Malware Analysis Report

2025-06-16 06:31

Sample ID 250515-k23e9avsf1
Target JaffaCakes118_047c408df84c32f8d5712456276d1680
SHA256 0c07ac694ef7558a4e2277d2076fb1a432992648748e38ac2b4db4beab1bc6d8
Tags
defense_evasion discovery persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0c07ac694ef7558a4e2277d2076fb1a432992648748e38ac2b4db4beab1bc6d8

Threat Level: Known bad

The file JaffaCakes118_047c408df84c32f8d5712456276d1680 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (51) files with added filename extension

Renames multiple (56) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-15 09:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 09:06

Reported

2025-05-15 09:09

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (51) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RIIoEoMU.exe = "C:\\Users\\Admin\\hkwMwwsw\\RIIoEoMU.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ggswYEgU.exe = "C:\\ProgramData\\SsoAQgEQ\\ggswYEgU.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RIIoEoMU.exe = "C:\\Users\\Admin\\hkwMwwsw\\RIIoEoMU.exe" C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ggswYEgU.exe = "C:\\ProgramData\\SsoAQgEQ\\ggswYEgU.exe" C:\ProgramData\SsoAQgEQ\ggswYEgU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ggswYEgU.exe = "C:\\ProgramData\\SsoAQgEQ\\ggswYEgU.exe" C:\ProgramData\VIUYgsog\EKAcAsMs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ggswYEgU.exe = "C:\\ProgramData\\SsoAQgEQ\\ggswYEgU.exe" C:\ProgramData\SsoAQgEQ\ggswYEgU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RIIoEoMU.exe = "C:\\Users\\Admin\\hkwMwwsw\\RIIoEoMU.exe" C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\gYkk.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\QUQs.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\AWYY.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\iMAq.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSaveStart.xlsx C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\GQUw.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\QQgQ.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\mcgG.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\coEU.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\mgca.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\yUkc.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\WUoC.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\EMwC.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\hkwMwwsw\RIIoEoMU C:\ProgramData\VIUYgsog\EKAcAsMs.exe N/A
File created C:\Windows\SysWOW64\SIow.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\gqwA.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\WIMY.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\skYS.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\cgQa.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\kIwe.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\kkYY.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\KOsc.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\uWkw.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\iIYW.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\asYW.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\qsgu.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\auMY.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\AOEs.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\CAYQ.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\uYUe.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\WsgK.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\QOQg.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\coEU.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\uqEo.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\ukka.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\kscU.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\ooIU.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\eoso.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\sYoY.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\MUMk.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\IwQu.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\Qqck.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\qAQu.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\qkUY.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\asIa.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\CYUE.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\mYMS.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\qAQu.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\WUoC.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\oYUC.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\euko.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\wowa.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\ucAa.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\hkwMwwsw C:\ProgramData\VIUYgsog\EKAcAsMs.exe N/A
File created C:\Windows\SysWOW64\kMAU.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\qwMU.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\scYI.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\oYwY.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\ywYC.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\OQoc.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\SgsI.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\gMQc.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File created C:\Windows\SysWOW64\Mowo.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
File opened for modification C:\Windows\SysWOW64\cyQQ.ico C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3304 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe
PID 3304 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe
PID 3304 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe
PID 3304 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\ProgramData\SsoAQgEQ\ggswYEgU.exe
PID 3304 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\ProgramData\SsoAQgEQ\ggswYEgU.exe
PID 3304 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\ProgramData\SsoAQgEQ\ggswYEgU.exe
PID 3336 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe
PID 3336 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe
PID 3336 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe
PID 3304 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 3304 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 3304 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\ProgramData\SsoAQgEQ\ggswYEgU.exe
PID 3140 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\ProgramData\SsoAQgEQ\ggswYEgU.exe
PID 3140 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\ProgramData\SsoAQgEQ\ggswYEgU.exe
PID 3304 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3304 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3304 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3304 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3304 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3304 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3304 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3304 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3304 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 3152 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 3152 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 4908 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 2812 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 2812 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 1976 wrote to memory of 1336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1976 wrote to memory of 1336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1976 wrote to memory of 1336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2116 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 1524 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 1524 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 2116 wrote to memory of 5668 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 5668 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 5668 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 5868 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 5868 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 5868 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe"

C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe

"C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe

C:\ProgramData\SsoAQgEQ\ggswYEgU.exe

"C:\ProgramData\SsoAQgEQ\ggswYEgU.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\SsoAQgEQ\ggswYEgU.exe

C:\ProgramData\VIUYgsog\EKAcAsMs.exe

C:\ProgramData\VIUYgsog\EKAcAsMs.exe

C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe

C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\ProgramData\SsoAQgEQ\ggswYEgU.exe

C:\ProgramData\SsoAQgEQ\ggswYEgU.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGQUEQkM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqAEMgQs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuwEoggU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSIsgscU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWkIsMYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DekMwEEY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KccAYcMs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyIsEwcI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lacEkMgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOwwYwQA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VecwEUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgkYAYIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EscsMsgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmkcgIUs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGsUIYcs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMUYswgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beUEMMYs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vScEAooY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyogYcQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoowEwEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYIwgcks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwQwIkUE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwssIgAI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQQYsQoI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyQMUcMI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUAQYkcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAIgQYYs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
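The Processes list above repeats the same three reg.exe writes (HideFileExt=1, Hidden=2, EnableLUA=0) around every batch-file and cscript launch, and the Files list further down includes a dropped OneDriveLogo.png.exe, which the HideFileExt change makes appear as OneDriveLogo.png in Explorer. The script below is an added example for this page, not part of the sandbox output or of the sample; it shows how an analyst would turn these records into detections: it parses reg add command lines (accepting hive aliases and either switch order the report shows), flags cscript/wscript hosts executing a script out of %TEMP%, and flags double-extension drops. The record shapes, the %TEMP% heuristic and the decoy-extension list are assumptions; the sample rows are copied from this report.

```python
"""Detection pass over sandbox Processes/Files records (added example, not
sandbox code).  Sample rows below are copied from this report; the record
shapes and heuristics are this example's own assumptions."""
import re
from pathlib import PureWindowsPath
from typing import Optional

HIVE_ALIASES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}

# (normalised key, value name) -> (DWORD the malware writes, what it means).
# These are exactly the three reg.exe writes repeated throughout this report.
WATCHED_VALUES = {
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidefileext"):
        (1, "Explorer hides known extensions (OneDriveLogo.png.exe displays as OneDriveLogo.png)"),
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidden"):
        (2, "Explorer hides hidden and system files"),
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua"):
        (0, "UAC disabled (EnableLUA=0 takes effect at the next reboot)"),
}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".doc", ".docx", ".xls", ".txt"}  # assumption
SCRIPT_HOSTS = {"cscript", "wscript"}


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted runs intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _dword(text: Optional[str]) -> Optional[int]:
    try:
        return int(text, 0)            # reg.exe accepts decimal or 0x-prefixed data
    except (TypeError, ValueError):
        return None


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Return normalised key, value name and DWORD data for a 'reg add', else None."""
    tokens = tokenize(cmdline)
    if (len(tokens) < 3 or PureWindowsPath(tokens[0]).stem.lower() != "reg"
            or tokens[1].lower() != "add"):
        return None
    hive, _, subkey = tokens[2].partition("\\")
    key = HIVE_ALIASES.get(hive.lower(), hive.lower()) + "\\" + subkey.lower().rstrip("\\")
    opts, i = {}, 3
    while i < len(tokens):             # /f and unknown switches take no argument
        flag = tokens[i].lower()
        if flag in ("/v", "/d", "/t") and i + 1 < len(tokens):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return {"key": key, "value": opts.get("/v", "").lower(), "data": _dword(opts.get("/d"))}


def check_reg_add(cmdline: str) -> Optional[str]:
    """Describe the write if key, value and data match a watched triple."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    watched = WATCHED_VALUES.get((parsed["key"], parsed["value"]))
    if watched and parsed["data"] == watched[0]:
        return watched[1]
    return None                        # e.g. HideFileExt=0 is the benign reset


def is_double_extension(path: str) -> bool:
    """True for names like OneDriveLogo.png.exe: executable suffix behind a decoy suffix."""
    suffixes = [s.lower() for s in PureWindowsPath(path.replace("/", "\\")).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DECOY_EXTS


def script_from_temp(cmdline: str) -> Optional[str]:
    """Name of a script that cscript/wscript runs out of %TEMP%, else None.  The
    report's own line uses a forward slash (Temp/file.vbs); Win32 accepts mixed
    separators, so normalise before matching."""
    tokens = tokenize(cmdline)
    if not tokens or PureWindowsPath(tokens[0]).stem.lower() not in SCRIPT_HOSTS:
        return None
    for arg in tokens[1:]:
        if arg.startswith("/"):        # host switches such as //nologo
            continue
        norm = arg.replace("/", "\\")
        if "\\appdata\\local\\temp\\" in norm.lower():
            return PureWindowsPath(norm).name
    return None


def triage(processes, dropped_files) -> list:
    """processes: (image, command line) pairs; dropped_files: paths.  One string per hit."""
    findings = []
    for image, cmdline in processes:
        name = PureWindowsPath(image).name
        reg_hit = check_reg_add(cmdline)
        if reg_hit:
            findings.append(f"{name}: {reg_hit}")
        script = script_from_temp(cmdline)
        if script:
            findings.append(f"{name}: script host executing {script} from %TEMP%")
    for path in dropped_files:
        if is_double_extension(path):
            findings.append(f"double extension dropped: {PureWindowsPath(path).name}")
    return findings


SAMPLE_PROCESSES = [  # copied from this report's Processes list
    (r"C:\Windows\SysWOW64\reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1"),
    (r"C:\Windows\SysWOW64\reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2"),
    (r"C:\Windows\SysWOW64\reg.exe", r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f"),
    (r"C:\Windows\SysWOW64\cscript.exe", r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs"),
    (r"C:\Windows\System32\Conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]
SAMPLE_FILES = [  # copied from this report's Files list
    r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe",
    r"C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe",
    r"C:\Windows\SysWOW64\uYUe.exe",
]

if __name__ == "__main__":
    for line in triage(SAMPLE_PROCESSES, SAMPLE_FILES):
        print(line)
```

Matching on the full key/value/data triple rather than on the string "HideFileExt" keeps the benign reset (HideFileExt=0, Hidden=1, EnableLUA=1) out of the alert stream; the same parser can be pointed at Sysmon event ID 1 or 13 exports, since both carry the command line or the registry path and data the checks need.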

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FR 216.58.205.206:80 google.com tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp

Files

memory/3304-0-0x0000000000401000-0x0000000000475000-memory.dmp

C:\Users\Admin\hkwMwwsw\RIIoEoMU.exe

MD5 bdf66af55f453a9df62681f38d18c176
SHA1 7108eb8f9abc2cfebf46673ec3e2a76efcf49fdf
SHA256 ad294f4660ca66d8f56eb4227a242daacf44434015106d64417500e9b80ce5da
SHA512 43ff204cb977e6ef9674b23bcac59578e1b3acfb1e3d88af440ae443ffe6f816b25bb1a3706bd9dfb8ff2ddd409ff3b3518f797f4461a5a63c695d516061f83f

memory/3924-6-0x0000000000400000-0x0000000000479000-memory.dmp

C:\ProgramData\VIUYgsog\EKAcAsMs.exe

MD5 e3f26bfa9c2bd95be3bac31450f5eda9
SHA1 cad4aed7326c374d9168bc6f44a8c674f78f65d2
SHA256 60a67ffbc2620970deddcffc50ba77a661bda8f831ddaf3aff0389b9589522b6
SHA512 7f5309204c295d9aef9f141816b7527588b9727d5d95462fc091a5a229af09ff416dae6c06ebd9acf4a94712a87ca5b67141bc4a7fd0ae26b86c608cfe3ddb6d

C:\ProgramData\SsoAQgEQ\ggswYEgU.exe

MD5 c9484c198135fa759d0d932fc15eca0b
SHA1 4ffe6f55f837706feb152a2faebaf1ae2285ddea
SHA256 6f63a1f5c7a817309c27b39d02980a194f27b6f65c45b2f6d142c3528dc64bc8
SHA512 edab5eb9d4e12528ae9fd73578b011c8fba502da89722bf24213142ca28c3eb2f500c617fe09602c6abf554206651b8618dd0ddf82297ea89e39f4d34a1e8fc5

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

MD5 a137db26123ef0010b9a5a32a99280dc
SHA1 5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6
SHA256 ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd
SHA512 b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

C:\Users\Admin\AppData\Local\Temp\OGQUEQkM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3304-141-0x0000000000401000-0x0000000000475000-memory.dmp

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 007475f79d444cedc6c6c7feeda57209
SHA1 c6a14922b823d95f32d0e025c8a13d61b3b9f0ff
SHA256 c2be50c1ebb6f519bc6483f04ab0c0777210c40a1ae4ce30054306d37f929541
SHA512 130ebeb8f1061f998b5eabcb4df28a9c78e76438796aaeecc3efc703e50f9d64f7b21886adfe654fbbe8ae97da2739d96c11b55e090d378e18a65b3d16f3ad57

C:\Windows\SysWOW64\uYUe.exe

MD5 1400f66850db138b8286da28ce67675c
SHA1 2c5e797954f79e6ee6aaa2c7722cc3da2dbc3d3d
SHA256 bcce830891259036ae8b339b8e5130dd160477d0c0927349cf7f9115b5fae81a
SHA512 5b1707f0ee68eccad1303cada340292714519962521d98c97fcbd67c3adb4844f679c89524c704a6b2b44d04e68a8798cd0dbcc514bb8ac1f6d246283d54dd30

C:\Windows\SysWOW64\ikwI.exe

MD5 f94c7386ebfee305a08bb78d5b19d59a
SHA1 ce2b1fa4169567d39d4105ec2f4d52a744f44dc3
SHA256 fa0387e11f0ae63b66b67b6d0da9369216140eaa6d766c7c5657230278728e1b
SHA512 767380fd0b6dbc77e52cca29ee88a01e3e3909a98493f98694981c8bdf2ca59b35c69ed57b56c5a6f03021165ecb9a1645e4a241467e2f3640dd7f9dc6426277

C:\Windows\SysWOW64\eoso.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Windows\SysWOW64\aEAC.exe

MD5 6f455cfe5aef6b792a258ab104e145ca
SHA1 67d3c2949c1245353fb38d2ccd7ccf9880c2a784
SHA256 92b354c7628e1e39438b4d50e8c039cac050cd4626bde8bc59b4c51cb77c676d
SHA512 2c69c8d4f1b7ecee5fb475877e6836216038d33b76e5b43f7da40f737b9ec503208376a29499f5461cc70a1c178a898dd823bab504691bbb7b2b1e4f539c2bc3

C:\Windows\SysWOW64\WsgK.exe

MD5 4a446baa471dc9907d01421507cff447
SHA1 7830db80643addb54e9d06fed1a0aa91ecc70048
SHA256 cd1ebefa1604134a129b5d645ec779368700574f0fbcca505958088e9eaa139a
SHA512 f588b1a18226b857418ca99eabfc80b8d318dd7cc70193c95f78438189ed72307e66bb1069d4ba7386dc91dc9ca63647b728f4255e9a917505315fc94609f732

C:\Windows\SysWOW64\SIow.exe

MD5 8783abd64994bc25307357b8dd06e93e
SHA1 3ff9b542642b0b0988c0c72d63cdb347f368c918
SHA256 fa8e736986d5aaf08bb3d6860b00bce2b4b414f4d6d2aa98216a1ae5bcdfdec1
SHA512 17b66900fe2794b14fa8becaaa5c1cb888741305ef046f761a8172861a14c49677c5f239cdfdfbedf660053011019429e312e55ad64be5070891f5465cda25cc

C:\Windows\SysWOW64\WwEO.exe

MD5 7af74720dd22a2356ab8eff9097f8b89
SHA1 c69721318bdf7e173a23f3ab1d9bfbfb6f01c71a
SHA256 c4de04e835d9ca2c436911b90aa872d0bf73ad90b97cc664de02bd4093210f21
SHA512 b541cb3a9249e40e74c40cc93abda5c882943c70f2e47a03d40edaed136041c6d703534b24bdd640bb317b967d513e59450d3882d967158ae2454800bce43b34

C:\Windows\SysWOW64\kMAU.exe

MD5 bdc2b838f10b25ceaff893154c4973e8
SHA1 5c995426b790da6a2b48686f1a5fd75a794e4761
SHA256 6ac09f23440caaf38a00b86718d4b135742288a97625d4c30c3c8cdfa44ec99f
SHA512 dadabf3acc939224f9a3204354853f9b34ef415e6c0ec156cf0cd7eb6e983d76db5d7ffeee30007c675ff517111736a15b3ee0ea970abc365d5ddc7e293a94e9

C:\Windows\SysWOW64\uAIi.exe

MD5 b9d02fba785bbc5eb84719ba43f335e1
SHA1 778c6c0a373aebfc9290d9e91fd257e164a7be35
SHA256 a289193f45870526a888133c0c6b91ac8674cf84df9fe5a058e48f181bc6c907
SHA512 2fa49a502412ec8a555ee9599455a29867018cb05afa3a65675610eef32bd2635e589979ee4f15a42fee3877b6f7f3aece6b72e45a4478371311ca23c9674d16

C:\Windows\SysWOW64\wIQo.exe

MD5 986a6f0485d38900183abe8a14a68d7d
SHA1 a0f2981a0aa14327aafe186d3c6281dc7ea16805
SHA256 eaa9978dc53c0764a5ff0620ee85b3d1f7ad57a5471ecb2fd0b94cb0ff05f112
SHA512 14420bcdc3ef3ba7e351f374f44292945335831893a5a7cc81ac018422fdde376e31b0da8fef9e9a8ccbd0b7297536e4304dbc4c8f00a56fe08e01c0170f484e

C:\Windows\SysWOW64\kwsI.exe

MD5 fbd3bce3962d573081a42e28960c2dc9
SHA1 2051421e7b06f6bd6ace4015148b76027f153147
SHA256 6bf2612e0558da629c07dce3b031990d88926f07479ac8ec0c4e5cb8e4bc3171
SHA512 b8bf100a6067d852704e52042708426ae60ce2f6fcb1291ae9726e799b17e92ccd10093a1cad0b3540a80b4e696b8330c45aa35fe14984e831712ec6bcec5eaf

C:\Windows\SysWOW64\msQk.exe

MD5 c4e102a1f78f0ec8df44a790cc9477e8
SHA1 496762d5b5517e279b544b5728578e307c628824
SHA256 4ecab730f34e965f4c820f19d048a546367781557f5e4476276aff0525ff5feb
SHA512 db51e0b70334d8bdf714aeffd08b2bf7af15a3c541cdf8710c937fdb4eab36348fcfe5f7c9940ad43f38e3a3bdee18dd5abec98c604dee4c4aab5b09144af8b4

C:\Windows\SysWOW64\QQgQ.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Windows\SysWOW64\gMQc.exe

MD5 ed99ca261acc5a5bb14bb34d4da4a515
SHA1 e5b94d8a0229d9539fe57c0352aba1c74a405381
SHA256 adfb057653c47030c8e1d72813ab754a1c705d2eccee2cc41fe14dea875a4158
SHA512 ec4ea0dca25088c1afcd2c742d8433d158d89c2b4c0e6c9d4f12356ff253a19e63d4956bc0a5f09edace742bd57cdeb6f58682aedf79111b5dffeab9379de701

C:\Windows\SysWOW64\CQoA.exe

MD5 124f03f00c24a506ea554d137801d323
SHA1 9b1563c3806e68f4eb7d67c0f7c42d175f1d6020
SHA256 5cb41d58e3fa98f58edd6c81393a0041664456a0fe8c89002a3a6cecc0ed7326
SHA512 95d627acc63776e2f693ac291e23fa39d997ba4e9ab64f8492f940b9269265d3c318cc9fdaed180246cb6dedfc9bba10e0628643dc84203a98f836227327b5ea

C:\Windows\SysWOW64\iIYW.exe

MD5 35b67450d21d7151faf82b5a26561e5b
SHA1 d42ea89d5d9bf3b1e683b8800652532d9ed7b1a9
SHA256 314fbf1221ee8c0845507e68ee3441e58c836fad0a9492eb16ae00f22ab6a7e2
SHA512 96ebcd4cce89fb57d79a4a4c5afeb3d3dd1f149fc652ca55444d2601370903e736d4e7f0d7c41729fb135bde03bee9dffabb6de4ed616402e20276633af50437

C:\Windows\SysWOW64\IwQu.exe

MD5 0f331d24d6715081e2970fdfee0abb7a
SHA1 20ce288a8b4846b01db6a38602e0af8095e24e09
SHA256 f3e4e80fdd45b8a8b262bd71feca7248dabc998e086669cb586a1ba0e60c43c8
SHA512 25d57c9dc01fb2dade0cb3d1b7b698033fe1933ed6de288c275bd9d927611a692a75481915c767695f818fa62622107c0ff7c1fb38106e3f06b35c9687fee167

C:\Windows\SysWOW64\qgYG.exe

MD5 245b5bf5dc80f644dc6345c6f28ffb11
SHA1 9f1681c2793b8f48a8abf3daf981400659dcb542
SHA256 89b3c23708bbc6f7af35ab70e60ca5cb3de7fa162cca1c973559f5fb899ad5b5
SHA512 ab128511b5c35a7357ada0f367f25729159c5d99118a2a1adb1014cc94e35281108d55af7bfd3bb27bbb104a20d809161b90bec25306bf30f380cfa17eb989bd

C:\Windows\SysWOW64\mcgG.exe

MD5 1125e55fcb533c036ef18723b622f2ae
SHA1 00fd5c4f5f58304d1257c537621bd1a068896634
SHA256 2f4f5877d82900f50c3efa310e83af3ac5c303e9e1e9f1c4c0793f95371032a9
SHA512 b249f330c2a848d900147541fa1c8b427ce7b7514593bb73f42876b8d6d44af567a98483ef18770ac7dd3906583a2b21689ab0b1e1365d317e40c6a40ee2ef4f

C:\Windows\SysWOW64\yoco.exe

MD5 2e5248d842e522ae3aef53e782dd1832
SHA1 228bec46a14a2bf81bb2680b7fecda5a43b7faae
SHA256 4cade649048bbc58b70aaecda144115d9f2bb64b1e21dd8f5e1cb980a869dd5c
SHA512 02d30eb5daa87a19ddc0b5631667b7111c2c13edb8724b15ac56220e085d80961b620d93b58ca03a20a318e1c099e4a4c464be3b21f2878dc679f2e335a4b953

C:\Windows\SysWOW64\UkEW.exe

MD5 a615d12fb58d124521483bf684e46f3d
SHA1 f4aa61f0e2b38a098c7e7db36405d478764f18e5
SHA256 bb0c3b005c956eafa3faff59b1a082c5540ba07ed412791be9a73075e6b70937
SHA512 ae883dcd1fee94dfb501d3788a5cd0b2bbd54b3eeeaad795aa24ad56ed769a6b672baf7163e4404a4939335823d360d7c1bf42431777605158542673ab552691

C:\Windows\SysWOW64\ksEY.exe

MD5 5a9f4cfd061fbab081f4e3f18f69b1e1
SHA1 5e5732b251997f2bd3d97e9bcc81f515203c6705
SHA256 29d566a03a171ee25a86b328f0d2f3f2cc28e5c52da0d83b8f8e828467a419fb
SHA512 00e54ed8bcd8e8a4e27194b7ecc479fb716e42153d79fe8d7a2955ca277cb12495fd4d8c6c3a7674f130624bfa627a8000922c01e9c4db0803c286246da4c544

C:\Windows\SysWOW64\asYW.exe

MD5 21c3628190bb0b668e69493548cdeebe
SHA1 1d5fa412f0c217de7b52ede1c7edf9aa44ded12b
SHA256 19a43ab92c56b00e9beadee477f46d83094d40f8fb938c3e3086d689272bee8b
SHA512 500eca6c7748fb5812cf80fba7fa3df459b5200e8fea9fdd9fd7576c8575e6ab673af61c60911dca7a7fea465f15ab2f306688082a6d7c5c6d7eae62bf3c3163

C:\Windows\SysWOW64\mYMS.exe

MD5 e48bc07d15fa29a032b49bdf292a75a7
SHA1 65ec44a8e39a50a73737bc5c87a8eb4f6ebba046
SHA256 35788afaa470c50117cd81521f12d1be730523697f5fbc757ed76bbf00d39eb1
SHA512 7fb5b82a055598a6082f68a9138e56a040281b7d648de187d71168bac7d38aa82c0477125d6669acf93536f306558db00b2b1bb6d171ff9335dbbc6e679700e2

C:\Windows\SysWOW64\qsgu.exe

MD5 9bb3f57565a234b501b53b7164874e38
SHA1 cfcc083c1290fea424bef9efa6d45367b98537b7
SHA256 28cc4fefe6910a1ce3b470d7a9551894abecf3dffcfdb2d841235a599eb078e8
SHA512 2e998a967d59f70861c49d6d0c648387a0c9943f46b9de6557fed06b6475611c56a0efa7d2c16ab2eb905ada6f5dd64a62ede952d0760044f6a67eccd0e8433f

C:\Windows\SysWOW64\IgEY.exe

MD5 9215dc85f95a4e8292559d1ddf1a5e55
SHA1 f96632bea0e1280425a79dffde43434191a33284
SHA256 65a3934016242fd01554cc5119a8380edf9be155905aef10ee4c2ad4b1062304
SHA512 783fde414bb06fd4c7a205657ea1dac54720f14c2adccee16a8ba22aff794ec2000a18fa95a6ddd94d4390bde3f24744eb7fca030e6a6c68fd8ef5979996212e

C:\Windows\SysWOW64\sQEo.exe

MD5 4a82ffce1d88aea58c105e1e0f6652c9
SHA1 9fec34ab257735d71b6767d9c4b7a1950444e4f7
SHA256 3f507ff2ecfefb98b2641a3b694b29133fe80ed70871511029a1a5f7b4f6410d
SHA512 808a39bacc19c167504acaa5e9ca0d49a9cd857e0a86a1f3729c427b1176ff8522aa6dfa0b1c09020eeeaecae875cf2b1e9036177a581f796c9425b56702c61c

C:\Windows\SysWOW64\WEom.exe

MD5 c730534e92809ccba7abd829a6fe37a5
SHA1 b674b4dda957b95f9e9320021151c42b3dd6597e
SHA256 70877d6e76a7eed92fc994cde366ec7640f7957994c5228f81949e4722b37e80
SHA512 1bfe2970bfdadfaa34479439e8e61a9d6704fc5116c869997f3e924b9ce3a63229d4ab35ef40ba28d2a22c31dd359a635097e06158c821d948e5ad645355e157

C:\Windows\SysWOW64\coEU.exe

MD5 8c4da847494f986703b01d9997dccf06
SHA1 8724eb315b5acf29f0451960b06fd14720a0da19
SHA256 5b91da5e78c3f14e6516f255550fc36638e4991c1019de0e5c28c99ab5533d0b
SHA512 bec022809e8fe21fb734867ea7eada4ea84da6d956495bd3c356250824b1c6a1d092dcb248e902e501164fb072280b560126295cf3ec25ff615697712c5d8c83

C:\Windows\SysWOW64\skYS.exe

MD5 b8d0022f38da039a917f9d0f5a7ab4bc
SHA1 f73da0b8e2a34488786d1a30fa5c51475ce13998
SHA256 c274ce86aa84c42c1fbb38059ca292132131391f4c86ff487ed2ca3eb7abd20f
SHA512 7fa1400f32741f76cd1a63bb78dac2fad223814ad04f521f6a542fd28b25c0496a75f6be79d0753ddcc825e82b70b7d9fe9bef956951b4e898a281823de218bc

C:\Windows\SysWOW64\oscm.exe

MD5 6c62744f1d1ca1af750d9cce3172ecec
SHA1 d12c1fc47151092e88eb764a02fed9b9fcb2a225
SHA256 116a9c295824c8bcbfeb1fbe1c25565af546c51536a7c3fef09ee571874e7348
SHA512 069922bbc0a1d7ecd548bab3f51cbc030aada5e49dc17fdce016b60a9c520e9d2cfa19f30414f0a5c0300e4ee3a15c93743bcb0210113481d753fab58ab577d1

C:\Windows\SysWOW64\EwYm.exe

MD5 fcabbc4815979d49f4c1f35d8f625875
SHA1 e7c2cb50b9e01c012e9310fc19e4053f9ba86fa1
SHA256 03d5e0f3d5fdfa775ef064ad4c6e5e8c0161ff337a831124a36456d2c486b55d
SHA512 8ed8c8807bf08b08f0c78fce209922c1e961fa211e2db22259670614b1c08d56b82b6e24e485112068a0aa7a3a7128ac9e8ef89152b100cfca873230bf75f771

C:\Windows\SysWOW64\cgQa.exe

MD5 049023cc7147fb89ab6bb25066dcaad5
SHA1 fd48b8ac127089ae84a2de8fe2d3576c75e57a3c
SHA256 3231f3e1817e663e78b388f1408d74fa23d5f3b361ff1ff20e3df0f75866fae1
SHA512 6d4f7a61dedf5630a2d321c2523a3fe6e66f79bbb92c19e398ce3b85149deae51ba6c3e3dd2a4f5af96a3e6487a6bfce37807416f84b209a774748931f24ce8c

C:\Windows\SysWOW64\gkMG.exe

MD5 514114f5426033e823f8a4ee7459523f
SHA1 b4422b0fa101a839106d8a370d6b277cc0a00fdc
SHA256 626f5f16dea7ccfa92f73ed78d342c921e4e72f181d0df10737c7582d7adbd6f
SHA512 d54a5aeff3058971b38deeeece544c5f83321ed7900023ded476ef77b92248c9f4a875a414768f5df49e9f661bf960f352e5c033bf1cba14725f2fae8bd02c18

C:\Windows\SysWOW64\QsIs.exe

MD5 765022b0f6479756312dae69164ec5ef
SHA1 1a67e3db4d1dbf569c6fe549138f966e47fdbaa2
SHA256 2560ade81c9c7d6dda6a1505a5a8a09402d6882be7847bc6343e0bee26e31e58
SHA512 e5d5d95a9f9c710193f12a931ef4cb8a3459ffd64b24011350cd90026056b662cf5ee91052074e6af3884035c7da4feab3a54e5c8ed87f088478f9eb8718ecbb

C:\Windows\SysWOW64\cMUy.exe

MD5 601ea93d46583898fb1be2c26c1f7dcb
SHA1 57d36c38c8bb30a76e26f41dee57334d5b83fa8a
SHA256 f3c86d0520fcc11e62467ca4d7a5a0d1ccc355976a4848a3c030c5a94705d111
SHA512 af78b44eb32b8b243ba7e785f8b6b96c85335f2b3e70d3095184d7f56874f9e7821bd9839d14babec360f9a2ab426a6830eb111de33b1c10048cae635a0d866c

C:\Windows\SysWOW64\YQww.exe

MD5 55eb54b32cf7b414ec62f824553b21ed
SHA1 1bd8977e32bf27d703043d23507297d7723afbb7
SHA256 9d9c7514130fe645152c365bd186c5f7c8c063f0596a0b564c0fb08cfcce4eb6
SHA512 065a8cbead66f2f746f81736f9cdba7c12382c4ae6d03b1e67b4d6bdaf5d4ad1b751afcdcf02561c012dcf824400d56c09192090c3c9eccc8da0796979482135

C:\Windows\SysWOW64\GEcw.exe

MD5 eafe1a175306159f775d4ab9a5461b81
SHA1 03dc89f71e32c360123108269978a2883613ab58
SHA256 29ef1fa885fa46e7c341859eac641da69d8bedde6e0b1b807456e1d9fe6c33cd
SHA512 4251641aec86e4d322a8340af213ea28aba02f3746b3e012802019c4bcb14f0722831f79b51feebd5499743fda4e1717cf62a227f64ef626d474a64ad0c859bd

C:\Windows\SysWOW64\qAQu.exe

MD5 0d0b5a7fb02ead58f104f16125fadbf6
SHA1 09e9d542130fbdd50008d1447b308cda18083b07
SHA256 7e118241b3fe8cba82e9ecc131b225dcfc8f191eb4738935e37e43b67aabc53d
SHA512 4934d5697a13aa5a23ff99f713e426feace3458db70e0d4e5a7f26cf8765174be3feae64b84683062a046b67e147f39547ed43d656c9843bead233a39bbe8fbc

C:\Windows\SysWOW64\ukka.exe

MD5 3fe80aab718032ee296ca787b9a73c82
SHA1 7e9b883d3f4b4a8f95b91d249737ea3399018a55
SHA256 008abf741387e52ba9f76072588da0f701d90cc12d2faee3bc044efa795fbc99
SHA512 bc52062ded1a85a540a9361dfb68cdb3668d1e654815874878a34dcdfedf12490c2154f693f5cdb8593d16cce3318c80dcabde45e0d2c6868457922dc1fae65b

C:\Windows\SysWOW64\yoUg.exe

MD5 c07deb8a7b9d55ecece6fa70a4794b1f
SHA1 03d9b4bf69f16e38c2eabddfa9fc1385cd4d5723
SHA256 b15691e7dad7c85e0b53a6700f0073b739ed97f66ac8ef959203b189e04ba15b
SHA512 ed64aca521563645697af6095b13e798bdf9c6aae5a668626ad250f5bb8e26bb5333936968520da21534fcaba7126f6edc5165444b595c1817cfcb5ef022ca1d

C:\Windows\SysWOW64\kscU.exe

MD5 ea4b15d4944dd903176cd1ebd30db0fc
SHA1 edcbe5c1fa667f8dce6ce3b6030bfcd02d9a0762
SHA256 fe6b80b80c1edba4b007257fef41f98a5485d9e3a4cf1b589d711bfd2c219975
SHA512 474b114b28758ad124c5f61ef8bc8bcec8338ff37fcf2d5f6041cb9407977b18fdb33d787b23da69915282d5fbe8211e29099f4e039a3bc8aab17392b0c3d4e5

C:\Windows\SysWOW64\kIwe.exe

MD5 ff849726eb3e99bfccb9cad1cea39882
SHA1 76b556e5afcdae231012bf8156ee44034b736929
SHA256 33e3ede82358f44c33bead23e553e19f001a1add8cf19e4cf83c6fd7305cf6d7
SHA512 c36067b33e15fe40859604d5a641df7548397ebbafde5e600de9369490ce8e66d75f110526efae57eef0d13b8d753fa861f87c6c416ea7cfd5f664a5a16d190b

C:\Windows\SysWOW64\UUga.exe

MD5 56c3fd59b15ade5cc54a525a4dc71b70
SHA1 1f42fe4382d9a6a1870f39b4cc1e297c42cb4614
SHA256 ffffa2725e09b74fa10b8d5aa37c3c2b60a41681e05f802e3085e86b0cf0e1ae
SHA512 1f044bd1afc8fe2176bc47e8ce3a9aab12143585e9da86e383b25807485bd418668b7f29fc42080a1de59bbf211af3aaa668b0e10d9301c660fa4ff7fbf475f6

C:\Windows\SysWOW64\gUIK.exe

MD5 22f8d2b0300fac22f38b8cc1b447e7ef
SHA1 b1c5f5ab6465e3b45d990dc46495f2d7434505ce
SHA256 e7d06145de48ffe4d634db92c3556417043e555eefc551914936bbf7cb3c65a3
SHA512 6685ae77362ad0689732075af4ab44fc21948341e39dfc3df8c54c07b14f33b69040f2ff663e5e4e94b32100a9da49837ebd10a75bc21af80869bb8f44fc1253

C:\Windows\SysWOW64\mgca.exe

MD5 d4278f2556810ff0aac945f98fec357f
SHA1 75f6379b614d79359e724e940b8be0d9974d6e83
SHA256 ffbb1866e47fc072458cd6b1232021e3dc4e3daf0fac884846073cd572cafd48
SHA512 8c3fabf47e94a60cba74afb44518283d777a733bece10029bfd888408fccf5898cf90107dde327b70a0be9d9f4a2fbe208e1b2a7ffad5557c53f315031883702

C:\Windows\SysWOW64\yUkc.exe

MD5 3b5aa19ad8a3e439ec617ae7cb7e7baa
SHA1 769a9296fef00835d3f494d42053390b24499360
SHA256 4b36c83dc16859d7d1a6b89d39e6aa4e5a89af87305e5984e1389d888039c813
SHA512 2e487ebd3ffa264ebfcb2151bece50a5208efcca910b9de7060b900d02eb188b778b3c45421a1a2372d045209715d165a7f9555c61a6b167df9c4efcac3a9c52

C:\Windows\SysWOW64\oYwY.exe

MD5 1d2024c9cf3fd604eb157540e96f3330
SHA1 82372e3bb0007dcf5e88296a81de1d3d255e9915
SHA256 c97db39cc8ea6946276ea9c995db3a7673bbc24c479d191939d7333c9949a884
SHA512 46ce88ad78ac7a42836214839ab1642fd643d13bd82cdbc6940d6c9a2039790e26cb4ef8f60b0bf053b860c04b245240d0a4de18394492292aae5d7c96c12c44

memory/3924-899-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Windows\SysWOW64\qEsy.exe

MD5 41aac84f483a7426e8047521062d1de3
SHA1 0e8be7956a2547c968e16daa670568b1d23cb82c
SHA256 87c43851b5e536e36660fdb5b7d47dd789505f7f5e84a353ae4e91904462e118
SHA512 18f0e3db28c55aa852240c02f7e71a90b26b85bb0e52de784775ac948689c190bbb00eeebba5c7f0106c5de737f4e3f8ea0b3f4ddfd75798c14b6791476ea615

C:\Windows\SysWOW64\WUoC.exe

MD5 7a8b50eb8dcd9e95009c134dc144410a
SHA1 9129abe4da4935c98491fa76c3c0488ad5679bdf
SHA256 658fa2e2d317c6cd7f2f0110e5af1c3c828289684cedfa3707cf7da4ef5efb51
SHA512 bdf11771f8fe65f20bb304586a81d1b524457177f09dbaa6bd4b6a17807d06fddbd579d8f46da8c84e35819f8d8a8708c7377e4f1ddf32261ac87ca1189119bb

C:\Windows\SysWOW64\qkUY.exe

MD5 a5c6bc1ce460b8d68f0972fecce92e35
SHA1 491784b2d735f274672848e48c192e876a662609
SHA256 fa8acb88475a751d420771ffe4ee8c4fe3118e0959598cb8cd381fcc2fd12fb5
SHA512 5484d60aa02d42f17f8411f41d1d1e53a56681e336a7c9d8c8e6d9978602f13958302978d1da03ae4e544d09da410ed5b4b07f4577c7e31a031122b3f5bea2fb

C:\Windows\SysWOW64\qMUo.exe

MD5 86b0d6f04c3a00aa558b2f6c73601e87
SHA1 ea99372b2505a229a663e2ae40702156f958c713
SHA256 271d265e9e3815fa5ddf19f3ed1aafaedd8e632deec502c9f48d343ab930d5b6
SHA512 36853c29e73f10ec528291d1816ba5b430571068c2fa8d989c0bcb70d7c2d5c5dcff26be54e77e3682935c321e7db38ad3daef22717d721625ad1a2794e2fdd3

C:\Windows\SysWOW64\Mowo.exe

MD5 4c413c831a08525906fc3926d9419fc9
SHA1 8d011a50906be87267921b99dc444712b0148910
SHA256 f96b6c9e221bd1166f8ee9f44cadc212f91f4f84d686eb3e321970c6023c7e3e
SHA512 856b1654c2da16d28776d0dc1421fba4c7ec8920324779e5b506d0c0f247b013a7487dda8de075ecbe2d522b3a81186d5f72de58db42f94eb74e5078997d3221

C:\Windows\SysWOW64\IgAW.exe

MD5 ac8df4980a761b13521203ce474dd3f8
SHA1 f269327d38a0d59016c1b36419d7f35e71963855
SHA256 1b24c575964b3cd393f4784ddd13536ff7cf32c308385f70698e61421c38876f
SHA512 90ac8a5a0f554032e2c6777a337cc318e8b80ba16cd79fbf030db7e8d384422070fc49aa226e819d58053f6293f60aff614c56f1a801d68e36254f62d2e16abc

C:\Windows\SysWOW64\asIa.exe

MD5 9cb5bf2f95b454d98255c747473f552e
SHA1 f6bc740077efa439714c7654f52774563ffd0cc6
SHA256 d7289209f6842d7b09ee9afad77f70dfbfdc45fce9f74426bce6a2041ca0e0d8
SHA512 63c46a07e3e07c96a40d1cf38a3bc01555bed19c3a8ecfa5fb27a367bfd7c14e0693f473e31a9c0207ecf7c3b4b13b2c387d787bb3614dd0fc966c78fce69b58


Analysis: behavioral2

Detonation Overview

Submitted

2025-05-15 09:06

Reported

2025-05-15 09:09

Platform

win11-20250502-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (56) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\dqQMQUUc.exe = "C:\\Users\\Admin\\BokIcAUI\\dqQMQUUc.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tWYMwwQw.exe = "C:\\ProgramData\\BUkAkoEw\\tWYMwwQw.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\dqQMQUUc.exe = "C:\\Users\\Admin\\BokIcAUI\\dqQMQUUc.exe" C:\Users\Admin\BokIcAUI\dqQMQUUc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tWYMwwQw.exe = "C:\\ProgramData\\BUkAkoEw\\tWYMwwQw.exe" C:\ProgramData\BUkAkoEw\tWYMwwQw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tWYMwwQw.exe = "C:\\ProgramData\\BUkAkoEw\\tWYMwwQw.exe" C:\ProgramData\seokUMsk\rgUYIoIw.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sheWatchLock.xlsx C:\ProgramData\BUkAkoEw\tWYMwwQw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\BokIcAUI C:\ProgramData\seokUMsk\rgUYIoIw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\BokIcAUI\dqQMQUUc C:\ProgramData\seokUMsk\rgUYIoIw.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\BUkAkoEw\tWYMwwQw.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSwitchExpand.docx C:\ProgramData\BUkAkoEw\tWYMwwQw.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUnlockRegister.zip C:\ProgramData\BUkAkoEw\tWYMwwQw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\BUkAkoEw\tWYMwwQw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3848 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Users\Admin\BokIcAUI\dqQMQUUc.exe
PID 3848 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\ProgramData\BUkAkoEw\tWYMwwQw.exe
PID 688 wrote to memory of 5488 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\BokIcAUI\dqQMQUUc.exe
PID 3656 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\ProgramData\BUkAkoEw\tWYMwwQw.exe
PID 3848 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 3848 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3848 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3848 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 5292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 5292 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 5292 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 5292 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 5292 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 5292 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5092 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 4964 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
PID 4964 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4964 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4964 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\reg.exe
PID 4964 wrote to memory of 6004 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe"

C:\Users\Admin\BokIcAUI\dqQMQUUc.exe

"C:\Users\Admin\BokIcAUI\dqQMQUUc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\BokIcAUI\dqQMQUUc.exe

C:\ProgramData\BUkAkoEw\tWYMwwQw.exe

"C:\ProgramData\BUkAkoEw\tWYMwwQw.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\BUkAkoEw\tWYMwwQw.exe

C:\ProgramData\seokUMsk\rgUYIoIw.exe

C:\ProgramData\seokUMsk\rgUYIoIw.exe

C:\Users\Admin\BokIcAUI\dqQMQUUc.exe

C:\Users\Admin\BokIcAUI\dqQMQUUc.exe

C:\ProgramData\BUkAkoEw\tWYMwwQw.exe

C:\ProgramData\BUkAkoEw\tWYMwwQw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSgwsIkU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKUkkcUo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSAEcIco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMcksEwg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwwMUQgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BusIAQcY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEwAwYow.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOMkMoIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyMEswwE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMkcMcAA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqswgMEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMQswcUE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAogUsEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkkUggkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCcUQEIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaEgwUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EacksUIU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUkskkAs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMUMwgkU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoskgksE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgkAkUsE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awMMUkcs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igAggAgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASowkoMA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWAkogco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsQUoMYE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqwsoAYc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wioIgkgU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIMUEMAo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oakgQswY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEUEAQgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEYsssAc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGgQAMcc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEAoUggk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEQMsMgg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuYwAokU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKcQQYcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgEkMcco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIwUgQMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkMwAwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSsUQoEU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmsswkMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqoUockc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quIIEoMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOssEYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIcYoQQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zswUoUEw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQcsMQQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsYMYgkk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGowYkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\guAEosYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekoIcsEw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKQQUosw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqIUgAwE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nesUYgAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGwkkcgU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PocggkMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYYkQwco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiAgccEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiooUkoc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KewQEgAE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSsUwcEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REAIIIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAYoMcwY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vccowIgs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iecIsEQg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAgkMMsA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGokMkwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMIwMskA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEUkAsIA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwkMAkwY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcgQUEUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOIosUAs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYQUoUIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkoUoswQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSEogMIc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fakgkEsM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkEgooUw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKEEwQAY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSkoIYAA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smsIUIQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMwgkYkY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqskwAUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp

Files


C:\Users\Admin\AppData\Local\Temp\Iggw.exe

MD5 74da53d2d58fdd60a13b27f784262787
SHA1 9dca8a5c46d0d64478f8f11ff1b646acb07a7f33
SHA256 b6773e3b2be5357d857ea3cdaa8701ea6fd891c583aa510033df856c207ef00f
SHA512 c2e8cae7170d7b93f203b41ead51dd71cb899bb751d5b3d452fee860e0b57c27df0f3693c16c57c1ae87c4a239750d9a5a331ecaab0649bff6e7a1b22c7a0973

C:\Users\Admin\AppData\Local\Temp\gkQk.exe

MD5 4ca811278fd9665379c155dc3b29fd82
SHA1 56d45bafba55b22fb079b4c2ed42dc8fe7162529
SHA256 d3b7e178bce574d1e6368b31e3dd4573b6c10ded5b38c166c625ef7bddbc8692
SHA512 837bc34457554126b24c7b6d0a6a5717c6559250f80fc3f8737f79eb557b112489a0c3c7e03b87af382d61353ec7f0a3d0e0fab4930b9a700501834aa9f43a59

C:\Users\Admin\AppData\Local\Temp\UoUc.exe

MD5 aa0b1d037743bb15c658262f270f1dd7
SHA1 289e95d01fdd6168b1927f670b15869c9e9ae287
SHA256 3e944c024f4114add6220de2c0384d2cc0e66378a55a20419b96d26930e50e30
SHA512 22adde2253b93498b5df21f8bac9d7e41cc8d3a1033a266ce7f0a7434c2c97120d646a0f7a5fef177138e6127e6866e56854186386a69014e5825d8f4a7b4fbd

C:\Users\Admin\AppData\Local\Temp\sogU.exe

MD5 f759182f9d308e1f89de6a8d29ccf82b
SHA1 88998a3f3d2481787084f2da85229456abfa0db2
SHA256 db84f7633a3b1d13b3ec6d9c1e49adbec68ab4ea9b919424eb6e7f73c961153d
SHA512 3d4521f6387ec38c79d1897c926840ea1ab3a8d4cc3c510c1d64855e206c89db3c502f292ec37b1a74c4f3ff14acbca812703dfa4cfadbcac6de793f4c91aef6

C:\Users\Admin\AppData\Local\Temp\SksU.exe

MD5 00bd27af653883e937bdd0ffeed4f39d
SHA1 5e2c3420ebf4e4a7722de1f448738c22f1f6aa0c
SHA256 bba18886e6a65a8ce9b95a40c0d4b04029ad3a616628943abb5554afd74c7906
SHA512 15a4ed358bc98d350b8b03c1fde8d2b1ff86886c3d0cec38a11d495ac17b4e954a2cb86f6596bea3f72a03a3110ceb68522b5541a51fcb8f542d61da3d50895b

C:\Users\Admin\AppData\Local\Temp\OIgi.exe

MD5 562edfcf4af02246e8f7b95729127104
SHA1 2b04ef16b78a4d4460eabcf48cb1521322da33be
SHA256 4a11aa579509fb4566294740f5c692bec516ac1250bce8bb5265e533133ca855
SHA512 9f8862709c528485bbee92d1caa7fdf991112494feebf96ca5f24821eab850862dcbd67bc6d65b98112d5258b98790b26cd2725b441be4a6ccc384e8967cf8d3

C:\Users\Admin\AppData\Local\Temp\qAMc.exe

MD5 0bd3a38ed90ecb9139d49e26203aa35d
SHA1 0a4debfbc90ec01ab47d77bfeb668412a091aa88
SHA256 405b424314286e30d40c8f2c7fd23b78a41206fa53ee1d1470dfea072584cc58
SHA512 75dd84813201cddada5d9054b0aeb41c1cb608d3b7ce1d5bb4f04dfe43bf1eeabf39aea97b78747c528ad3b395971ca5da7c85ac2aa3ebc6d04d02677e7a3d99

C:\Users\Admin\AppData\Local\Temp\cEUo.exe

MD5 d8a12e184b1eb18581667b99519eaa8b
SHA1 5c09e5c29767fc0f818e97875c9818d57d601d01
SHA256 222a85f57a4731cb11a4a67d68e05b9e12f4c7ebc6461cdb6f834033ae0b4b59
SHA512 4688490bb5db9112d703d9987b48fa8565567d91e265e3dc78370fd138aa851ccf481c1097af4070e60639f60870c7297510d337ca513920bce352e907f06e0c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 68a4428713a06dec7b233fe182977151
SHA1 06807417613aa0a2b230a778bbd1399f3a32aff7
SHA256 2766c1419432c611616533b23071397108e56af1bdf7d0eb46404edad4cb4384
SHA512 2e1796240faa27dc8ef770fbda7ae9caa1a7653f9c201538752d0f3699d8320998f07cc7b415289a82d0bbae3fccd1c459d0bc8e34cef355b64f9abc23863b47

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 df58047715a2dd042b4ce260b9f9b8b7
SHA1 47dbe6725e4482a9b4e66e11bdcd4405a86cf45f
SHA256 4a3e7895fc545507f27dfaef746b970805458ebc4a2874b3fc2ed3ee642c6c2d
SHA512 c71801eee99f3ab80430e7329f6038ca916b4a5a9f8b0558e9f8b7f743f4500d3d13b1a7651f23370594f258c2bc2064682d8932819bddf94f13e383181df28b

C:\Users\Admin\AppData\Local\Temp\uEMO.exe

MD5 7121f4bf48309cf4d31eacd6251ee8af
SHA1 3089840c26dc9c25b470bf12ed232d70ab716b35
SHA256 b4290a0a2632ce2714e4a6ab0870e550af8c1a25f8eb28fe3d6c8c4b3f982958
SHA512 12e39f43832430db553bc4674a3de76c4d2f138eae8267b0f5b391f1ceab4092c1403e5b73180e0a57c25c86ee29b95d19458b403c42f5922a2c9e9a9d4e19de

C:\Users\Admin\AppData\Local\Temp\MQkW.exe

MD5 0c9e1098a7b2009de7e30bd0bc296e88
SHA1 386f8c83b1ca85052e11974850a6d0fc5a91c713
SHA256 4267405bf6e634cbe87707d8434f7becdfe09c16466500aa06b906ed16326acf
SHA512 30e10845a1563114d66997be8ea685f584c5bb548cddc0772465f4021a14b3d6e9ef16b4f1929da58a0d62c01504202dcb3499942f249a4576e12efae2285df4

C:\Users\Admin\AppData\Local\Temp\qwQW.exe

MD5 0d74441f83d7ccfe4f9f1b7d1cdc772e
SHA1 063f13faa067af059a50a5a51724f51a29cd106b
SHA256 420dbacf69185d07c01cdc5bbb5314941387e2b110c8043baf80fcdae75eb6b1
SHA512 a0c6b679da8eb5d9a385bdf7e3775a506c59e8dba9d528d3168c5fe832f1227db11de1c591a3bca9983240397ad761da7dbc6899b7507c3319ff2fa87cab70d3

memory/2820-1102-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GUoe.exe

MD5 8b868b04d5a87bcdd5c56494a117231c
SHA1 dcf3326a3598ecd279ad9533f9c0901350eb3f6e
SHA256 53a71e20a6c430033ebba7fd07b6e0df9bfba1e94443496fc46269554ce374ca
SHA512 037b531210102ee34f476bb35f4d5cec82fe599414c219fe9b0790ff54293f4dc4b9d880e88a7ee5bc49e63a370402157501352fc2c835ebf4c0bffe601c1437

C:\Users\Admin\AppData\Local\Temp\yEEw.exe

MD5 c76e2c1f68f69b4e650f5f849592c841
SHA1 0d7ee8aa9e06561228b2332451d11d260ec0f26f
SHA256 784ace69285cbac3571bc6d974d2478f98fba28a8a1c154337cbdf159798b43b
SHA512 9def9c86fae07debe903a5f8376af46986ef0683614e7d3d6f8700c464134ad56d0d4311f710359d4fedeb3f5ed2ce81cfa8bd35ac7b2f13ad3424be7c85b3e9

C:\Users\Admin\AppData\Local\Temp\KIIi.exe

MD5 bbb97ff7fa622a1e0217379c9f1e4451
SHA1 f43cf72ed2d0bb2d76c52b5dc3b1c19321799d3e
SHA256 708c2bc9803588a67d137eaed41f3e42d11a4e5bb5a628666ae9d470abded34c
SHA512 52f30e464c950e8f1f95cedafe9def8b98445b418ce664dde2d5aeca4a90c36ad27d3eed11a2b332bb7ec8bbe100438b5f0bdcd21b9c6fd8e533cb8b939d1346

C:\Users\Admin\AppData\Local\Temp\mMMI.exe

MD5 dea49d6a750bffa63f9613d56a583a64
SHA1 d8b735754d67d89bd8213b5f2798eec9772e287c
SHA256 ecdb71c9b135b0a1d2a7829b07e66ccc2e04356841227fa37c46f543785fae37
SHA512 2656cca01ccb133abca8f4202cab9bcd12020cccc3a1d34ea0712b8564eb7fdccbfe5af25368e941f18f8eaf82cd8dd8ff7c908d4bc58cdb9fa1dd47406cfc21

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 a6e98037cacffb411823764d6899cdb0
SHA1 3324b639f3133c97938541ec1f8be5b7a4b438f2
SHA256 88a6f69fe4b5a1899c42aa2e76e93ebee5c020d205fc3dfabe886e33feb8d651
SHA512 b330dc462d0422a4dc42ecb8327d89a752bb22cafaab44f7a2e06146324e8af41fa2aeaf4792270c3db49148471ab56662dee4d59fe0d5c8a9fccff2fd64afd8

C:\Users\Admin\AppData\Local\Temp\kQsE.exe

MD5 9ce116ff24f1183df63a1003d93c4797
SHA1 f7bbace850d4856b105bcae6bb96874507177a70
SHA256 31055e9b83ba581d4e9997488d961d0307b6f4448ee61096d868160e57a92108
SHA512 7f8118b3f08c6d12545eb7a0a8348e350f0a7c1568784edf71a50daa69455ca5725667a86965b9d1f84bd89e71ab3141eb66707ad027a4f6674457aad56e25f3

C:\Users\Admin\AppData\Local\Temp\kIQu.exe

MD5 f72e53555e80b6ed732500c62dd086ba
SHA1 9a9fc3683c0f5a68c29aa82032520d42cca4c765
SHA256 49e599b3090533e349964b4cf1d9ceb64272d3f3926950d8a1c80d024a3385ac
SHA512 5800911b381362f11e57e085715f883639e958f66b47b229559bb9cf62890f4389d4bfe880df225206e5186ca035f7f94a14311664ca6d567caee9cf9fde613c

C:\Users\Admin\AppData\Local\Temp\OMAy.exe

MD5 a34888d8dad00e288da108caab53e763
SHA1 11407ed953907c4b766d9d296797cdbab51f938c
SHA256 4732cdd316f13bc4ed7af4e1c39a8f2ae918d902d9fdca3ee75e004a4f1c783a
SHA512 663ef4bdb5f9ed5a700ff8fc9bbbf43028eadd4ed2254adec400de0741ef02b6b2601752a90abb3c9850ef6c4fe3e0b17640dc82eae3445e3859817847d419d6

C:\Users\Admin\AppData\Local\Temp\CEgE.exe

MD5 b2906ba94ddcb0f7b9e48b63075b6865
SHA1 f0db76ead0f15605250d9c1e47177b086770eb4a
SHA256 121831af9b5d61e3d2b9d65fea65496a9eb7a943cf232fc336840e6a843b94cb
SHA512 e3915378b6adcda0ad2b89b1cf8e73e1993cb46b8ea97f4cfd86fd7196d055d29365e930a2a77f4bad691ec316717e525592157be7c3694cd4c0f9bf28787254

C:\Users\Admin\AppData\Local\Temp\skAS.exe

MD5 a5bd09d9b10f9d312a975cf44504f758
SHA1 bae3bc193cc3107f56e167b0c59c533d4b117d78
SHA256 9beeb3586f29fb663eb90e823dfe6199565d06cc9da8830707a5e34fa9bc1e96
SHA512 5bc2078fe3b9256af8889704f4e23858d3780de8ac3175a2495e0005e8eaf06e0e6bfc726bd4bc1644a29edae5d38dff65e52f0329715910ec137a1e6070e35f

C:\Users\Admin\AppData\Local\Temp\QUMo.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\Ikow.exe

MD5 ad01a32f50f51349a3fe23deadb5c232
SHA1 09e716b13bf4a32a77faa9b5ebe0ed200436ecae
SHA256 10fada8c871e651451b28a2d39ceb7f1ed38d03eba9399c442c7c84de8fc91b8
SHA512 f6b68c97a3cc9ca1e6a007e6ec1d0ead44b7fd9437c05f4f35ce3f2b30ab842c982ad7c0b0c2af513dc416663211d6d98181740311c845539f5bf414a50c8f9f

C:\Users\Admin\AppData\Local\Temp\CkQc.exe

MD5 492c2685418fd96c9b473f44b8abaf1e
SHA1 57a1677b0fb63c0060e4d93eec503d1662268244
SHA256 30dae39552a21b9f528c56aaa12653e20557080ce1602fcdd78aafb8f28739d1
SHA512 b241448d559bb60bd9ab559cc7f4245319f67b1eda177698e702f16532bc4ed86e3d7c80111b07fcefe0ef434943b9b0bea4b0905fcca93951c1be6128656eb7

C:\Users\Admin\AppData\Local\Temp\KMcE.exe

MD5 64e6ac0d2160c30b1c9b1141fc4c318f
SHA1 f177f57d81c6c86e2fb1f129603928aaad7fca3f
SHA256 e4202c152231e9c7cbd95b1605bed55769f18a9f741cec565756e50214246fe6
SHA512 39178c75e306512c90397046f2801a4f0633d9c42aa5a3eef5e3f6ab743d107154690a05d283d2768f6948303531ff6244d6f6168abdaa2ae54d93e2ae3ee56f

C:\Users\Admin\AppData\Local\Temp\kUEs.exe

MD5 1f4b21d1214b6fd87656739266b7a6cf
SHA1 a1ed0323ac86669a5447311e8746de8bec004b3a
SHA256 ea58132aae2be66ffd06e3c4a8b661ffd4ee2a19f7c5965c42472c6a054d5621
SHA512 47c1078969ffe70912e01742be753fdb7fcf52aca1e6c3a90d46774fb9939757e0a095d5f5d470e24203a20a3b48194b28edf7fa1ab5f4a9c721ef1180285bb4