0a095d5f5d470e24203a20a3b48194b28edf7fa1ab5f4a9c721ef1180285bb4 |
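Triage helper for the dropped-file indicators in this listing, added here as an example and not part of the sandbox report. It walks a directory tree, flags files whose name carries a benign-looking extension directly before `.exe` (the pattern of the renamed `128.png.exe`, `KFMLockedFileToast.png.exe` and `OneDriveMedTile.contrast-white_scale-400.png.exe` entries above), confirms a PE `MZ` header on those, and compares every file's SHA256 against a subset of the hashes listed on this page. The disguised extensions beyond `.png`, the demo directory tree and the file contents are constructed assumptions for illustration; the real dropped files are not reproduced.

```python
"""Triage sweep for the dropped-file indicators listed above (added example)."""
import hashlib
import os
import sys
import tempfile

# SHA256 values copied from the dropped-file tables on this page (a subset).
IOC_SHA256 = {
    "6c4c53407032e2c25ca431c5b9e44711a0768ab76197130143d5bb066699819b",  # SMoQ.exe
    "19641a6ce4ce88810cb517c22b78d24e9d0e048c3807d699f877779f9c90d221",  # 128.png.exe
    "2766c1419432c611616533b23071397108e56af1bdf7d0eb46404edad4cb4384",  # KFMLockedFileToast.png.exe
    "88a6f69fe4b5a1899c42aa2e76e93ebee5c020d205fc3dfabe886e33feb8d651",  # OneDriveMedTile...png.exe
}

# Extensions that may appear directly before ".exe". ".png" is what the
# listing shows; the others are assumed extras to widen the sweep.
DISGUISED_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".txt", ".pdf", ".docx"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_disguised_exe(name):
    """True for names such as '128.png.exe': a benign extension right before .exe."""
    lower = name.lower()
    if not lower.endswith(".exe"):
        return False
    inner = os.path.splitext(lower[:-4])[1]
    return inner in DISGUISED_EXTS


def has_mz_header(path):
    """Cheap PE check: the DOS stub starts with 'MZ'."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan(root):
    """Walk root; return [(path, sha256, [reasons])] for files needing triage."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if is_disguised_exe(name):
                reasons.append("double-extension")
                if has_mz_header(path):
                    reasons.append("pe-header")
            digest = sha256_file(path)
            if digest in IOC_SHA256:
                reasons.append("sha256-ioc")
            if reasons:
                hits.append((path, digest, reasons))
    return hits


def demo():
    """Scan a constructed directory tree (stand-in bytes, not real dropper content)."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    icons = os.path.join(root, "Icons")
    os.makedirs(icons)
    with open(os.path.join(icons, "128.png.exe"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 62 + b"constructed stand-in, not the real file")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign text file")
    return scan(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, digest, reasons in (scan(target) if target else demo()):
        print(f"{digest}  {path}  [{', '.join(reasons)}]")
```

Run it with a user profile directory as the argument (for example the `AppData\Local` tree the listing points at) to get one line per flagged file; without an argument it scans the constructed demo tree. A hash hit is conclusive for the exact dropped file, while the double-extension plus `MZ` check catches recompiled or re-padded variants that the hash list would miss.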