Analysis Overview
SHA256
0c45532f97a92d269cd4abb03f3a495c63fc794001c21c93100770e861d1ee35
Threat Level: Known bad
The file JaffaCakes118_0475de00c9bce316241130435645babf was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (88) files with added filename extension
Renames multiple (82) files with added filename extension
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-15 08:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-15 08:27
Reported
2025-05-15 08:29
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (82) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\ProgramData\QeIYcUIk\aCMwYUYU.exe | N/A |
| N/A | N/A | C:\ProgramData\QeIYcUIk\aCMwYUYU.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aCMwYUYU.exe = "C:\\ProgramData\\QeIYcUIk\\aCMwYUYU.exe" | C:\ProgramData\QeIYcUIk\aCMwYUYU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paQUQwAI.exe = "C:\\Users\\Admin\\fOMIMkgM\\paQUQwAI.exe" | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aCMwYUYU.exe = "C:\\ProgramData\\QeIYcUIk\\aCMwYUYU.exe" | C:\ProgramData\QeIYcUIk\aCMwYUYU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paQUQwAI.exe = "C:\\Users\\Admin\\fOMIMkgM\\paQUQwAI.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aCMwYUYU.exe = "C:\\ProgramData\\QeIYcUIk\\aCMwYUYU.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paQUQwAI.exe = "C:\\Users\\Admin\\fOMIMkgM\\paQUQwAI.exe" | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\QeIYcUIk\aCMwYUYU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
| N/A | N/A | C:\Users\Admin\fOMIMkgM\paQUQwAI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe"
C:\Users\Admin\fOMIMkgM\paQUQwAI.exe
"C:\Users\Admin\fOMIMkgM\paQUQwAI.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\fOMIMkgM\paQUQwAI.exe
C:\ProgramData\QeIYcUIk\aCMwYUYU.exe
"C:\ProgramData\QeIYcUIk\aCMwYUYU.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\QeIYcUIk\aCMwYUYU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIsMowkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\ProgramData\QeIYcUIk\aCMwYUYU.exe
C:\ProgramData\QeIYcUIk\aCMwYUYU.exe
C:\Users\Admin\fOMIMkgM\paQUQwAI.exe
C:\Users\Admin\fOMIMkgM\paQUQwAI.exe
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IagUQsgA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGIwAMcw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIckcQIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiooIEMg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUAwUoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYgIoAEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOoAsIkk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyUYYosk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioYckwwY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmIEAswE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUEgYIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYAgMsEA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiYwQMcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HascUQQg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYcwoMsg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmQUwAEM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAQAUEwo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqwskAIk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoYoQYok.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkokkoIE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCAMcgUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
Files
| SHA1 | 8aab20280fb4af68707918953f414deb8c747bf1 |
| SHA256 | ea56a6c2847dbfe5f34b6482502102f8f336dd2fe27eb724320b65b50ea10348 |
| SHA512 | d30557e63d2ce85652d950309041bc316e4be4255d2ed1b41d1402f0937ce9ef0b25356c9bf8abe238511e2345187b6c1ee921a410027913a594cfb69fe42225 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe
| MD5 | 035d0c2d82aa6de6ae4e58f85d8d8be4 |
| SHA1 | 912c4fb6fc86b9710b0162431e9c5e9c366bcd18 |
| SHA256 | c032724ab9acaea5fb4813213666d9783954510776a6ebcfe2069089067ed126 |
| SHA512 | d3eb901bb2817aae0777511bf2d0e54232576b1e448f754d5827acdd63b29f7ab94da2a64e318f3c7a11ab2306ff8a272c25597e9f74115fd73cc776ef5c20bf |
C:\Users\Admin\AppData\Local\Temp\eEss.exe
| MD5 | acd4541e21c0444d61dc1b250463c207 |
| SHA1 | c0030550be019fdc826912a396ec4276933ac1bd |
| SHA256 | 2ef65b07d7c83ae789f7917edc712e2ba0f49c9acff211143e875b6075cbb2d4 |
| SHA512 | 39f0f39708e40dfe1dda19ca3d0328ff58dc266a166d332725b0c8a4a035c1f685f4468c8714bb8f3898c5233e65fcdf9ab0721037e183aa5987cc5d00b852e9 |
C:\Users\Admin\AppData\Local\Temp\CsAo.exe
| MD5 | a53de923065b04b87af5d505b697b1fc |
| SHA1 | 39161c02f37fac204e96ca4a321ce63b9d868535 |
| SHA256 | 6279f3db8ca3f733cb3926bcab1b11070d7cf2a30d3409c0316f78d45c433c83 |
| SHA512 | 6364f9657bfd3ea77c00893287514df75e549e1a1686c9177f811defe864e4cd4ec149b100d6efb4ccc273d7597a29b1f184a2028bfab6fc98f43f2bcc83c24a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe
| MD5 | b41d701368285a1a81851c7fbfbcb212 |
| SHA1 | 8d50024e0cbbf52b94e0a52ade633efeabb409e3 |
| SHA256 | f6505613a6a18f6c4282d06f2bac0adda9827eb0ea404c7935eeb79dbaf8c7ab |
| SHA512 | 334df95c050b5e75da7ae759c4221e7e4616c892b04f07df326f00172ddd73ef12ecbc5c0264b8cd5297b6cc3773f2694620596cff48b266b71b647d2cb341de |
C:\Users\Admin\AppData\Local\Temp\EEMm.exe
| MD5 | 560d512b189e008b99573d2f19b8fb75 |
| SHA1 | 911ac30b5c25f265bcc8dd78761f1ecb80fea991 |
| SHA256 | 33da9f680a2d61d79a6884c9497d696225eb94dbbae7c538db02037f361c7684 |
| SHA512 | f4703a4ad4fb9303de62dfa43604492d690395e7d7cd85403ae01422b28ea823122963a8a09ca00d2ff0e34e621ad95cd2af071a67258243e523eda003745969 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe
| MD5 | 3e86808749454cc1ffe04d69e7b6cf01 |
| SHA1 | 4967a70c172399bc2c450628c896543205a812ed |
| SHA256 | 292b39f152060fc0124ea6b6416afa490276943917dfbcd544df6dcfb4177d36 |
| SHA512 | 1df32c620b6e46011cfedd81a994c0f05152b25653d6f00ad535e1c9fbcc9ab9eaec7a8aa3ae4a9f5392481063c119905add0fcf47912a10ca3e6db944c870cc |
C:\Users\Admin\AppData\Local\Temp\QIcg.exe
| MD5 | 547474259a30a5b6abc1a49ec1cba1a9 |
| SHA1 | 3e40e3b031ff1948203e90f09dba6c6e4cec2b0c |
| SHA256 | 5161827c719f30b140b133565edab06c08d1392dff32f96a5edb99a397d6ca1f |
| SHA512 | dca724f0196042c49323188bda2c38e19ca10f2767bb61330d9c8397c201a75130f61ad9ff6207293fc16e752867fdb6c217c1b7e2a111762dbb88358cc4a4f6 |
C:\Users\Admin\AppData\Local\Temp\McEq.exe
| MD5 | 1e1e7a26499d88feccfb1c60454e3403 |
| SHA1 | 0605b39f2107138ab9ea1c86dd3a6e9b75700c3a |
| SHA256 | ee9eebbc2ca9199319079b4b8dd49323bfe9a1484899872e9ca017ac5f15cfbd |
| SHA512 | ffaa460c9cacca0d4d915a1095c746672a643c5c21dba373bd7b104b670aa95770e9ea2376b2eb4ba21fd2d881c22363fb439eea8bd3d88fa5733bd410573acc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe
| MD5 | 48a766b58d1ebcbe87d2630a76a59aae |
| SHA1 | 797d6babf6c0eef30cf6f06c3af72b519b3e5bdb |
| SHA256 | 163e51b1c29a031bd1aaaa28bfaf673cbfbf9ca970e67c3486efb2602af82a36 |
| SHA512 | 558cbfa8d7059584f06af7a330477d3deea7daab39c8e6e5f7d674f269b476d628fd6dff4e9afb075a34bef3771f3f47074a5ef80da3ec215b7703d5e110fce3 |
C:\Users\Admin\AppData\Local\Temp\EAgG.exe
| MD5 | de09e2afb70483b10f473849f2416373 |
| SHA1 | 13345edbfec874fdbeaf0d66458266fc7abfeb6b |
| SHA256 | 6d4ac440f95ab46943f8ab510fe5121dd376c4e88581537c3462afbcbdae70e8 |
| SHA512 | 96e213b43024d80ab69c07728b214be773c3afcac82a098f1bae21d71ddb2501e8b45c2cac1e238e848eb5694d60047f2543c01eff0903fcc8f6c9d0499a7c0b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\128.png.exe
| MD5 | 29520f496daa8ba8491be4c6b4fef014 |
| SHA1 | 6b47148767f0b5affb635b6d3d2147c997703e50 |
| SHA256 | 40beef183b5d64a641c6b08009b6e34988b14b4515366f2591aed3d2939d66e7 |
| SHA512 | 0d750d4282eeaba60b4d2e10c5f0c081457400813a47166aa4273a57bfe6ae6527d878bc7f737a55b8d5ed05c87b0e5e0b4b9febb41649b56a80d1d532569d99 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\192.png.exe
| MD5 | 49b89b95153a55fad3a61415e308a45d |
| SHA1 | 24d0cf6ad3e0576d78f0cbd9a1276b4e9712de2f |
| SHA256 | be0585b53b32c777b57c358ae4201edd80b7a301544a2d070c2f9c5d1316814b |
| SHA512 | 6b213234dba56df4cd450c39ac91e8c7724081ab598681d9c528f70ae5fae6d518b463af7d114e8efe65e8c369e185d0dda2356b7c82b2a30c8d7b17274b6caf |
C:\Users\Admin\AppData\Local\Temp\UEMo.exe
| MD5 | da908efc72506626626e1c62faef060a |
| SHA1 | 0906597b2afe17903b8d83e6df121e43ff46028e |
| SHA256 | 32984604627843e7fa20a5bfdeb8b9e82e97d1a5202f0fa46fdd24148981c74d |
| SHA512 | 9c76f29762e8c02f64697baa06e52f0a8f87b88cd4e74e67b7159a2a91e9ccba40a0579b8c6b135bd1fd57d802477ba9ebd0c9851d7a4a7684df9db74ea4013b |
C:\Users\Admin\AppData\Local\Temp\SUco.exe
| MD5 | 252a45d6e6e3e7eed07a6c1119b80346 |
| SHA1 | 9120d4f6a08b2590c63af3a01918d00846168c3e |
| SHA256 | 5ac374c3897c8885451d3f4eb94013c778cbb1b0053b4af0471715159990db54 |
| SHA512 | a48715d9b88715486a4db46d39f6cde615d740854329ae9ec14030bfd96c4ab1cad8ea4ee4f245e3bee058106233b459be49a85ca9489560b85066100e9cb9cd |
C:\Users\Admin\AppData\Local\Temp\gcMs.exe
| MD5 | 1539d115eec0194a21ca03c55781c6bb |
| SHA1 | 61d5546df14d641580ffff044f9a88fd7425d1ca |
| SHA256 | 070e45666f32c554cd4e4ba2602dce2834ec126b9d5541a8a837ec5629e28b84 |
| SHA512 | 0f9d83831658d881ed1cdea3cf3550782b6e280f6011af13e49a17dc897bf0311a6e42f82898ea86f5c215d5a2f7fe59a42715589643792093046811ce58e481 |
C:\Users\Admin\AppData\Local\Temp\MYks.exe
| MD5 | f3006ef3a0e07065baf0479afb6668c9 |
| SHA1 | 0fe641b221b194481b8839a16b0d1ad8669a8581 |
| SHA256 | d2a23d544a91d165cc82c1f2bad78d7c8b2dda2abd9698c2395cbb0c2e3a6d5f |
| SHA512 | a245a044ca41edd6e396abe6e2f8a3ce56f4739b76dfe2b2ca0c5029d9e64e563a18ca7a6f0b8b2261434bd6a5dc2b739feba11e95088d4c6a5703376ac9c114 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe
| MD5 | a4a59976b761df9331263b33c442392f |
| SHA1 | dc3521d6018cd44455b9bd405392a13a5a4088ac |
| SHA256 | 7a79fdbd385e3a61a672d3d666f6998c342de1022b76946a4ce447a7a399e72a |
| SHA512 | e5186725c61f7793b71f4b5f2ed564f651f897f8d46b40a0430ed96d53514bf621ee6e79596d5d21b02beb6f6bf5ff11e846e812d150b01bd1c2ce3f60035600 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
| MD5 | d1a49f373d0388bb7731d472dbdaa1f4 |
| SHA1 | 1fc04a33a8fe9fe5f27447a55111d34792a7ce80 |
| SHA256 | 932282f2e65e0117efbf3d8238d473e8d6705cb24f2b6cdcfa37d3be0c180f85 |
| SHA512 | 679a51c114727818ccc314430d97206aa49046fba0bfbae8f8d9de414ad644946c1f71bdab8e7852bcc25d9760cf04f940364d6ce9d9a20cb3901a76cd2ad929 |
C:\Users\Admin\AppData\Local\Temp\Icgk.exe
| MD5 | c1d60114784da971d67d75dfc5eab317 |
| SHA1 | ede3ae3e625d0961a424c8dbfc9c4a02a5dbbcce |
| SHA256 | e0961550bd5653f337b8ef6f839dc349df577d02f78b16631b2bb3699fcafcdb |
| SHA512 | 30451fc52f893e4c40793f37a559842c7be98b70856002e89139c924f98857d465e454ddc5085012a723692f5a6d6770e13b25991b45922075bb617a78764ed0 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
| MD5 | 66ea2556a2cf0dcb3fd9f4542c08fae5 |
| SHA1 | 93a50d918eaba5667ecce61fcfc34c9324f35a45 |
| SHA256 | 7370a6dc7ec824c8e7d20a1c9b08d16d3766a618045a750600fb16130a59a925 |
| SHA512 | 31354463e1b200d064791ed014c14d23136065f5640c9ede05237530e441dab78b962408f615e82fa40e69170cd00fd885fa5b3e053e9cc164400ca8a77b4c2e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe
| MD5 | cbcacca51a40716641343ae239ec3ab7 |
| SHA1 | 05b28f99f5521fdae42b42874aed5df22f17ad70 |
| SHA256 | 8877d41fd31b733c8536471df7dd2f8d2a591b01d570a10d971c2a69e2a4487f |
| SHA512 | b0e51cceadc6ae4511fac67e56500fa1bc089e34b2a68970cefe4637d96026f924991c4b19078ff2829d877a43c849b290755f8f48a60cc82da3de6eafd03f4d |
C:\Users\Admin\AppData\Local\Temp\QQka.exe
| MD5 | 4695318abb916c9280c83ca1ab6f52a7 |
| SHA1 | 43ce1aeca3017065e68285c19c54400dbfcc586b |
| SHA256 | 90db4439ae345a4fc866b9c29267cdb6372923a36dc01dff1aea7368a53d5862 |
| SHA512 | 044ecfab25b4ec3bc26ad6e507f4f02102324e79182693d0e1adb2edbfa5e71229f51d290a479d79eb1b0b01c2b95bc19f65bcb11faadb3dfb38316759c59d67 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
| MD5 | d982ae7b76de177a25f3236673ae3855 |
| SHA1 | 3351fd941f58772fc6c6ea0e0b9ca3181848151d |
| SHA256 | a27cf6e248c393713c2a85a61d0f56f40bb5dd54691524a44bcdbc5a0dc6f95a |
| SHA512 | 33f7b44c96ee4a54d08df8f185e49e4702cb8866ad8902d6a736b5f286590aea26dd0b73d9d150a35ef6e41db6eb58145589d681fc34ae4b3d6172762159e765 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
| MD5 | eff6753b30eb93afc26eb3e2e3c66c07 |
| SHA1 | 947bb65a9efcf5aeb122a39aa3ad1d5468c01e8b |
| SHA256 | bb177f6b0d063d35d0a0a2507beab3e85ff8b1f71bb11435b33642f6384c0b60 |
| SHA512 | 6438e6289aad247fb30c2e99cefa13f9bce08147da304275054255c4ad76f47773cb7d6bbcaf5e59b9950007c5fdbf7c37008181e3fdaaf855b46a9e85e78974 |
C:\Users\Admin\AppData\Local\Temp\AgoY.exe
| MD5 | 6876751bb48f66f5cc47e07f4e162c3f |
| SHA1 | 12fd3f031237d54c84eab8fad30d9dfd05708a2a |
| SHA256 | acf1b81844dadcbf3a892d130ccb31270f5a56ebc84615e661c5676d1efa6103 |
| SHA512 | 2b47069afd2f349a210ff76f20a98c1b221348f2089bbe3fcd3b382b2b9c9b0f21914fca81b141de7ed60e7f843d1046555ad0a22e64e4adf184db763d56cc3e |
C:\Users\Admin\AppData\Local\Temp\KgEa.exe
| MD5 | ae2c68934d748edc1304f69a0f097878 |
| SHA1 | db0f4c228b8b645ed1d2f781cdb6d1a4fbbcb3d8 |
| SHA256 | 7ed41c49d3c929c7626a228d9f53ea2577bc9d36c2186b106e9d16dbdb6b86c2 |
| SHA512 | 24203c9a7826e9fa18d376e24d61a38e715125988c7429471a0edd860ab39212675843ec57fb3f77bc69f3f9784cb354a1f9679e601ed40a8ecb6549985e6770 |
C:\Users\Admin\AppData\Local\Temp\ioMi.exe
| MD5 | 636ff6dc8c54a1fd447fc553debcd4dd |
| SHA1 | ed67cc906dee96fd1f4765f80a4d36e4df383daf |
| SHA256 | 78f363e52f7d9fa4a59849e9b160f1d30bddd10cd69673776b7b693ccbdd2ebe |
| SHA512 | c20f68794fb3a80b1343ed9a3937fe0bf3fd07d0f7cf0a9a21d440b14524bfcc99850e7508d46d8945dd4e984ade673272e1004fa84393398182d9d1354af058 |
C:\Users\Admin\AppData\Local\Temp\UoUg.exe
| MD5 | 4b203336bda4afee2f1212251aebb0e8 |
| SHA1 | 3ca92653b5de1c0ea50d9ddfc46b013407f29f45 |
| SHA256 | 43eb9058a9cc9e767f3266186d5fe76b2d3dc641609c922d09191469e861adf2 |
| SHA512 | dbb75d90c7e68b2f916661847fd439560ee453a78188f9d033a2e46aa3b0797b1cac93d0723e5e3d25483ec445077e864ab43894776a60a5a3e1024b404f917d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
| MD5 | e84a777daff20e809a5035e50ce224ba |
| SHA1 | b3a0330848d213d1db195e7a5e11c6012039025d |
| SHA256 | 20b8dbcfa85a0190a5812c003152f81f269703466a5a72b06b979c3ef35fd51b |
| SHA512 | 8051ccaa597367a7f2034d2a82915a5d4cb0a8f84e5fa9a6d3b5c2cc2483e9e19752411a0b623fdc936759708ea72fb08337061728bac2e525bb2cfdc0e4ec5d |
C:\Users\Admin\AppData\Local\Temp\GwUm.exe
| MD5 | 89a135b06d471a7f836d002e3a41a81b |
| SHA1 | 6f42d3036148859b2b6b1434ba46ad5f9f4a8700 |
| SHA256 | 33451b661165c5bb356e371cb7cf24fe7d3d952cc208dbd7a957e0db972f8cb0 |
| SHA512 | 9aece098ab668db99e29612f75a3fb1a8be8ef217f8f3d4ca4911142500342ef1068e459a7ed4fb20ec731a4f1c86b2c1a222042160e2f38a2c8ce730c4362ff |
C:\Users\Admin\AppData\Local\Temp\KQAM.exe
| MD5 | 910096f3131b8802c1bb76405d525754 |
| SHA1 | 420da7c38286466450bd6bb77c3fb9c820a32c94 |
| SHA256 | 672ce7a197f4ac1d260b07173096cabe6caa4d5e9d9a2c44e92d660937c3245f |
| SHA512 | 78f0350e22efd0baa84ff112c277d1339e6acf215a83da16a55c4ce64baa3cf4111ea59d8bfe1e7dcd7a94c101a4f4a8345ceb1c1dc245e5bb3d14a78d222db7 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe
| MD5 | 60d3da97f325ec6344e5600322a65aaf |
| SHA1 | 0f7c413acce1950e52235616ba677cb44e6e80d3 |
| SHA256 | 5796fbf6961a5db1f0e4102e25f179a43ab08c519c870ebad272bd2802455541 |
| SHA512 | 04d7790126878896ffbfaf5faa94408e4e85455d63ba0541390f2850e6df421164065bccac05100a157603fd3cd3a651d6adde27a5ae2f95492a8f64d447a1f3 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe
| MD5 | 5d18d9d4e065546b8bbdee83e026f993 |
| SHA1 | a0376edb0ffbbaebc58b6fbc105ec0797e2e78a9 |
| SHA256 | 47a29ef9ed08bfa13714577a308c8479d5422bbb2789f806731e72272e8df1ee |
| SHA512 | 7fb33e767894afa1db853ce88aa28126516201ae1dfee297371c92e2dc08df29e7ec9b00f780b9c3205d4bc38e0204feaa427fbd69ea9cfe87b07229c003b7f4 |
C:\Users\Admin\AppData\Local\Temp\MsgQ.exe
| MD5 | 59e316ee7e548f949576ee7fddc9bbb2 |
| SHA1 | b40bfaea1547c7d46fec4ca5f97e37ec76415ce4 |
| SHA256 | 662eb192c97446cc361b03403ec16399257874aee9e4edac1bdf4c53c08ded9d |
| SHA512 | 69def93bff7731c1d51912f8afd593beccab57c1d0aa3a95774cac49448dce48150d114891b7a3e643f174278749248f5c2d825983b46638c8ef22e68d4eebff |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe
| MD5 | a9cf68bc40c1bd73d824219cfcd9bc82 |
| SHA1 | 9c4e2ac8bd2f3303854460a0c5070f875fa4b4b9 |
| SHA256 | abe125964ad537c413e7f2ef67fd93b0fb2e50406944828732339dcac5a1b782 |
| SHA512 | 69b474aa1cdd371d226074999c59c38e44e3ca4bd7e672c74cc2887978a05a18233d61513bd628883712e360613abd29b02d13b86b030e4e886d0aba06a520d4 |
C:\Users\Admin\AppData\Local\Temp\KEkM.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\MYYm.exe
| MD5 | 6c8a24ce460e16608a0a1910c09d8831 |
| SHA1 | a267c6f6639c965c34068286d656494f71e2d9e5 |
| SHA256 | b13b6a57a58e96a4d366068c68cb51f657a08dae7e2a4e3bb435662891f44dfc |
| SHA512 | 71f43b99ed7c1024c391fdd4e3248a821b2f9bfb31a0f257a04f7cc769799d13ed02b8f01dc5ed9eb6c0c943811bd1906e61eb5102c66c49769e397a58789d00 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe
| MD5 | 94ab334b96d5c3e126aefd6c123ea6f4 |
| SHA1 | c13697ba4996934e6e78f19572287a0cfdb8bd5b |
| SHA256 | 7fab5b944556eff017a785b07d787b5358098acfa7a7a93c22cdc9f1c24fdda4 |
| SHA512 | d3bc9adec6e9f1ed44c527d4cf3a3f1eec5809f418cc3a311d67448c81944b1a61bbca5df1251691a658f5d1c5b9b26f9b41aad9dfe2d794d4f33aeeb62ed3ec |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe
| MD5 | 44f6f04c7e6610801424ac3ed9248793 |
| SHA1 | f7c3dfbb367b8eaaab193aa6e719998b12d69123 |
| SHA256 | 525722e54e96e0a7f5daacd6a115b70dba724cc334dad177acb1f492afd79564 |
| SHA512 | 89b830226f3de38ea45c33165a237eeaef94553f72a51c61d3c7dd99f1967661c246ee41c8f3f3257b7b4cce18b56575397b27915b2360fbae9d66eb57a99d5c |
C:\Users\Admin\AppData\Local\Temp\WIAW.exe
| MD5 | 500fc0ddacec84809602e691080c6034 |
| SHA1 | 5d820e40dbcb4f1fe3ccddd351734469b4248475 |
| SHA256 | 1207b34fad7a33645ca60817d2d7c74b87d141ec5759e0a3d16876534606c8ed |
| SHA512 | 73e9114a006d9d5dadd8b1e229e932d7ccf26860f1d24bb9f00caa0b2062a050185a3b5a67ee032f20c2f0a54ea071158cabffdd8bc13787f74ffd5c8a12114c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
| MD5 | 9efb7ddcee14e569f7bd936e33588d74 |
| SHA1 | 9e455d31df343a1bbf162b8302aca49b2e3f4123 |
| SHA256 | 27cd070e763cc61c535aed0e1339054c97b1f456be6072fc4139262d3fdaa6e2 |
| SHA512 | 108595dbc2115150204960a54085a799e9806931236fc3008088c6fb2ae1913d3922a29e6df5cb3183927dc9ccf10d4340dad9106ffc5662b2e99160e79b2604 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
| MD5 | 4d837652abe69544a3cc5a61735a7c91 |
| SHA1 | 8b3e9adb9f728fab0eb494c2b8734cb94aad6836 |
| SHA256 | 3ce188189b930860e441422b840e8d294c4ad2b8e710bf72abbb5fef24cbcfba |
| SHA512 | d1a9af77871c7845d4e53eaf9e22b2e264f42355653aa1615cc3f97280baf45204e612ec2c55aa052d1f5da931b21597f65492d72128e8e8465b7eb6d46e5445 |
C:\Users\Admin\AppData\Local\Temp\EMwm.exe
| MD5 | deb295c06e24af054660e2d1e111fb9a |
| SHA1 | 5f5ee5294936bd79db39320df2c502d184aa56d3 |
| SHA256 | 50613475fd5401cc8eb2713e18ab67e3a92e0aa570d4ca4ddcb6b35ea7be4152 |
| SHA512 | 4f093066ede9ef5a1a667aae9765925efde47402bd260c187bcd5a5ca0d44237ce5403f5591993534b36f1076ff80b8789ba80bbc1ef2599019924668c2c86e3 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
| MD5 | 52a7f695dd12e35290fef8a6046bc0d7 |
| SHA1 | 98388529945559e0f07b130991c97f70f808940a |
| SHA256 | 3fcddd5d98434c2b3a67c85393b145c3103a6bccf23daa947bc51fd40710f925 |
| SHA512 | 48bc7aaffb6276582c118443a07570d1841ade16427bc3b1c0e79a9d50a1f48f8670a9f498ae904c68337c0b1af4de6e07f2eebc62ac2176182e2ac3e2c6372f |
C:\Users\Admin\AppData\Local\Temp\escG.exe
| MD5 | 5bf45650b8c4ca7ae03b605e01fbfb16 |
| SHA1 | 7ac9e909ba84865c4c3cb6cc0a03fff09152024c |
| SHA256 | 287fb424059ffc5b740bacc80fd597e508caabcdeb6d85a352f817cf03c3b624 |
| SHA512 | 856c51d426c7ae426582250521c526f1fb11f6964934c231b4b99cbb44ac0add9d281ee08725b42f8670ac8437626d8f194f2ba76365e5c8e7c911cd643bfcb5 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe
| MD5 | ebacdecdf283dd80a7e13b905574b746 |
| SHA1 | 5f9e072ac1a1c7e15d4d64559e4f6480de57924e |
| SHA256 | 7bf277f87e09c795cf61e3b62036de18eb18881c45ac0d517a2d39381a0bf762 |
| SHA512 | 0114c317bd4a04a2cb0362d34d1c30371e1ef7adee27a313ccb5d86fb63cb20b015f2803d9f8b3b7fed8bd49e818db5620bae9a2256f70b00464aa2623e2af04 |
C:\Users\Admin\AppData\Local\Temp\CUgY.exe
| MD5 | b2dd930994670ba629e96ca22aa0f54e |
| SHA1 | 32686aa45449b338f7182b280d87f826f826f6af |
| SHA256 | dcd46f0eab125195ab9845b51657428f1db834d828724f6b684e8c7dc585b50c |
| SHA512 | db3ef13fd0ae36182b667503b4e802cf1aa7bb1a70b81e60f83448bdf48759fa19f669b229f5af5d89d0d99d27ee5019aee694cab7c642fc378af7a28055ef3e |
C:\Users\Admin\AppData\Local\Temp\ysUO.exe
| MD5 | a80d4d7af988bf6365220e7fd636f2ff |
| SHA1 | a6dc66cd638821ea6cd2024d35e19a1e4d721f92 |
| SHA256 | 0e2ef587c503006450cbb8d8d9503fd00c63e0b5f331e6b6306bf76cd461e313 |
| SHA512 | c0380f5b32cc074a521f37278b0d933bff1eb5a6bf33b46e83f5b8d377343b571c50be2611afc6ab4bd86320e724f711d3043748f1b79ca8bea236e2704b771a |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe
| MD5 | d163e5272a86da3d496f616f40591828 |
| SHA1 | ab2e595a30d684750742bd7c8e5270af53b21043 |
| SHA256 | dbbdb2ec247dc915f0aa5f3ed087ae7ac889cd8b88f98841def50096ee473e63 |
| SHA512 | a3672579a6e4ba8338c0d22dabd2f8ec4006286165d00235a615077c95a7188046b2dda2e6f65f67a2590814ef106b7056536212a15efce82f5a31e2c47aac73 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe
| MD5 | 011bbf9de0f1d9266dc041d1387c695c |
| SHA1 | 744cb2ea296bb18bf6c9df03a080dae84a3785db |
| SHA256 | f4c0d74561d9d5e544ac2420bf1a127f33927b4b81ce39fb5717109231f5d5a1 |
| SHA512 | d3fcf75ca20802bc4030cfc779575ef3a1f02360c917f887d9a81715cb21849f5c536ec5eda64860582cc29bf1fc6392c3a932c04e91462b7653d3178e1cb959 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\D6HMLU87\lockup-mslogo-color-78c06e8898[1].png.exe
| MD5 | 7f74408d5cf9eb2198583791be2bfa2f |
| SHA1 | 6e2441637dd4b48c92b4d43c188db243604bf408 |
| SHA256 | 766a366aa0e014059dcf4cce74b1a3491fdb04d90926e3865f522645c7bfb656 |
| SHA512 | fa2e11f09c0f5ebba6311a1c5cb1e2a935da3a2e7d15f71427178c09cd75a3d94e47031241a004be75ed768768d0b99df81b3ba9f7b65e1a8365c0a757ec82d1 |
C:\Users\Admin\AppData\Local\Temp\WAMu.exe
| MD5 | ad797c16433706414a97bfcc5f573627 |
| SHA1 | b67798d2df4384c1f903a8e1e1a702ea0a483e00 |
| SHA256 | 0dcb3284e1b2b17ee9c89c355ac8e11a4020e75ecacc422698391144ed04bd91 |
| SHA512 | d375a1d18a05a9230cc233d525506ff0d74e6c04381adf1d27621264fdcfde3b33a6e9c1936a2ee95e526ae4a642cd2b1fb02729cdbd365588eafb332e7cb3f1 |
C:\Users\Admin\AppData\Local\Temp\McQG.exe
| MD5 | 6f42b3b398c66498d6854176add26b15 |
| SHA1 | 69a908001db769b961f7c9c1e75ece663689d21f |
| SHA256 | 2ec3bf0bb2adc57f1d02117f0b477e3d74c4ef767779017d1d8be8faceaf3312 |
| SHA512 | 571d5c91ea962a063617b6e980a33018874f4f408d32fa1dff8c492bba74ca6bc923bb01709a3edc67ac673a67b70bac0c412664985d4e276569056c3b8c765b |
C:\Users\Admin\AppData\Local\Temp\GEEC.exe
| MD5 | b48882b485c639bb61324d22d082d42b |
| SHA1 | e2bcec0cc7f1685825709a504ef21eb4e1ef7bc5 |
| SHA256 | ca0e1fc463382b1d9c11f5c2b560cb6cab5be45e383318ad8a693af53d1cfe40 |
| SHA512 | ce7c07a3f5fce6e0bdc7e3c0f595b1bb892397382fcae2205e61b861549bf2f9ad2e73cbc6634f16b7c3ff87e87073baec6a0b01ffef822a0185fb286d49a73a |
C:\Users\Admin\AppData\Local\Temp\SIoE.exe
| MD5 | fbdb4d448ba16d9064b47cb30a9433ed |
| SHA1 | 162ff51c7035784bf0b86228b0e61ecb3d2a3b86 |
| SHA256 | 6eaf891f3db719607847ca48fe4694d8155db15572bf20056d7ac98ca6fc21ee |
| SHA512 | 8e215ed2ceec1354cccdb033425414ffdb7ccca9604cbc6509effd0f8deb8fa02f3eea7dba6f4805f998e9bb5bbc3d7bf8410861c8312313eef953246b3d605f |
C:\Users\Admin\AppData\Local\Temp\ukww.exe
| MD5 | 74cce73c08451d983065aa32c6994c3c |
| SHA1 | 7ebf181aef0ccc839be1a0b611de319237a37f3a |
| SHA256 | 2a62143d0380e818f7cf535a7809434b6f4da6027317e60792f0359c27884148 |
| SHA512 | 44531c05d134505151ec6e39c1d48e73c4857e210601e38ed2ded31abeae0493305e6684bb863a1535f1f91f472d0920f5e68d907bd3b8fbedf9600de6a55658 |
C:\Users\Admin\Documents\CompressDisconnect.xls.exe
| MD5 | e4dbfd361e630483b9c84ecb834fa10e |
| SHA1 | 5d135fed4a37561361aba6e80069e6db92a54e7e |
| SHA256 | 661cfbb132e1b2959fe916c9018b82c461a42fa51115bfe02f53bbdb6d3377d5 |
| SHA512 | fcb8b439c8d7dcbd8fc8cf11897330a7a0359c6e200ef5bd94dd3e93ac0819e91d19c638277148e6c900b7b22bd0942968fb628fc1d0bf2ceb57b3c8740f9120 |
C:\Users\Admin\AppData\Local\Temp\msMu.exe
| MD5 | 86a17c89bff72675a83357da9ea36e5b |
| SHA1 | af8d6f1741ea6d5b02b457555990d59ca74110bc |
| SHA256 | 8f6c40129f3f699c93acde6786105463a439ae452f1835eb54120cc124bc3c7b |
| SHA512 | bc7ed29d7a15dacd22265523c18867bdf01690715e43cfe4ab3d7112fa293d5dd7835311ccbd99b7adf9d47326c6c3a947f3bfc24eb852542fbedd5b7349c534 |
C:\Users\Admin\Music\ResetWatch.gif.exe
| MD5 | 841b7c3c0fab5a85b57027e8c4e04094 |
| SHA1 | 58f5193596abb00816dc710ab94888b27259c09e |
| SHA256 | ff3d3f3e27bcd1b102a6f60b8196bbe16555e0bcaf0fa28005383bbeeab90004 |
| SHA512 | 906284b8011835fd3db7ac714fbcd153aa0d643e8d565c53188ea5f27bf94d1c99c41c6d23b8942e6a250e2aac5d0491197b2649aff364f044cce0e1745269a0 |
C:\Users\Admin\Music\RestartUnprotect.wma.exe
| MD5 | d2904e5553485b0aee2abebe1f852c50 |
| SHA1 | eced923461e4c87e274c18e119149c1cc168d7ae |
| SHA256 | 652b81cc1dbf0f27967ee06740ce427265252673281bc57dcaf82cd11a3178e7 |
| SHA512 | a64b62ff41bab392ed48e25e3fd64a77203d2ffdfd174bb75f8f3f5619ede22afe5b031f81cf23b16a707e18233e498c6ea26a396201b729482cb18d19a3ab5a |
C:\Users\Admin\Pictures\LimitUndo.png.exe
| MD5 | 440a31b26c38755c1f51d7c55e9755b6 |
| SHA1 | 783b6e05807f94ce22812ba317338a947929c6cb |
| SHA256 | c658956c3067f957ccc7b831463cb316c4f93d0bd9beaa643e69de92d7634a0b |
| SHA512 | 40676c4de25a6fd828d3527479e6827b888023037166db889449e85eeef8e29fdd7623b59b136a725b4536b11f36d4063eac5891cea209b0afcf0abb9e013e55 |
C:\Users\Admin\AppData\Local\Temp\uoca.exe
| MD5 | 43300112ddc36a9b2d41767ed2a06272 |
| SHA1 | 7c9102b468882ebdd9d5622b2fa5a928e1a98f74 |
| SHA256 | 6e2ec9f0e99f6e3211defbdf6fcf69881dbfcf118b88c5af61a6f3b9e37a6947 |
| SHA512 | f12726c8d24993fb4de4b222cfc6c5faea22e624d2ed77dd5942f8cf1aa17581e7b3f850259763d95764a5b40732c12135a998beeec50a0206775432aef04ed8 |
C:\Users\Admin\AppData\Local\Temp\Cswu.exe
| MD5 | f3b99312f7301fd75a051cf90ae2a139 |
| SHA1 | 1a16c662cb266a77728edb19a9386c24193796a3 |
| SHA256 | 1773d6b3637a745439d008fc60d9346efc389bd8654a7d3130b3a9f988aa2c67 |
| SHA512 | 8bc3967390b33694bb726cceb4675db1e59c2105243be566bce2f1497d8b56558d204b1287bf83e58575a9d3c0f4d3c018080a70635ee76f295a901fcd01d1ef |
C:\Users\Admin\AppData\Local\Temp\Swcg.exe
| MD5 | e4e4266b21410cec38f0126a25e7867d |
| SHA1 | 6345ef1ebeff7f62b12cc204f1f1d759e1fbc5d5 |
| SHA256 | bf84533b43779750e6a47eb3587084ef416923aab3f23c0841c565ae169c1c98 |
| SHA512 | 4c1a43fe3e5fa3372c08e68536f0bfa21cd8acd36db64337ca00be3867c45b4fa14e69483d07058d278539d7268d2a1e3d9d5242c976864815bf088f731cc760 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | 29138332d08dc47040a87214b15cbfa2 |
| SHA1 | f02772827274535d772e72adc2526f477f93deed |
| SHA256 | b8516192d7e1b089c038f0d0d7c10a4ac3cd3c42132591cd2e06a7afb51f5196 |
| SHA512 | 899d51cdbe496ecb2cda8b595ed0b6c3c68ee927d507778961e59d3c18e5d5757e29985d4dd272c0dc28341abe6e8a69375db342798bd6304dc8f87a13df46ee |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | 6d2d1fda61b20af0f70aaf6d1f8129cc |
| SHA1 | 30aae50c3a82d9821873245828315fa6d1d2a0a8 |
| SHA256 | 55600292796ddbc56ff200d1901680873ecd523336a020b649f95f1b0e9a29cc |
| SHA512 | eb3e2057e3521412841b38cd929847b746fcaf6f0b609cfda47dacf7024003f84f128511edef081ebf308a9bca86461cddbc3907bc685e4d0358515def7147b7 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 311d35567c74613d5f45aa4956911b25 |
| SHA1 | d7a86be141e72d6d8090203e337434d1f91a8d7b |
| SHA256 | 3c6c544fa379b5f8609d97bb6e34410e16e47869d8351824c8c4ef497ddf326e |
| SHA512 | b01effee329b99d500934c5a57b7dad61686eba8ecb9b920322e43a7f140115a065c33b4892e5362432f59a8e06970b7c14c94d19b78d29237c67cdc02e615d4 |
C:\Users\Admin\AppData\Local\Temp\igQu.exe
| MD5 | 1ba8871c924a88938531f24e3bfca5a9 |
| SHA1 | 011a989c6764cbd8777d5f09bcbb4f1f57dc8089 |
| SHA256 | e3a11fd8a5cc54e5753d584c34dfe41276d5a7469f50f955fda4e4a1bae62229 |
| SHA512 | 824f9ea129d52fa3b118cbb4a5d9aca84aefe260bea5297feade0b76b377b8c34dd0df1b2d71456227bceb6a22514e07f44751dec98b01c458eed8f8a1554bb5 |
memory/4880-2032-0x0000000000400000-0x000000000042E000-memory.dmp
memory/3404-2037-0x0000000000400000-0x0000000000431000-memory.dmp
memory/4808-2046-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1712-2051-0x0000000000400000-0x000000000042E000-memory.dmp
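The dropped-file list above shows the sample's masquerading pattern: existing user content (`48.png`, `CompressDisconnect.xls`, `RestartUnprotect.wma`) is re-created with an appended `.exe`, while `reg.exe` sets `HideFileExt = "1"` so Explorer displays only the inner, harmless-looking extension. The following Python is an added example, not part of the sandbox report, that triages a report like this one: it flags double-extension executables among dropped files and parses the registry-event rows for `HideFileExt` being set to `1`. The sample paths are copied from this report; the registry rows are constructed in the report's table layout (the `"0"` row is a constructed negative case); the `EXECUTABLE_EXTS` and `BENIGN_INNER_EXTS` sets are the author's choice, not something the report defines.

```python
import re
from typing import Dict, List, Optional, Tuple

# Outer extensions that make a file launch code when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Inner extensions of ordinary user content; an executable extension after one of these is a masquerade.
BENIGN_INNER_EXTS = {".png", ".gif", ".jpg", ".jpeg", ".ico", ".xls", ".xlsx",
                     ".doc", ".docx", ".pdf", ".wma", ".mp3", ".txt"}

# Sample input: dropped-file paths taken from this report, plus two that should not be flagged.
SAMPLE_DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe",
    r"C:\Users\Admin\Documents\CompressDisconnect.xls.exe",
    r"C:\Users\Admin\Music\RestartUnprotect.wma.exe",
    r"C:\Users\Admin\AppData\Local\Temp\ksUA.exe",   # plain dropper, not a double extension
    r"C:\Users\Admin\AppData\Local\Temp\KEkM.ico",   # single extension
]

# Constructed sample of registry-event rows in the report's table layout.
# The third row (HideFileExt = "0") is a constructed benign case and must not match.
SAMPLE_REGISTRY_EVENTS = r"""
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
"""

# One table row: | operation | key = "value" | process | target |
REG_ROW = re.compile(
    r'^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<key>[^|=]+?)\s*=\s*"(?P<value>[^"]*)"\s*\|\s*(?P<process>[^|]+?)\s*\|'
)
# Per-user Explorer setting that hides the last extension; compared case-insensitively
# because the two detonations spell the key "SOFTWARE" and "Software".
HIDEFILEEXT_SUFFIX = r"\software\microsoft\windows\currentversion\explorer\advanced\hidefileext"


def split_double_extension(path: str) -> Optional[Tuple[str, str]]:
    """Return (inner_ext, outer_ext) when a benign inner extension is followed by an executable one."""
    name = path.rsplit("\\", 1)[-1]
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    inner, outer = "." + parts[1], "." + parts[2]
    if outer in EXECUTABLE_EXTS and inner in BENIGN_INNER_EXTS:
        return inner, outer
    return None


def find_double_extension_files(paths: List[str]) -> List[Dict[str, str]]:
    """Flag masqueraded executables and record the name Explorer shows once HideFileExt is 1."""
    hits = []
    for path in paths:
        exts = split_double_extension(path)
        if exts is None:
            continue
        name = path.rsplit("\\", 1)[-1]
        hits.append({
            "path": path,
            "real_ext": exts[1],
            "displayed_name": name[: -len(exts[1])],  # what the user sees with extensions hidden
        })
    return hits


def find_hidefileext_events(table: str) -> List[Dict[str, str]]:
    """Return every registry row that sets HideFileExt to 1, with the writing process."""
    events = []
    for line in table.splitlines():
        m = REG_ROW.match(line)
        if not m:
            continue
        key = m.group("key")
        if key.lower().endswith(HIDEFILEEXT_SUFFIX) and m.group("value") == "1":
            events.append({"key": key, "process": m.group("process")})
    return events


def triage(paths: List[str], table: str) -> Dict[str, object]:
    """Combine both signals: double extensions plus a hidden-extension setting is the masquerade combo."""
    dbl = find_double_extension_files(paths)
    hide = find_hidefileext_events(table)
    return {
        "double_extension_files": dbl,
        "hidefileext_set_events": hide,
        "masquerade_combo": bool(dbl) and bool(hide),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DROPPED_FILES, SAMPLE_REGISTRY_EVENTS)
    for hit in result["double_extension_files"]:
        print(f'shown as "{hit["displayed_name"]}", really {hit["real_ext"]}: {hit["path"]}')
    print("HideFileExt=1 events:", len(result["hidefileext_set_events"]),
          "masquerade combo:", result["masquerade_combo"])
```

The two signals are worth correlating rather than alerting on separately: a single `HideFileExt` write is common administrative noise, but paired with freshly written `*.png.exe` and `*.xls.exe` files in the user's profile it is the user-facing half of this sample's trick. On a live host the same setting is checked with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt`, and resetting it to `0` is part of cleanup so the appended extensions become visible again.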
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-15 08:27
Reported
2025-05-15 08:29
Platform
win11-20250502-en
Max time kernel
149s
Max time network
104s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (88) files with added filename extension
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\ProgramData\ecckUcQw\XagEsYcA.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\ProgramData\ecckUcQw\XagEsYcA.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Run\WGgAMcsk.exe = "C:\\Users\\Admin\\lgAwYQEo\\WGgAMcsk.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XagEsYcA.exe = "C:\\ProgramData\\ecckUcQw\\XagEsYcA.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Run\WGgAMcsk.exe = "C:\\Users\\Admin\\lgAwYQEo\\WGgAMcsk.exe" | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XagEsYcA.exe = "C:\\ProgramData\\ecckUcQw\\XagEsYcA.exe" | C:\ProgramData\ecckUcQw\XagEsYcA.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XagEsYcA.exe = "C:\\ProgramData\\ecckUcQw\\XagEsYcA.exe" | C:\ProgramData\ecckUcQw\XagEsYcA.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Run\WGgAMcsk.exe = "C:\\Users\\Admin\\lgAwYQEo\\WGgAMcsk.exe" | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
| N/A | N/A | C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe"
C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe
"C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe
C:\ProgramData\ecckUcQw\XagEsYcA.exe
"C:\ProgramData\ecckUcQw\XagEsYcA.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\ecckUcQw\XagEsYcA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQQMIgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe
C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe
C:\ProgramData\ecckUcQw\XagEsYcA.exe
C:\ProgramData\ecckUcQw\XagEsYcA.exe
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAgUwIgY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyEAcoko.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meYUksUM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEocAgAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUAsAAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nccwcYwo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asQogYsw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEEoccQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOEYkYEg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYMQcQQI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XasAAoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuosIsQA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQgEMYkg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vigMsQgk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYwggkQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUQogwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQckEgEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgUMwEcE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKUckYYg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGckggMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIUQYEwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUwUMkQs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiIEUMQU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOkQEYIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyEwsYMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOIMwgEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWskUkUw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWIowocU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWoAUcMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeMUYkEg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmsAMMgA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAokAwAA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkckgUIY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsogssoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGggcQMA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYcscUIg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SggAYAUw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mywoUAAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUEgUUIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcgwscQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmscgYow.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWgokggQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuAQgEsU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogIMIIso.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaIogIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIUMQccw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUAcgkQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMcAAYog.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmMUcsIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKcgYMcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckUcksAE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIIEowYA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuwkUwUw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMowMIcw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgkscUcw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUIIIQMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZscgIYIY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cygMIkwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsAccUAE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKUMwIEs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uygwwAQc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMwAcckI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmYkMIkM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIAscMIk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGMAUUAA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMoMMYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwwQEEoE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maokcEcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwAIEEsw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmwUEQYA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqcsgAIw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQIMoAwA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYgscIoU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOUsIYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSsEUAgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqwUMkYE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOIsMwUk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voYAQAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEQwQIoo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUEMkoEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYswUwUI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MogoAkgM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCgkMogM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEcQEMQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQQoksYs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaEQgwoo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkMggYoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEQQosoo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeYEgsoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaokUQYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqQswcUs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYAMowYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIcsoAsg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIQQUMUw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suYokgwc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYoIUEkA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwMgEQgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LosoIQAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqwYYYQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEMAAQEM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCIQQgYM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWAgYQgU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCwUkQgA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMAgowMU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeQAsIEs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\locYkkMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkUAsIsw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huIoggwA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWIMcQAs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkQsAcUU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSwAYoEw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOgMgcYM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naYIokMw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DokUswow.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEgwcgAA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUkoIAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGUcwcMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyYgsgcI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGgoQoME.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcUoYoUA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSIEMsYM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcgQEAUs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SssssEcs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IegQQYkw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esEwIgss.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkYkMMMg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCQoIMEM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fucscEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUgkQEgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcoQAwQc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCEcIIAo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgwQUEwc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
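The process list above repeats the same three reg.exe writes in every iteration: HideFileExt=1 and Hidden=2 under HKCU\...\Explorer\Advanced, and EnableLUA=0 under HKLM\...\Policies\System. Read together with the Files section below, which lists drops such as guest.png.exe and 192.png.exe, the purpose is clear: once Explorer hides known extensions, a file named guest.png.exe is shown as guest.png. The Python below is an added detection example, not code from this report or from the sandbox: it parses `reg add` command lines, flags only the key/value/data combinations recorded here (a write that sets HideFileExt back to 0 is deliberately not flagged), and flags dropped paths that carry a data extension followed by an executable one. The sample command lines and paths are copied from this report; the one-command-line-per-string log layout and the list of "data" extensions are assumptions.

```python
"""Detection helpers for the reg.exe writes and double-extension drops recorded above.

Added example; the sample inputs are copied from this report, the one-command-line-per-
string log layout and the list of "data" extensions are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Key paths (hive removed, lower-cased) and the data values the report shows reg.exe
# writing. Each pair weakens what the user can see or how far they are protected.
EXPLORER_ADVANCED = r"software\microsoft\windows\currentversion\explorer\advanced"
POLICIES_SYSTEM = r"software\microsoft\windows\currentversion\policies\system"
WATCHED = {
    (EXPLORER_ADVANCED, "hidefileext"): ("1", "Explorer hides known file extensions"),
    (EXPLORER_ADVANCED, "hidden"): ("2", "Explorer hides hidden files and folders"),
    (POLICIES_SYSTEM, "enablelua"): ("0", "UAC disabled (effective after next reboot)"),
}

# `reg add <key> ...` with an optional image path in front of reg/reg.exe.
REG_ADD_RE = re.compile(
    r'^\s*(?:\S*\\)?reg(?:\.exe)?\s+add\s+(?P<key>"[^"]+"|\S+)(?P<rest>.*)$', re.I
)
# /v <name> and /d <data> in any order; /f and /t carry nothing needed here.
OPT_RE = re.compile(r'/(?P<opt>[vd])\s+(?P<val>"[^"]*"|\S+)', re.I)
# A "data" extension immediately followed by an executable one (guest.png.exe).
DOUBLE_EXT_RE = re.compile(
    r"\.(?:png|jpe?g|gif|bmp|ico|txt|pdf|docx?|xlsx?)\.(?:exe|scr|com|bat|cmd|vbs|js)$", re.I
)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def parse_reg_add(cmdline: str) -> Optional[tuple[str, str, str]]:
    """Return (key path without hive, value name, data) with path and name lower-cased, or None."""
    m = REG_ADD_RE.match(cmdline)
    if m is None:
        return None
    key = m.group("key").strip('"')
    _hive, _sep, path = key.partition("\\")
    opts = {o.group("opt").lower(): o.group("val").strip('"') for o in OPT_RE.finditer(m.group("rest"))}
    if "v" not in opts or "d" not in opts:
        return None
    return path.lower(), opts["v"].lower(), opts["d"]


def check_reg_add(cmdline: str) -> Optional[Finding]:
    """Flag a reg add only when key, value name and data all match a watched pair."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    path, name, data = parsed
    watched = WATCHED.get((path, name))
    if watched is None or watched[0] != data:
        return None
    return Finding(rule=watched[1], evidence=cmdline.strip())


def check_dropped_path(path: str) -> Optional[Finding]:
    """Flag dropped files whose visible name loses its real extension once HideFileExt=1."""
    if DOUBLE_EXT_RE.search(path):
        return Finding(rule="double extension on dropped file", evidence=path)
    return None


def scan(command_lines: list[str], dropped_paths: list[str]) -> list[Finding]:
    """Run both checks and return the findings in input order (reg writes first)."""
    findings = [f for f in map(check_reg_add, command_lines) if f is not None]
    findings += [f for f in map(check_dropped_path, dropped_paths) if f is not None]
    return findings


# Constructed sample: lines copied from this report's process list and Files section,
# plus a cscript line and a HideFileExt=0 write that must not be flagged.
SAMPLE_COMMAND_LINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 0",
]
SAMPLE_DROPPED_PATHS = [
    r"C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe",
    r"C:\Users\Admin\AppData\Local\Temp\wkEi.exe",
    r"C:\Users\Admin\AppData\Local\Temp\kwoE.ico",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES, SAMPLE_DROPPED_PATHS):
        print(f"{finding.rule}: {finding.evidence}")
```

Two caveats when turning this into a production rule. The Explorer values live under HKCU, so the HideFileExt and Hidden writes succeed for any user; the EnableLUA write targets HKLM, needs an elevated token (this detonation ran as Admin) and only changes UAC behaviour after a reboot. And reg.exe is just the writer this sample happened to use: the same values can be set through the registry API without spawning a child process, so pair the command-line match with a registry value-set event on the same key paths (Sysmon Event ID 13, for instance) rather than relying on it alone.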
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
Files
memory/3012-0-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe
| MD5 | ed0f22d0ab676bb1e52b350c9ccae92a |
| SHA1 | a932209152148c7e65b8969d4789f3c7298c028a |
| SHA256 | 683199d2991cc7ccbd933843cb915ebade7e6c52c826296b3c3399cd89308be5 |
| SHA512 | 38ce81043a53e78cd7f151755f39ae1cb1a42fc8f9b41fffbd64a39a52bbd464589bfa26c32d9159808b85da97c6822905ad7cc4cf1007045c7c58442da1d8b8 |
memory/4624-12-0x0000000000400000-0x0000000000433000-memory.dmp
C:\ProgramData\ecckUcQw\XagEsYcA.exe
| MD5 | 1b4297016311b71c785455ba35cf2251 |
| SHA1 | 44020e50e13fc9458833f5e10ae859bf4d76a4fc |
| SHA256 | 970b71866cb59faa76135b52e77dbb7d49ccbbb850d139963c043a1a03f3e164 |
| SHA512 | ef8a1b5d5a4a0af4024143b30b9551a44d1252cadfe50dfd4c92ec07e90b5a0dd877833e518187336b85a6014dc69c7eef42cb41b13c2cfa4153488213635685 |
memory/3060-14-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3012-19-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bQQMIgQQ.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/3648-24-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
| MD5 | 4d11d81dc520c49daec13a866ca2a200 |
| SHA1 | d760cbb77963f810c0558f94db6a0c4b0d89c5f3 |
| SHA256 | 6918f0f8f0461f866a849fc691fa5de86db117554fc09c6497f9df363eb483d6 |
| SHA512 | 85de4910ccd7a083239a99218c5bb520865f785fdb08745b19262837c4473a4ee47b5ddf96b7f2a1bb0e06d8dd2712e699e80968fce196b3e31832b48a442bf7 |
C:\ProgramData\ecckUcQw\XagEsYcA.inf
| MD5 | bca5b95e3f3c02acfe16d947e7fdfe95 |
| SHA1 | 07bcb5608eda6841c033c5073e48b5657f330c61 |
| SHA256 | ee2b48284e2b1b8c106c2b13294953dea17432a6868f6c9e89d4cdb3834aa84a |
| SHA512 | 86efe410bc17f985c4b1d186785f2555d376e85c79261f8b8126a7817aebb760f9f8f32843b94c554f13d8cf277a12fa5e9bb1704c39e49551aea4774f19f5a6 |
memory/4456-37-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3688-50-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3032-61-0x0000000000400000-0x0000000000435000-memory.dmp
memory/6020-76-0x0000000000400000-0x0000000000435000-memory.dmp
C:\ProgramData\ecckUcQw\XagEsYcA.inf
| MD5 | 1d3ab35a1d2a8947440eb0b20aba0667 |
| SHA1 | a55a93d7782d1f1922ccc934d2dddbdf94bb962f |
| SHA256 | b43a0688f821b4a6a8d90d51abe0b9ae8c026def8eae693b9172c951ca40e1e3 |
| SHA512 | 1be49ebe1101949cdfd395788a091c08aa2d1a3392d17a1590a1cc73608de8db634e204acac8e058a063a086bed87d52c5b61dbf830f293cb1b6b6b057337e77 |
memory/1332-91-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3044-94-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3044-103-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2164-104-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2164-119-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4628-130-0x0000000000400000-0x0000000000435000-memory.dmp
C:\ProgramData\ecckUcQw\XagEsYcA.inf
| MD5 | 65bb013ecf0b0600f63fbcd5a9a88add |
| SHA1 | 03073775f21b4a4aa5f232dfa2bc1193d13bdde5 |
| SHA256 | 334af1411d8e3f04acd1f71c3d279fba4678c4690340aac7d88bf7d7fe4a0d1e |
| SHA512 | db3efaf88c05cffff733318dad9df1e6f7a41a8690a0a13e1bafce2cdc53c4c7f00b05c7d4ef4b4edaedacc5dd60bf8a5e02fea80821a59197f54f7eaaa91512 |
memory/5084-145-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4064-156-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4788-171-0x0000000000400000-0x0000000000435000-memory.dmp
C:\ProgramData\ecckUcQw\XagEsYcA.inf
| MD5 | 278c09403a3b905562201b6915b484bf |
| SHA1 | 3af0eb3d868223515c3f039c9379bced1007c166 |
| SHA256 | 90bc71b2f8434a263dda39cf4047381473292e0a6e83845cc4e30fbe136e21b2 |
| SHA512 | 94d347bfefe1c6b73bd1309783f503955348c45d9e9411a26cf016b0921ee17fc5bfe4ab907c4634ab2b4f5c4fc3ba465d6211ae70def6b940fe8a3a1eedcc89 |
memory/5196-184-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2040-197-0x0000000000400000-0x0000000000435000-memory.dmp
memory/784-208-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2360-220-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2164-230-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5060-238-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1520-248-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2228-258-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3032-266-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5552-276-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3592-286-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1828-294-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5044-302-0x0000000000400000-0x0000000000435000-memory.dmp
memory/752-312-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4936-322-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2664-330-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3372-338-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4004-341-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4004-350-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3276-359-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1640-367-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1760-377-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4908-378-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4908-388-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4348-397-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2120-396-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5096-402-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4348-408-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5096-417-0x0000000000400000-0x0000000000435000-memory.dmp
memory/896-426-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1656-434-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5104-444-0x0000000000400000-0x0000000000435000-memory.dmp
memory/984-454-0x0000000000400000-0x0000000000435000-memory.dmp
memory/6140-462-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4248-472-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1048-480-0x0000000000400000-0x0000000000435000-memory.dmp
memory/8-490-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5584-498-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1444-508-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3080-518-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5056-526-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1660-536-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2724-538-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2724-545-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3876-555-0x0000000000400000-0x0000000000435000-memory.dmp
memory/6080-563-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3092-571-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2824-581-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2316-591-0x0000000000400000-0x0000000000435000-memory.dmp
memory/324-599-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4512-607-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4732-617-0x0000000000400000-0x0000000000435000-memory.dmp
memory/996-627-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5904-635-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5680-645-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3688-655-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3940-663-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1704-671-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5876-672-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1704-682-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5804-692-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2252-700-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5044-708-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5676-718-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1048-719-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1048-729-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2516-734-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5180-738-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5280-743-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2516-747-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5280-757-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3184-767-0x0000000000400000-0x0000000000435000-memory.dmp
memory/768-775-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3076-781-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4624-780-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4300-787-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3076-795-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3060-796-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wkEi.exe
| MD5 | 310303cea0d059aafea2d0522ad95423 |
| SHA1 | 76f038bb44286e886f376005259a99c7a53b9fac |
| SHA256 | 619f0442ac18628621ad62bd20c6b5d5d7928e8080dcafac5f6dbd90515cf767 |
| SHA512 | b4954a2609160b9808dc1ecadd87e2be1f28fef2af23316f33c8b9ce57d2251065c54427025ebb97f5070abf53e91134f901ea8036be564602add3a581a61d53 |
C:\Users\Admin\AppData\Local\Temp\CQkS.exe
| MD5 | 50e51f75812ca97a4f2bd6a53de74d66 |
| SHA1 | d8c7aa55cef37efaca03f6d4bbab1faa1465d398 |
| SHA256 | 4fd67c817402f4e1beade2d01a6ccf570a59db8817ac7a6d94ba58bb08f977c9 |
| SHA512 | c0a9f3f7421614dec6f8abf9bcba7f511030fd0ef1076529e51bfcd2bb60257b45af5788b67cfdb9b171bf149bed824df08dee46a0e2255866f77925e380e7f9 |
C:\Users\Admin\AppData\Local\Temp\mYsy.exe
| MD5 | a0fec21663394c4f0a9c87e9a82c9c15 |
| SHA1 | 9dc01ad0693a6309d10fbdc3457d37996cfb6c11 |
| SHA256 | 06ea404dea4345d64052110d1ac4f51ed6c582f64008dc1385da59db0a868023 |
| SHA512 | 9c08537c6ac8bc3a137d49500268a60d21d0a00af35cecd8959b4fe626e29c2b87e603a249d6d40798aed9c91e38c354e5f6718d64c9656e06281f9f5d9bc9f2 |
C:\Users\Admin\AppData\Local\Temp\kwoE.ico
| MD5 | 9af98ac11e0ef05c4c1b9f50e0764888 |
| SHA1 | 0b15f3f188a4d2e6daec528802f291805fad3f58 |
| SHA256 | c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62 |
| SHA512 | 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1 |
C:\Users\Admin\AppData\Local\Temp\GUIs.exe
| MD5 | 41ec1ac8c3fd89fd1db310926fd83da3 |
| SHA1 | e5ef9cf36bd04117257f88cb019693256a8378de |
| SHA256 | 1ee8a8a7cddb5c92eb1260254096db632be7eb43cf9ef331cbc663c10da1a92d |
| SHA512 | 3184e43a5be71c43396d6c5cb5d9e2ed6cac8c4ccec8196131637accb78840e3ae26e3a5c7fe761868477f7275537672d44f0e813180282f813e21f95648270b |
C:\Users\Admin\AppData\Local\Temp\SoYU.exe
| MD5 | 8aa3a8b7607f162dfb73a78844d8830a |
| SHA1 | 056c9c7a1353626aa2ae60c84782cdba5eb27d5f |
| SHA256 | 423f7a3dea9bf33f86d1c8b3037dddb5fd9ce3a927145d0cf4f633e0f5043952 |
| SHA512 | f72dff4203c55e8b54a72ac91eb8ef1c99f4e22005fa6b861649ed4709d6b293cdabe01289fc85bf58ae20c283e54ad4d8b96f039fceda0d5434082af6df9171 |
C:\Users\Admin\AppData\Local\Temp\sEEe.exe
| MD5 | 39c00881a9f3b67a0c555a9b9b964185 |
| SHA1 | 5b532d60cc8d1f994d6c86d2284d80057984e4e9 |
| SHA256 | 72edb8af137a771a019d0cb636285ec88e885f66a36d2e6bca35413b9502661a |
| SHA512 | a58741b66cf212c12819e27d6b3a66210a52b63c54c68a24fe5c8cce4c174bff19113951f043f4830423b30181f3ec50d2a87c3428523171d6bb5831876cecb4 |
C:\Users\Admin\AppData\Local\Temp\eAoa.exe
| MD5 | e291daffa56a8ec58bfe0508ca333051 |
| SHA1 | b71cef7188861b29fd538df01d82b7efe6994559 |
| SHA256 | 96c26c9a32006531646b276d06c3b6ede6cbcaf3e42414cc8a45d55521c774b3 |
| SHA512 | ef96c1ae7de29973e387b8031e08306b50bc04705018a7ffc2d2fbf5344bcb8fdad4abee046522bdd55f2ca063f034010aff59a81124bcaa841522e79184b17a |
C:\Users\Admin\AppData\Local\Temp\AMIe.exe
| MD5 | 292d51ea3b5af4cc8f8b2be10d412b08 |
| SHA1 | d554a08deb5817cfc47c681794e1efd869e9f432 |
| SHA256 | b0b129bb5bd074726d68da61c5eaf78d8d0f9fe85aa3f40492a8ee9794138425 |
| SHA512 | e4d2dad82ad3d7a642357114a059d55d75f658a396af51980d6fc008a79e7bcfe46443ad0a03178571759470406c48a446a75a879d766721c75528fab273fb5f |
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
| MD5 | b6b4af8fbf269febc0926d02d698f0f9 |
| SHA1 | f9fe6585b8f9ed7de0d51cb2c10dd732f71bcdbd |
| SHA256 | 4745dbccf2702d64a339ff1a3ba38aaef5a21eb70cc1bb87fa881ca6d5d729e0 |
| SHA512 | 65cd453737d5a8a5f53e87029e04665f6c40fe5677f2c7d950b2101e80d18c7cc3c5a72c70b7ba2e7190c6b52248de217467313f9894b12c9c27d4247108c5e2 |
C:\Users\Admin\AppData\Local\Temp\cQAw.exe
| MD5 | c1a7bcedc26b5e9966c4feb76a371133 |
| SHA1 | e9e137ff46274cb06c9786177aca2451f7e7708c |
| SHA256 | d819e52be722e6637719be19f992c1d3bc686ba7940e48de2b9d473941abdb9c |
| SHA512 | 351dc8d5f245d88dd6278f2a722f41023e1ea893d281eb160326434892a0176544d01e6a0cee05660eaddf904d3d71ec9c99b361e917c3fdbb1346ed45f83e10 |
C:\Users\Admin\AppData\Local\Temp\EYES.exe
| MD5 | 4b68649811afc2cd551aa8deca743da5 |
| SHA1 | 76670886a9e8f0471bf9f6ab02ed92fcc4ce1ab7 |
| SHA256 | f473a47fa55ca4962bd4ac612002621144802bda20cde173d86fd3c24cb8fc5e |
| SHA512 | 184c77fa844aae6be72e7860f2fed3396341a3a14f3563194f8e09b54bb7ef14eb320f166788d307cf7084e5207a5545a51aa72438d0d26246f7cd0e64d73b61 |
C:\Users\Admin\AppData\Local\Temp\AoUY.exe
| MD5 | 1e78bc9617dcfea27118639640cadaa0 |
| SHA1 | ac985d96d7d4291ff4a18584a9a5f13b54551dfb |
| SHA256 | 8d4d0990bf9b0aa6cafbe095db5a31e8d9c2c8eaf5abd0e1a0693f071005d87c |
| SHA512 | ac78272768ac6c06586a2e7a4f0bcc139cdabab8222c0a4854ad1dc481821d896cc431e1e4803dc2e70c96baaeca2f9797254df28fc1fbbbc8e9d22a89cfa34e |
C:\Users\Admin\AppData\Local\Temp\EIco.exe
| MD5 | 530faecfd0aa624a9e01b28665e0d038 |
| SHA1 | 5910aaffd4627cb3154b5f24f3e9ce9c7b80f1c3 |
| SHA256 | e273d15b13ffc489ba2dd77c501af17beea4932e4c6c7f4de01290f23cc9f403 |
| SHA512 | bed75b551690dbac731b66aa8d61b67e1c8c095927bddac655b90e785a9ed1472a5bdc4c61b112f12cac7207bb5fed09ff5a7166ab8aea907967f74404ab7e01 |
C:\Users\Admin\AppData\Local\Temp\EsAK.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\UQYI.exe
| MD5 | 87da79a8d33962ab77b67346074f7d51 |
| SHA1 | 2e18116e3cc60339b12c4a6a18119ecc26b1f0a6 |
| SHA256 | 0c6be238638372da93d195ad99e678c025c3e4b8cd0b33ca10534d73ffd569e2 |
| SHA512 | 86f47e268e59efc9e99dd8a16db77dae6e34098c3d8951cda3e530403f8ab0201f5c63b1d328ca20cc31f892a0a99e5a439f5a618321a2811c9dd160d3020edb |
C:\Users\Admin\AppData\Local\Temp\Kwsm.exe
| MD5 | f033794c7380971b76bebb45d262a724 |
| SHA1 | 2db4b6d71c76a44bc54aa361ba0e86630e76b2d1 |
| SHA256 | 8b08c6a4d84376cdf9e109e84bf796d321be1376ac6539ad0e152e47a669af58 |
| SHA512 | 654f9c9ce01ad380f1f1d12cff092aba5dfa5d58132a5280cc1f693238f2702e22ea64ee3eb8668d11a2524d72777e2e4e2cb8f1ea45b7da8acc8aaadda4aa5a |
C:\Users\Admin\AppData\Local\Temp\iUgK.exe
| MD5 | af24577575b6fa2f3da1e634593404c9 |
| SHA1 | e39560fa344ef6bca58cdea29a777e6aa3b4b402 |
| SHA256 | e878001944cd824c525fe00c9ce6a69a10d2b4cc3a33ff2b110debcfea674219 |
| SHA512 | 3a5ad9974b22dd4d11c4640f32206bbd3166f672910444907963ff0af36ce6606e38a3130a050ed3e3bca0dc5f866f6ef1a8f8e1af79a3292d19452f45df51eb |
C:\Users\Admin\AppData\Local\Temp\uEwC.exe
| MD5 | 411302a4fe8d5cf723170f234937f8f9 |
| SHA1 | c909dcc313d3813aefb444c9ca78cc0bd5ee68e2 |
| SHA256 | dc0db7ed4ecd9d788cfa743fee3ac1004a470c58d2a255f3393b5f30d68a6936 |
| SHA512 | b16e21b6e020d05bfc1a793d116116b2b6ba95e091be9d1fc904853b6c1277bec4286ceb35eac455427eed3abb23254cc1e118af310e10a854a0ca67624b6880 |
C:\Users\Admin\AppData\Local\Temp\mQcy.exe
| MD5 | cbb2c535e32e308c03c3ae41d33e5465 |
| SHA1 | beab03339438cbb894d32303de1d3a32e83b7e6b |
| SHA256 | d3d2c384edb464922b197db6e7ed67b409bb6da98f5245ad9d8cc1523b936c69 |
| SHA512 | 4b95e1087a7588452ffc2262848af00a24ca807f2433f5a73cf8d12038174f33dfa48ea40222024980a18358c5d2194db09dc41408dffa3bf6ffcb5d5e65b6f3 |
C:\Users\Admin\AppData\Local\Temp\oYkW.exe
| MD5 | 401b6273a80908da8d3775e4738fde1d |
| SHA1 | c6da11519f25af0d2410beea25b76b38e211f50b |
| SHA256 | 6469d46df92e3822a491eb7a21143da268921158c08280517bac07e7925655f0 |
| SHA512 | 4127db48e4f9a86100c7b149b3ff30caa333f8f537c3e3433c77649541dd790d3f1789e9d5a2ad2f6aa6f0a6480f2ac4eef0eba3fccca7b15c1d72430cdfea6a |
C:\Users\Admin\AppData\Local\Temp\Ycoy.exe
| MD5 | 19a79cf5aa16440c0d004f4eac056373 |
| SHA1 | eaeb1c5a464e4c890769f906ebb60ec8d393a0a8 |
| SHA256 | c083943c35e3de652c66664d9ed060c7775f64bb9312427e3d16865f9641eeff |
| SHA512 | 55dc8a3c01a21f6ce0f70cc1ecbdb4f9516e4bf69ceb76d2a1663c8438441215ca4e0e7fc2567598997c4b8da5c2a65fd9d7ff6731145a5caeca3459804422b7 |
C:\Users\Admin\AppData\Local\Temp\iAYI.exe
| MD5 | 80377822b623d18b29cdccfb82c13f88 |
| SHA1 | f25c9ba0b888c6ab139cda02339fa86e954de300 |
| SHA256 | beedcec9877ec93d0fb0aecd2961aa9c6af9b3e7fb4fbe810c187eb7dc84e2f2 |
| SHA512 | e31669c28f395fd0de32aef446c4e045bed2a6c732d0207210632d65ccf8cb9325ad1e971712d0c728257e80c4103e7dadbceffd4eecf4806be22f7631704b37 |
C:\Users\Admin\AppData\Local\Temp\ekEC.exe
| MD5 | 2e502a539db36212f79f205badd06a22 |
| SHA1 | d3bfe3311ed78cc2dcb174e0e6ea95060404caa8 |
| SHA256 | 1fcb30608465163a687de9d084e57cc9931a16340318620d15c1eb72dcebe19d |
| SHA512 | a1911a0438c81ac81172a69e0bc7bbec589b7df1a8a515dbdfb073fd3ed05efdfee5afbc3c5209ee027b30912f29a601a0035b7f35c0e62984b2448ae6c65319 |
C:\Users\Admin\AppData\Local\Temp\Ccsw.exe
| MD5 | 620caab556777832e34409d6e54c0792 |
| SHA1 | 90f8c5e937c0dd22176070dda89870703bb7b96c |
| SHA256 | f9203382b58dfdf927ea5e0120caa8d27a6c5d89b54d7ecb0db06474781a18d5 |
| SHA512 | 864d4fabaa59ef3f9a59e5933cb1c1056259a8affd7956c8619ac274da941231f3d7a46b9e80256e950d2afa0228c33061e5b6235759d93c3336f3a2ee797239 |
C:\Users\Admin\AppData\Local\Temp\SIog.exe
| MD5 | f9b552f9f8656b162c203675a40eee6c |
| SHA1 | 836d69d80ea3fd74de96c9a3718c38a768cc8faa |
| SHA256 | 06e860a3e17624d3ff8e91ea0542f50467a109fa2a95f8ac63095317e42481be |
| SHA512 | f008323f12b497dfd12cb11e5950197728bedcfce52d5c86b4dfcd5834cbd56ecb4fa33d85c4b17647609ef62fe2943904f1ceca389427b2c3c9c933e4154e52 |
C:\Users\Admin\AppData\Local\Temp\CwsA.exe
| MD5 | faf027ec45f61968db1855be22e4e2b9 |
| SHA1 | 7a40356173ffd6d3d3a882a346b15b1d0cff039f |
| SHA256 | 3ad09d3e3a49b59c3ffb2e7fddff93e0de569df5400b8ec5feb8644624caf0f9 |
| SHA512 | a527a985f977de39b5658107fb0168ead22dcd3fcdf8be63ca31c404d7fb2bf8ef22a40b4dba92ae4ab40cbe0069aec98c761f4956ebdd37ab0cafdef187ef0f |
C:\Users\Admin\AppData\Local\Temp\CEMk.exe
| MD5 | f61a0553803a4efe04821ef4f8568ebc |
| SHA1 | 7329e57e4b93a187cc0e3458e396e70f86a2886b |
| SHA256 | e7b9ae4ac1dc7a0964cb531ff5acd27f6504ffdcd81352bd81731518f6330f98 |
| SHA512 | 66b09f61826fa03cb603e5449511a0a96814fd27cd4960aa97f64e42f6e3e207de4235f069a7f8df5ea9cbb19e210850fc831cc96793d4d2aef7b4da4d4d5ca9 |
C:\Users\Admin\AppData\Local\Temp\sYsK.exe
| MD5 | 3ba5ce050332b3729b238fd6658d41ff |
| SHA1 | 98ceae85edadb37ab59df351fff4632479e1a8aa |
| SHA256 | 67a86a2595d937fd8fcac0161172339b583e1cc3e1e0a8a454e2d65e3e0ee6e6 |
| SHA512 | 2d8b353caf3d86f76f62a46b614ea7e6e0f9bca8f1ea6502944c69e06451ecdadc79bec8e7bc5dd8bbf64ea8fbaa6ffc02077f28966087f3156b9583717e0306 |
C:\Users\Admin\AppData\Local\Temp\kQsc.exe
| MD5 | 41ae052b6214e698729e346ad86bdb41 |
| SHA1 | 66d029312e33422ad467f1dc50e8c6993d4e808b |
| SHA256 | 500e734cdb44ced16ea1126d7dc8f667828f5b195e4bb9a4dd31a855d1bcca3f |
| SHA512 | b99433c6c3d57946e0f35a52ea6e2517bf09c847dc5dc51fd1323603eee9bd686a89ee99b060ef86b0aa1c4e294a79c07e9f739d14a58aafac034ac6afb0fc97 |
C:\Users\Admin\AppData\Local\Temp\Oksy.exe
| MD5 | 6aa258db865d015dfea80fb06bf37040 |
| SHA1 | d7884d39a8190855fbb3a5a255f3003d96ffaa0b |
| SHA256 | f8dc885c78ccc39f490afabafc89d3e75742ebececf415c2c71541b744418a79 |
| SHA512 | 1cc7e2f8cff764ed661a676c6555aefe1f27c635f29b7bb5cd54bc91f18b73ecaab8dbea4e27dc5d439bfcfe9734c25b58fd837c99e85fc77b9a265730a63017 |
C:\Users\Admin\AppData\Local\Temp\Mowa.exe
| MD5 | 1c63c583b8d01312dde8128bb5924f17 |
| SHA1 | df1833af41ea8962fa7d5a399b5fc6923b443aeb |
| SHA256 | 9075b2c753c8acbd4d4ed69018c6d9f622bb39ef84bb61350a83c21c9d453bcf |
| SHA512 | 5cac4771e84d0f487872a6c5dc07615bffba27410853ae7439a1d7befaed27aa9660b88ae2a7faa7be9e12c33197eb8e3cfbd1b42aa98f2a98614328ab63185d |
C:\Users\Admin\AppData\Local\Temp\MEcC.exe
| MD5 | 6301a8acbb1dd144cb9da6926c3dbd04 |
| SHA1 | fc08df734bdb4052e87c8dc49330e1620590f188 |
| SHA256 | 38cb518d855d820cb08f4953035da49d9209721b092cae2bba90fcaea25f0a60 |
| SHA512 | ecbef072c94bed6a31fdd732d0c55dadcf7b802c07851ceeaff129aca16fb26832c33ed20f857985ad216a0e6423c106a677931aa56bceaf2aede3a6a3525937 |
C:\Users\Admin\AppData\Local\Temp\IoAg.exe
| MD5 | 66faf493c42f6c393cb19e2d5d326625 |
| SHA1 | 59f533982426876449624596af66c3a506926419 |
| SHA256 | 5dca505818c8634e548f545a55b9360bfa0a25319f9873f7156bef3e968b941d |
| SHA512 | cea13d5818057e4f67d840f3a3273ac5fb70b9a691a98806865c9bfeb7bd9df25ea1b145888401b88b505a091721f0b16f1d2da86a792c9d96c1a8cefef001a2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe
| MD5 | 4b33be3dd7ee1fe2747c4370adb633ad |
| SHA1 | 9320f68ca8452ffe47e6d3daf0859bc589d38fda |
| SHA256 | bf83dff04390325627fe3f523b8f52999c9712c262ccf1816c9edcdb8400f5ec |
| SHA512 | 9738e8ab23a9513db4b49a71c8ff163f5779f1323f684196e9aeba0159272bd8a1f6c9eaf7134349376bb36c44aeede29f20895658929c18129a0a4e45faa8fd |
C:\Users\Admin\AppData\Local\Temp\aMUa.exe
| MD5 | dff648f54532c5cfdb384d4805343062 |
| SHA1 | c738e868fa3bc47a2d35bee1c6ddecba2bb06dfb |
| SHA256 | 8baf88b65ff91ef079c5d731fdeb51bb8003870c3c7e66db2e8631dbe3bf5fd9 |
| SHA512 | 11a3777a43bd4f9393be4c2d0695a1242912789d19ad70e655bd0c414dc6b4c17b32b08a38b060138332a9e2f3464e87cc28a45a77cc134c6cf922b5230b54c8 |
C:\Users\Admin\AppData\Local\Temp\GMcC.exe
| MD5 | 2c604c7dec240322f28dd813eb5c6f9d |
| SHA1 | d4b5e7c89eff3eb7f9c74619d0165272e603d3b4 |
| SHA256 | 0e5fd956651aa520b257b0799d9a34a9a3f510ad8fa38e2ff0d54893646e35dc |
| SHA512 | 1b881433af3ea0c4a1e1aa6ed5c5e3a77f915484052c45f14cfd43d544fb024b1a5b39ed3770bad8f160ac8b0fe69bda2c63a15a4b9e456a35d6a43be9996790 |
C:\Users\Admin\AppData\Local\Temp\wEMu.exe
| MD5 | 1e0cb751ce578d44048c00b4832b30ae |
| SHA1 | 1c2dbce3b76195c692576462a052fb9aefd069fd |
| SHA256 | f4db30e0f871c8b819d6847160066751e936c3c31b0735e9da05e735ac0eecbc |
| SHA512 | 0b051860a25c553735bcd36ef2aed121245e076b1ddf86732781ebadacfdacf36ca19492cbd161f86645a9f7d032beb4a25d7e6beb346b617645b70eb4480bc2 |
C:\Users\Admin\AppData\Local\Temp\woEa.exe
| MD5 | 27482b005d4c5350fa31b774fea8024f |
| SHA1 | 7f6609f637c2e8718e66c1068f6b2b8728445069 |
| SHA256 | fba97dcf5fb88a99669f2966620b11729424ee1a9cf1c9009f072bc14a880d92 |
| SHA512 | 6222207df0c29ef96b70d935e507ece00040e5ba0611cfcecf289ef93060c0d2077255596869d03211021621cfbba3986c93317396b9962de0488aa337b4e167 |
C:\Users\Admin\AppData\Local\Temp\UUcq.exe
| MD5 | df9a6fdfbf8dddf5da70acedec5f9f11 |
| SHA1 | 1fcf8d834b764f885320beff3901e784dff534e4 |
| SHA256 | bf3c2296633c0245ee46fc4add4926129f5d7f94950aec4185afa090b179917b |
| SHA512 | 8cfb68ea6dc2cca59f8aeb7cc6e50a4f842d5690701265ba9ad6ae17f16d820cf4883012b31ebb8465a3964e2dd331fdff912ef47d9162cbf361a81a664311d4 |
C:\Users\Admin\AppData\Local\Temp\UUce.exe
| MD5 | 7ab61a868ada92b85e2ae46d58b9dc39 |
| SHA1 | c78cac897e20a5bc6d293acd0663a1b892682fbe |
| SHA256 | d457f13fe38cdb3899d775f24ebefacb946dc964dd0b90ac1b308715ebe73041 |
| SHA512 | e9b91ef0263cd2d86541c400e304fcb0522ad5f2cf813cfdf3812c2ff26af84c5e98cbc32fcd7702c69de61a9e5a66760ccba33b949ba503835380682de0b70f |
C:\Users\Admin\AppData\Local\Temp\WAom.exe
| MD5 | 8b9d3967d71bc9c8c890235862d3b636 |
| SHA1 | 3d1245d0be62c6dd0a050f3ae73d2d0a3bf0b0c4 |
| SHA256 | 534c5128663a6aa7c5080324a6ae2ac0a2ed7512430ae88f9c15bb97e8756cac |
| SHA512 | 9e128e2adf7ccd8d5dd770e716479d53757cc31dd63c2b3bebe574cc1615e39f826ca2b00b704d85ab005c79410be1e423f23930e89016b805a41391b9f740de |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
| MD5 | b4b02aa56df6ffa364c88734c73ecead |
| SHA1 | 28d684bd3bb86fa109e93808a31459479921943c |
| SHA256 | 660dfa29c304724b13a201552fe077f8314c36646ab1190f3e2351109414607c |
| SHA512 | 4bfb3a2120b34ac2b5ea458dc1babb9e9c9175f5ef290aab9e759e3209d87c4717f9f47f332e6a90e55e04a18dad959566fb74468d33dd5dc6a6f7e579f9fb8b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe
| MD5 | 081a10c206feb0b5756da0f8fff15393 |
| SHA1 | 1e397d606e44e1bcb64e5a84ad51fbeab78102a4 |
| SHA256 | c2acc217f2c61039ef6830913a9b68fb77f1ef7dcca51cb0a3e1137107fb5b4b |
| SHA512 | b9651e9faf895264cdae282274666cfd0c754c792ae55376c098ca41be0932d06785c41b2da2ca41e523f5f938cbcd429b42f16579b415d8f75431739adc72db |
C:\Users\Admin\AppData\Local\Temp\WoYg.exe
| MD5 | e7c078673fe04072e5c025cbcafb71f0 |
| SHA1 | 76a64d05fe982f921e0cda8699363f64070a5705 |
| SHA256 | e4702869e35a49b493f70eab5142db482b8247623c0d4c10fbbcd6a0a2ebeb1d |
| SHA512 | 8e55c9a1503bac3fe4b5112db9b18ac5f3378d3720d1dee8beeba4db2072a9f155cfc34eb75e85ebdc52bc850049e244cdf02ad96250b80fef36c256584e4530 |
C:\Users\Admin\AppData\Local\Temp\SkEk.exe
| MD5 | 9a325406463c4db6cb57d6d2da755fb1 |
| SHA1 | b60675c16956504809adf12f1cba2f17b9704e33 |
| SHA256 | 128fa92b55372157936821e3cab51cf9aef4f244e6ad0a9b01d9eb8a3cc8b339 |
| SHA512 | beb643a494d5ab1cd8c9d2d8ada823ae063da990c2b98b9b5aa5fc50dd595018fe0be3e02394fa19355f9798d2017d615efe29c0d2b2efa0298cdd85fb91cf02 |
C:\Users\Admin\AppData\Local\Temp\eMcO.exe
| MD5 | 379f01dc6b5a244ea36534e5be4fa36d |
| SHA1 | ed40a43c2e05a76b6b2c57cb0654ad35f64ad191 |
| SHA256 | a91346b2cae859554b34bea01106f738f5577d504fa7f320484a3c30a1a1c17c |
| SHA512 | 7d456eede480456e19dadd4894fe2ffeb618336b9c89041862ffb01bf1351e15248c840de0dddcf17095806da83382caad080d6325fcd6911905d453bb7c7059 |
C:\Users\Admin\AppData\Local\Temp\wIsk.exe
| MD5 | 85b57f4e9157d9ca3701d83ac7967874 |
| SHA1 | 1757bc0ace5f3defa6fa8f2941b713b5e77cc064 |
| SHA256 | fa745073f9feb02612341251d1023cd761ba488ed8ce4910471040937e886c86 |
| SHA512 | c77b25eacb8f29253f31273edebce201581d9f37dd8354e39b7a0e51ba3845995d5128be74e4bf6f0063d893dc664acd0f4b355e6b0aafc757b7e32dfd1bff19 |
C:\Users\Admin\AppData\Local\Temp\mggI.exe
| MD5 | 5563789076e808f98c230b8b03489e90 |
| SHA1 | 405092c829be14e68c079cbb2bcee238bf4f95bb |
| SHA256 | 38fad0a34fc8c6eda025509259653f7649f4fb4fc4d839e567d1f8511d7fe312 |
| SHA512 | 49ccaf9ff9d294b324237ad5a7c5c19493c13ac66c43882bdc48529609f6287cad522800077755f59975edcc600b8610a6834ebe2c9d11c6cafb8e90165557e2 |
C:\Users\Admin\AppData\Local\Temp\SwkY.exe
| MD5 | cb95fc763fc5e515ec66fd50b1092918 |
| SHA1 | fa8e7a35df6e01bc758e3712598156ca099e0afb |
| SHA256 | 1567e66c75af6be65487ca4d9cde3bc71e3fa0559c1aed3b222d924d01768a58 |
| SHA512 | 56c55f1db96efac9e5d3d508c4781b669bfcf34d2fe4ced7543b3c4f4ef44bf105e157ac46b9c1c6a829b4d2020a8c725da0553c39de506e1ffe9d7f0009c32e |
C:\Users\Admin\AppData\Local\Temp\yEoM.exe
| MD5 | b428f675a000e38c2e092857a0525a5d |
| SHA1 | b58801b5e872906bcc0e6cbe3aaa5578646df720 |
| SHA256 | c62470bd32ca3d68ce16164dd6108d025d29bb081de614d18d618cd00ca90791 |
| SHA512 | f4a6c27007a5985bbfc583f8c87bdf03fada9bea435448d2ebe5d1b99bee7b8834a67de042d2f1d66d6d27a1541eed1a6a71cac9f301a540a48117eef52d99c9 |
C:\Users\Admin\AppData\Local\Temp\kMMW.exe
| MD5 | 382cc7b33212252180ec658e9c60c6e4 |
| SHA1 | f4e4245272dc251400408ce3010f9539606d31e6 |
| SHA256 | 5f62c05e4bcafa20ec887d24602297ffdb30333230f1b6b36bc1ca07c29f8dcd |
| SHA512 | 0cae4772390afd1a9370195ba7e8090362f2b4a2387904a8b2dd5af75ebd786733c3dd32787213280749a4d4c3c3422af44ae449cdb20deded0fc9c4afcdbec0 |
C:\Users\Admin\AppData\Local\Temp\gQQC.exe
| MD5 | 3797847903ff62fbb60525b6e6aeeb46 |
| SHA1 | 500dd185605f42ed7f592b300c112366ecde32f9 |
| SHA256 | 678d844bd94f32c0c43e0f2ef69d6208ba26ec3ddb96eb1d96c97d50352b8d91 |
| SHA512 | babcc6cb418ae7564630fb239ad88178d66ed2ca1790e2102ad04ac44bfca45132e1544f157c626b85789557a8560664ae78217134af328a4e90cd875c23601e |
C:\Users\Admin\AppData\Local\Temp\mcQe.exe
| MD5 | d10d7319d546575e820b3cada19a0458 |
| SHA1 | d7748288513fff7d4f6814c7193e50c97744461c |
| SHA256 | 5bc1c05f91eab6eff668960d320a1ef986cb6adea36378a11dcc8092b092b447 |
| SHA512 | d8a70365e0c4fc39da4eac05e0474177df249c21edea8feb0fde7fac165c55f9bc21441dae8dc91b6bca960aa0982d5afac6050e01a004be32230bbaaf361b5a |
C:\Users\Admin\AppData\Local\Temp\MIIQ.exe
| MD5 | e7904a425b39e14796357667d9815685 |
| SHA1 | a32edece0c9ff0bee4d25658427058626f443ee4 |
| SHA256 | 6cfe107492559deaadb065b8aa122c7bed5508fa15f2d121dfc4a5dc9ae29ed4 |
| SHA512 | 918349fd0f65fea6234652b4d17a2771b4f0b0f7222f4faaeb97d76abead74c762cb9dc39120362becc05e8b49a30934451028392c7b77b2060b18674b32bf07 |
C:\Users\Admin\AppData\Local\Temp\AYAq.exe
| MD5 | 1eaf596803fca8341f5057d7c0a6b06d |
| SHA1 | cc4efc31ef9ea8f84c0097bd5f45c37fd43f5cde |
| SHA256 | 87234e1789e6f22d28ddfb44b4e7efb6a3545ba365749b2c91c947012494142b |
| SHA512 | d2a81699700414e4540f57e0c6596783ce99352591b38b14ada1899688da9fd77b5c669b1cf847990645af8386dc912422052232bd8f3b42e61a1286d0952102 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\96.png.exe
| MD5 | e830cf2a926b107d5d438c6dd04ed6de |
| SHA1 | 019e527c76018660319aa56e9151329bd73c22b6 |
| SHA256 | 90d11b23df57c175b375da317b04fb926a7145deddd9f0b70ade899c674d683a |
| SHA512 | 207f9cbc370144b66191321d54b1581da7c4571b5e4296d8983ad4f8497943c5b3f58a8fcdadb6be59d11d3d898f7cdf57d1548d178ed591423c4a37a3d72784 |
C:\Users\Admin\AppData\Local\Temp\wYcu.exe
| MD5 | 08ffc3a5fe2d8aa068a97bc8690f6a02 |
| SHA1 | d77aca012a4b776e3841b05d26299d8ec100c075 |
| SHA256 | 9cd2b9126c9429ad6dd13dcae7bb1af179428da1a44ca029445a990fbbd40f20 |
| SHA512 | 823c4959d354b56bcf5f66f8a025a7cc4450a787b44052ba4a5e2a8b917415d0ecce489720829f92f5202fd94b5540c37952d4bf8adcd5fe19e89325f991715c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
| MD5 | c64b4e901756465a030661bc3c8d1eef |
| SHA1 | cdd8cc6fecdb1b953932d90a827e92d7c1c6a5cb |
| SHA256 | e08c580996c26cb3f1ebe15fe1b9f6837694cf57a9b8bfce3a17a292dc7eff6d |
| SHA512 | c275696850f761c191cf479a37b3139f00a05e41457f11ffb11e6056bd69cc9af653267f3a82451cbe722e19923c5e885ffcdca1c660a7c392c2204e1ba4b76f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\128.png.exe
| MD5 | 791463249b095c646ba6543c70a18c99 |
| SHA1 | e97f68fe665decc59c64966843944d3ec9f876c5 |
| SHA256 | 8ec9254d01d901c4f1ef0227015e2ec6ad0ae45b242f85301fa4b7b719333c49 |
| SHA512 | b5fbe9c4534bd907f7c4b53ed5eb5c984da6ffd50684cab312967301026a604b265de5411576de546ba844afdb625d80236dca9de92851e32d5d9572aa7817d1 |
C:\Users\Admin\AppData\Local\Temp\SoES.exe
| MD5 | 382fe7873f36550995452b9c3585e84d |
| SHA1 | 7eb1f0236e23782919ef0db84840ba7331cadad5 |
| SHA256 | 88dd0ffd173d0ceb483d90b1b9af931b927bd00ad8b77d24d3fa5acc3fff5e50 |
| SHA512 | 85dab84f0696d64f259efc1d4ce7cc76146c9d3b538af7a62fdd04992509b46b9bf3c1352a4a831713c8c19f55093df9387e7f466b5cad864e162054e6a4b884 |
C:\Users\Admin\AppData\Local\Temp\wEoG.exe
| MD5 | 83b8e13253f068cd050ebfa62a6e4bf8 |
| SHA1 | 35685dc4b9c11fc64ac9274c1d55442963c7758e |
| SHA256 | 5cf5651822f5a227f7523a9563bc5d17ea38eb905891746d6512429595512f5d |
| SHA512 | d57f3c59472714ed8795eb31b65069d0dd171fbe357d4d14ccad9842f1901fd8b88d7986a1299160ad82a957c7d0d2704ce29d910ce80fdcf5c5035178393dc5 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe
| MD5 | d74f30803430bf7b20da8ae7f1168ce1 |
| SHA1 | ada6ea259dc14e6b53a9619088d9667a714ba647 |
| SHA256 | d14c6aaf22f0c13fcb051e5f2427085728e78847cc4f88e49aa2d09147a39633 |
| SHA512 | 8e3e4a9c794ea1b7b913a312137cf161a232c6c811c641892b3e95ed9271074d2ef7bd83489ca1417365da0153a79d8b87d74c5a4b85825d8b7d2822a1bc2160 |
C:\Users\Admin\AppData\Local\Temp\iYcc.exe
| MD5 | c8aca5c4af27e65dd22f643372b913f2 |
| SHA1 | b34da2967336f7dd800aa7e192e417098b70c4c8 |
| SHA256 | 91a8cc7d8af85a2e8796d4527619334a9110f9ef07427c54bd9b1c6429d1b98c |
| SHA512 | 762496b909b128598e84af8533df72d6cfee4cb7c47b2b3a49d9cb84f6bfa1d475dfd5a31c0482d8af3dc22504e8bf11c166e8263fe95421ce56bf9f402b367a |
C:\Users\Admin\AppData\Local\Temp\cAcA.exe
| MD5 | ff62d9043dec50a6f3d701c55f3416a4 |
| SHA1 | be9bd7e5965452aced1dfcc6eb4dd2a4faaa2897 |
| SHA256 | 33a0c855d7663cab5f9323ffe8fac2b37035bece7646a0ead6b6d7e7f27771ab |
| SHA512 | 2ac8fb1b940106d57a52442b8012039bf0d204dde43f9ca5428c82fe5b913d9a0f4b4284711b260dc7e770ee741e45a2656045e7f1d8a74ad571ecacc2bfa226 |
C:\Users\Admin\AppData\Local\Temp\gAIm.exe
| MD5 | c9c716dc32ccbfd17eabe29066a0451c |
| SHA1 | 5073b03caab6977fcae0826df57be187a3c94c05 |
| SHA256 | 1686f094c93616e6e31d84b7276dc53da1a126a146205ccca6e61419f9933dad |
| SHA512 | 6a862695cba87b1a8966093bd03a7b9c550d4ab97d084ea85e36dff38070052c51b54800b471da7f280f7b48e613fd7a12599bac24ad41477a1e2eb79b38bf81 |
C:\Users\Admin\AppData\Local\Temp\KsUe.exe
| MD5 | e32b6749742261be96fd701469dd7150 |
| SHA1 | c2e5cf470c2f0b456808c07403439d191c02b0ca |
| SHA256 | 9caea9f18bcea6f1ce4f19d855ed8a5f0644af16eed6beec12f990c8cd9526e3 |
| SHA512 | c7774cbc920983509091b6a3812ec643c3378ede231c4dd56b57b7d86cdbed181bbe9d1bbe1eea98a609b37e35884e080db1d2f64b9cc46d6726cef4a16f8583 |
C:\Users\Admin\AppData\Local\Temp\gkkU.exe
| MD5 | cc054503125b99176d9c9b49bf4dc81f |
| SHA1 | b79663feaa4d6c8f63628b9886af93c34eb6477f |
| SHA256 | 9781f9a48a41648680a93f9d2c2299e0c2ba7312f79ac11df4fc17b1c36e2472 |
| SHA512 | c811b9d56579d28e826b237a0db05260fea80db84dd464bd935d4fdec4f62005d1d7dd5833721d392f189670965190af018c477ad4cd1391b2205ccc18af5678 |
C:\Users\Admin\AppData\Local\Temp\GoUo.exe
| MD5 | c80e8b39ff6d2b7b7b34c6086c91028c |
| SHA1 | d3429e481782befc4d1b4e0f3fd64f8f702b75ec |
| SHA256 | a52f0b7747858198086e9ae149feef0944567026010cf159d573f2ca588c5722 |
| SHA512 | b99d55ed6ef42d0ea5f905be8fe9773f9d676706436f1bde78265ba34ae89602962b0ddb5494f5025e272bd5be25179eef404414f63f6cd271b76d028cef667a |
C:\Users\Admin\AppData\Local\Temp\QcIc.exe
| MD5 | 1baf7fb54f0b3f0c813c94b528951504 |
| SHA1 | 72821c021d6f6edcbaac1bf9ef61eea158372e8c |
| SHA256 | 1ad0b313b52a0757e7fe1398e7be2cfa31671b8c320b02c8b4f56bd4d8a7e952 |
| SHA512 | 52cee769076531ffa73b0ec0d9c99bd037622818acf50cc96fcd62e73b14dd9865600f28826dfb0234ef90dc99fb0bfdbc833a0209d0b4e674b589e4121cf698 |
C:\Users\Admin\AppData\Local\Temp\aMYC.exe
| MD5 | 5a2e427eb109396a140a6e2fa46f5baa |
| SHA1 | 82aaafdc847e2ac830cde16674d6c3fb689c6e26 |
| SHA256 | 7e7d4c230bee27ab782c434ac9f55d3ec8d9f59cb74f94e9d801810ae01dbf3a |
| SHA512 | 30b01543e12e56233c2fc9e19b3c887bf78487fbf59a1173550906a0c12db753159bab86a11e2474e39d5cb0bb09f821c14955db6232f4c2acb01f5f117d64fe |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe
| MD5 | fa28803eac5b35d3808a2bc777c80cfe |
| SHA1 | f3f2c10c3d3418afcc02153829ea37ec56d33381 |
| SHA256 | d49ee97811a3c3e60f0c501d9b008b94c7ba01e11a34e2ec4e84c8d2527644ab |
| SHA512 | 369f4ef980d9a17de5757d27291b02b643293fc3f3cd4f61d9a8fc432ed689e6bdd2d60c329c94c2fce0bd6811170016e45dd293c794aeee96f4d99867984436 |
C:\Users\Admin\AppData\Local\Temp\qwEK.exe
| MD5 | 5686a143fba69ac77f3b36336e589616 |
| SHA1 | 927cdeaf8e60c07ca866bbf34393e00d6a097b5f |
| SHA256 | 53a21fad6f6a36bfeb082adc33968dc9e0e00fc14cf0532c545a631578d0ffb8 |
| SHA512 | b6ccf0998d7af59a3a437b78fb7b3aaddfd21364f81132b67794ee4d236b78687af739ff811d74536ea673af1b41501145ecf32b67cb1debeda23dc0691767bf |
C:\Users\Admin\AppData\Local\Temp\UIAw.exe
| MD5 | 6e79ba98b5af4f0cf7df530509638267 |
| SHA1 | 3b7fc22d5871e581b4a6c7b4aa563352728170fb |
| SHA256 | 6a65fa2806462f821e2d5d1f784b1788b6c3967ce54930bb18d42f5c53efc776 |
| SHA512 | bafe98441fd8b8d4f3f21f219ee09bb169279aadd9880b7b1b3db10c895db8b83b4afc32d30f5c658a35f87adc5e20f3e737fcfaf41bcd7c6da2b76cdaf17539 |
C:\Users\Admin\AppData\Local\Temp\yUYG.exe
| MD5 | d5f2f08443d3ea94c07041adcb57a728 |
| SHA1 | 000cb285747bf1800035ebfd23025c940621694e |
| SHA256 | ff0df25c8dfd76495c80dc4d4c1ee48e7c9e5117d440ba088242219bd02ba199 |
| SHA512 | 9a19d33eddc688c475bb0e5ee653d33d30f3a2d7dbf661aa01a88e7dff1175e264efe45bddc6916fa8ac26f440cdacaf615bad21615a359b2788ecb5c5fda807 |
C:\Users\Admin\AppData\Local\Temp\iAQa.exe
| MD5 | 31e0484b58120c751b5e82038e835144 |
| SHA1 | 19d45c8438c8e020836e9f581e9de41d667b8702 |
| SHA256 | 815a924eecabedf9f7322e347acdd9d2af0035b1b1b33a5d30debb64e714b36e |
| SHA512 | 93b7344614163d9a0f1b19493efaa10882f6b130e76d738e7641fef27e1864a6b8dc6438ba72855fdb62b51791ed0a5af81467e4f113aa6d29f438af3a967184 |
C:\Users\Admin\AppData\Local\Temp\uAwM.exe
| MD5 | 4e9a42315a89059f27f3a3489834a631 |
| SHA1 | 9bf3bd374af27824f01f4920ff281ee7d2134aa9 |
| SHA256 | 4fac6163a00d941ed343be43fb99edc33a6cbeb5a06e53904805371a7da5631d |
| SHA512 | dcd32f9ca25ee1eccb18245fccc2e279480324e94fb426c7d3656ee568093948fb4da63c23f4aadf3169f9bae761b86a3c5132784511527d480fe9b38db3d16b |
C:\Users\Admin\AppData\Local\Temp\kgYY.exe
| MD5 | 3e598803bbc32b814faa66f6cf7dc700 |
| SHA1 | 93deccd5b221c938ef51cc59ad91a41e74d14611 |
| SHA256 | 75feb218e65824ee15b888401c12012f9e574cca1d566bb3c2200d61199de5a3 |
| SHA512 | 632ae98a9583557badf8791714dd03f96dab85a080f366b4eb5ae35b618c97b165ffac838b8718a6f77d87d2eff98705bba4526cb24d45c5006b514df9f80d16 |
C:\Users\Admin\AppData\Local\Temp\wIoi.exe
| MD5 | 44fa7af5c02581eef551ba0cbd59ca1f |
| SHA1 | 7a1bcf3e1a7fcaad2a9a99531b259fb0203ea29f |
| SHA256 | 4d0c5e808b00ae44ab6d2d4022d533f5a0b0f9a0dd864874d3b71bcb4e6fa60a |
| SHA512 | 3e2ee81e1c1aea2c358586855310ea3bd76d4a1eb3016df956f06e1147f098329146a08962a5c9bb4a8e17ce91aee21419780fc3c32f67557e76b975dc7b1f07 |
C:\Users\Admin\AppData\Local\Temp\EIEE.exe
| MD5 | 2c51168fe170a4768a0d9bfc8964dd5b |
| SHA1 | 4e64451798251923e9a9f1cf9d0fe6e8ea6db75c |
| SHA256 | 45bc4cc6473e34afabed071ca0a52d85e38b77952256233e071de3ad320f611b |
| SHA512 | f573db54ca3bcdff30915081f2b404cef8599a87a8ea4bd3bffaf462070903b86ee6c9fc51d2895cb08c5e0d2ca1aca9702f432944311aac3f3041c3bd2ad124 |
C:\Users\Admin\AppData\Local\Temp\WQsS.exe
| MD5 | f0c7cc43cfbbdf43df7184842d046cb9 |
| SHA1 | 4514aab10c6869c1494b5f6a97473f55e35218ba |
| SHA256 | a3c2edacaeb2c7a400d42f4ebe7926a8756ad10060014fd6d86a16977ed405ed |
| SHA512 | d45ccb2d72ef049de85362fbbe17656d1678be65875f1d52165ff48952b0eeaff4505ab386902d80de0a0f6be4e4b1ec6f0c86a0dfd44e2fdf3749acd8672f9a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
| MD5 | b28a974f2b40285e1fd7287713e7f84d |
| SHA1 | a5ab701520f9046f9fae95559a1a7a3a06df9ec4 |
| SHA256 | 8bfe76af321658858137e258970730b7e9f46b2cb18695ea7418abeff1573d33 |
| SHA512 | 123164952ad13586f29693cebf7ab79351f7e328ea9fe54fda1dcae2803fde58172b63ab51e3839818ec7ff868e63a71e033de272ef5066aae11e84591e86ca3 |
C:\Users\Admin\AppData\Local\Temp\gooQ.exe
| MD5 | 713b48a05a3caf4a7dca38010c60283b |
| SHA1 | 6842f9f9be2b8674e826f5f64ffba86b7dffb6d1 |
| SHA256 | fffd33f6f8562fb1c45722ef733d820ef338844a88881456fac7d618035572ad |
| SHA512 | e04b631ab735a1b663f3ca2d2b00c4ac10a860e2ee7781ba0ec3b2bf710dc10216145c75b3d49dd6473cf9ba882a779a377bcf0c6f7f80d578a00dfb60332dc9 |
C:\Users\Admin\AppData\Local\Temp\ssIM.exe
| MD5 | 3ff813177988d0527000295b66087054 |
| SHA1 | 646a3dc0edbe1090fa565c259b5301777f4ab312 |
| SHA256 | 3dbea21c6e28c2c1ecda43e51e3f6a6b4e39ff2fea078e8051d2e2d4d2bdb922 |
| SHA512 | 6b12448d10ad4593ac911129bd208167557720c53313ea34e6c434991aa72496f3efd18d530a6b4e538a235ae1b88afeece4a29749cd6a659ca5f7654df8d528 |
C:\Users\Admin\AppData\Local\Temp\wQAW.exe
| MD5 | 3bd4a4c15e9f340d47776c57e64ee1fa |
| SHA1 | 94acaff0f36dd256351e75423870e7eec6458a18 |
| SHA256 | 04893dfb86e18b3a99843a19ec1c1bcfde71edf8198af6bddf3293b4c66bfd69 |
| SHA512 | ba8dcb0df1e9d690401f7be5bf1b4cc49a4e502662e20e1e3e8514b8944687c061de65968a8a899b4648daab11b7f42b6bfb48f7d99b68ffea5356dea30c227c |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe
| MD5 | 15b6549b568c1b56e2b7f455e10bcfcf |
| SHA1 | fe8b0c58ba11ea72711d90e4560d4c9744f05f2d |
| SHA256 | 1de874fef56e507412d543f7e24f04594f1767ff492b5cdde51c9e960e5b0b7b |
| SHA512 | 9f5bcb00b06baabb664eb8db29a85695feaa80301054863cfecedc574ed1c63945ac06238e26c52cd6a9bcf5ee9fd928c4dd66bee77389e5dd6f863ce1619a44 |
C:\Users\Admin\AppData\Local\Temp\cMQu.exe
| MD5 | 01f5152adfd904d640f5890383ff0043 |
| SHA1 | 22e413a69087c9ac10e1965a2882bead148aea16 |
| SHA256 | 6ea79c9c0b061dec6f35e217c654fe7688cdc48586eb8e2d09b6f911580f4531 |
| SHA512 | 080fa2bde1fb772380d5672ce5ee419b6c8221980b3b0bf3fa897f6b750734e5cbac34cbba0a57c83c3c122db2a54362f8a5aa68092a578e0d72c6f9bd36dcd7 |
C:\Users\Admin\AppData\Local\Temp\EgkC.exe
| MD5 | cd9e5d3bab6b2305186464de067d06da |
| SHA1 | e6f3285554fc74f3aeaab2021e949ba47fddb810 |
| SHA256 | b2060bd5ffc415429daac607c044f98e32d21394cc25f3694de44900c19f5e5f |
| SHA512 | 0ce13937e52d8a5c1d9055967272870d57b8c8c1bf563b2551c694e9dd3cec25744d6709818833b5021bad6d8244760b63a5666a3b9a51ef4b7322bacc2528e3 |
C:\Users\Admin\AppData\Local\Temp\WssK.exe
| MD5 | 9e67f61c7f56384545c67707250c176d |
| SHA1 | d93ea08fd9d5b7a072515003f2cb0139512a1484 |
| SHA256 | 3983db52e67851abe60cfcffbb2929a5777578804b6ded8fb2126ab1d6732f3d |
| SHA512 | 8426180361ef8fa498aa29c64c824d04fb4267898a25e48414dbe4703991e0540c07836799a002525e4ff1acac6eb85c01f5a9a7b3a0e523fa3477f27de53189 |
C:\Users\Admin\AppData\Local\Temp\KEwO.exe
| MD5 | 3ae54058b67098ef0635c76063102c18 |
| SHA1 | 92f2bc66df9adc5f710c6db112f2bbe887ef37d6 |
| SHA256 | 43fbf26acb5a8e1f5a24094dddb9b44ef159ab0a12dbc950aa670edb2a071353 |
| SHA512 | bd07301ef2c0a639d3e8829371f3ed56e155b6cc331079d3039746aad3f7e72f0fee62e8c2183270733d4b4fb5b4262085b696ae6f311653b0418eb2b4bd30f4 |
C:\Users\Admin\AppData\Local\Temp\Ysgi.exe
| MD5 | a16e264654c1f19fe15ad3da8f6d4fb0 |
| SHA1 | 6995eb218f6b06c5f400f99c943f01d0a2a0fb6b |
| SHA256 | a1c75bac0ae8cebcc4373c007882b6fa2071e6843b442434b852b7d5d45116d3 |
| SHA512 | e43a9afa2a21d2bfcd1288f11e7a5f58af15336e3d8e7fa30ce508daf72d8f272496d36bddc5440a596f205bb53add995c647c6fe980d5443b33a82ffeaebdd7 |
C:\Users\Admin\AppData\Local\Temp\Qowc.exe
| MD5 | 795919fb54f186c137efb62ece2b6411 |
| SHA1 | a5d03458e4724fbc6b6314b2166f0a14c6b6e9e8 |
| SHA256 | c1f668fb7bb0cdfeb9bf8ea2ffc61585ea205eb2ec96064d387810b356ab9c6a |
| SHA512 | 6e81f7e5f8e932ea1fe48caaf2e5927791f5d3e324549d9e089fba45cb8fdaca998c0e55a33efeb1a92c0f9c31b0832c7aba802ebc7720f26aeeb031bd364233 |
C:\Users\Admin\AppData\Local\Temp\oAgw.exe
| MD5 | ca5f6bcad900de7b0c929d0d3fba38af |
| SHA1 | 2dcfae0b4b8614902eaf76dfdb91615c6f1357a9 |
| SHA256 | 15dc112ad0ebc0e720e36a05c11d23be7c63d8bd202b4e68aa25994c9394e217 |
| SHA512 | 58c2f2cec08abd6e131e48d363e7929d3b7fe12bf6c8e7498a0da4c4a7b5506d411df9de1316405195b22f0264aeafd1c5a85adea2fb314f9090a9f1ab74e05a |
C:\Users\Admin\AppData\Local\Temp\IIEM.exe
| MD5 | 7aff7dd4c228800cdc8da899487b0c45 |
| SHA1 | c337208ce9f989eed96fd79b1a3bbff34e6626fe |
| SHA256 | f7f5ed7838db3a121e60a19f2e16d441ae10cd48a4125e03cf32a4a05d664d94 |
| SHA512 | 0684d0d844c20aa42aaad7cf48cbe3f2a6b78ead4f3aac415077fa6ca91c89af7172aea2d4e8ca26cc2ef89cf2ee93965d057c3022a362b63c8587a43fc9d6aa |
C:\Users\Admin\AppData\Local\Temp\wwcA.exe
| MD5 | f944d5cb25f839a73f6fc73db6bd5d9d |
| SHA1 | e0f68fc5f1ed1c632c2d31d042f8c5d7b328d5bc |
| SHA256 | ea337294b88d853da5adf14d5cc7d107a96589aaf3de4fe486314e00cc739241 |
| SHA512 | 7f2b44813df04e6024a7af5081349a51507da1a101dfda48bfb6eb3055e0f368041d56d13b2d4afbdc740f27588cb777945039ab5d1732acb419a6df1ac342ce |
C:\Users\Admin\AppData\Local\Temp\iogy.exe
| MD5 | 7c5407217a9fe03a84bdd8324d96f12a |
| SHA1 | aaaf4db420f60b99a9cf691dfc8ef2c7731c7f4e |
| SHA256 | 658fa2fde9c6488d8ea3f7ce6177fde931ed748eda31b6b20e642ee747e46bd1 |
| SHA512 | 72a3dce8c9b0bda92d388df4933958945b8163a14f3b527152bc2b8b2731976bec56ec920974139826ace5d7309492b2f5352cd5509dcbec2366d31bf81563ea |
C:\Users\Admin\Downloads\ConvertToCopy.zip.exe
| MD5 | a8b8c6e538feb2140042b8bf40451006 |
| SHA1 | 1c82e4cdb4f9686f7aa5a5443dbc89be4715b0da |
| SHA256 | 2e0ce8905c81e771a14f0cd3455ab87a78d98eb5223336fe14fb1cc7bd9d2f94 |
| SHA512 | 4a1008c5fd5599272845760ff5eb6c435b6a5fe842d91f3ce234359a77e0ef02cc2826985836f1d79b86ff435aa462dce75ac8a01351cfea7b303a775c4c12a2 |
C:\Users\Admin\AppData\Local\Temp\kUoy.exe
| MD5 | 2d33268298bd7262ae4cb7f8f54d7c8b |
| SHA1 | 419c52e1a81d749586a022fe6468cd1e2cb0a6d6 |
| SHA256 | 07e680c10625d6f34ba48802eee8ce828e01a44167d546faab392a6923c9ed95 |
| SHA512 | 74bca695ffb71322d09a1d0d6fd539289c0ed1658725a748033ce6112ba4a0ca3aee3a06f68859dff824619fe21644ca06e505775c31eaf6a911c363d751ff11 |
C:\Users\Admin\AppData\Local\Temp\oIUg.exe
| MD5 | e61a85e745f63d028937935517aaae01 |
| SHA1 | 8d0196d8ce8d63128343174da9446752aadbde28 |
| SHA256 | 9a6e1db7d9877a6f9cf2b1b5126153d07b9874abd2de10fb5d0c393f735f4dbc |
| SHA512 | 2ddcebe7f5198816a89e7ae153cbdf04d446da7ae33a7a8143d90e11ea8a712ed2d3a3a19cd82c952730444ea84d864a0b6fc72524f248b6e60d6d640879367c |
C:\Users\Admin\AppData\Local\Temp\wAIG.ico
| MD5 | 34460862c89281546603585eba87f992 |
| SHA1 | c00e6558b839be12b54316e87116042454cccbd2 |
| SHA256 | bcb253ea3735a0cf0a8c6ee06c14c884937c64ddeacedb17240e40d403577620 |
| SHA512 | b21fbe3ba5b0a15dfe6d5797dd72fdfed7798748b1acc8846251ff1f58e164380a0bb2ff40a110f2b86fc6ba76abbb8cbe7a148eff697ef39a5dc4d1448bfe67 |
C:\Users\Admin\AppData\Local\Temp\YEsC.exe
| MD5 | 8c3135f31fc8beb29a8821d14c857a90 |
| SHA1 | 50b1f8588850805d883971721777bdf76d659591 |
| SHA256 | 3e932a09bd715af75df08bc2de7b2692562bae9970a39d42285dbd2708a3e1f0 |
| SHA512 | 7f58525fe54b8db848d5c18c999a92b1f3afb8477a4ef7c15336e1164263e7ac530acf9d3fa1568c95a573af58930ccbad2fd0ff3dccd8ffc802a73b80b544f3 |
C:\Users\Admin\AppData\Local\Temp\QUoU.exe
| MD5 | 29686d1f5f4496ca3f3b7fe9ad8af11b |
| SHA1 | bbb2377fab0ffc573decc17a656e1c9405048bfc |
| SHA256 | f9650efd526a2ba94bfa625a83ec2422d45b11e81697df9b1ff9bc445efda1db |
| SHA512 | 6211a65aa33b47e2aedc9dc6cbcc62fb2032f4e2632343cb78c6702e452aaa4720f6f12e8d7495e4f1b147e2307df2c137c062c46818f652a8649bf8e6fdc903 |
C:\Users\Admin\AppData\Local\Temp\QwAe.exe
| MD5 | be8ba8ac4e1f7484e284363bfcbb63d1 |
| SHA1 | 43767ef456f6daf9ae1d3131a9259a421ab69cdc |
| SHA256 | 40b29b39a3fc2c51f235dce6dcbfc7538cf27799a495092d12ea33e39a6af031 |
| SHA512 | 7866dbae1b6cb9dfabe970713bf9a874c7dbd0689ae318bce0042e38c4746fce68639fd10987874297f2e7142897af0fa2708f00fd42bae3085c4112a4b7a935 |
C:\Users\Admin\AppData\Local\Temp\sQEC.exe
| MD5 | 2f9231ccf446682ee0864818167f5383 |
| SHA1 | 92d2ef82ffa635cb1e7ef68e25f89b502950ab7e |
| SHA256 | 653e3d0fd154112bd150f3c18123e364b0419953569864ba90c39e5d0797f030 |
| SHA512 | 01e475342e28d7c267d42b8b527fff0493ecb4f0f8dd8ad215d57fc284a4f6f2a723fd401788571e32723e3c7e6372f652c9e40282e786aca304d7338696c3ca |
C:\Users\Admin\AppData\Local\Temp\YYkM.exe
| MD5 | 9fa3a27b76f1d50a14f452a02080f3d7 |
| SHA1 | ffd9cea84d9a14d7cd5e90090298c41d43ce83d6 |
| SHA256 | 58ee30f0d487214218ff523a8bb36253386e7278af2aad679bcbb4273a5fab2b |
| SHA512 | 71bfc1f7052c49127344cc51b855e7555a7115deb68f9e04e998144cead8e46805bfdac6b50029354bb5a45ea8208d83b3b2ec915179a4fdec5501c4e8e75260 |
C:\Users\Admin\AppData\Local\Temp\ywcG.exe
| MD5 | 487e473c074e9ad724bd3eed93cfeef6 |
| SHA1 | 225161ff5ecaf89759ea3f37cbfc91f093224532 |
| SHA256 | 6b0b29abcb1a8ed0898c52d74a91149c8fa49a0af48c978d100917fcf5147e4e |
| SHA512 | 37da79ad418dee0ba189315ff4ef5683770eb096bdad0cd06536371a48fd855df9ede1657251fa96890d0cf8237fd4dc6c4638e6fcf01128cba413a73e63456e |
C:\Users\Admin\AppData\Local\Temp\skoK.exe
| MD5 | 27db95137b39ebf1a2dff163bfe6f929 |
| SHA1 | 6527481391174ca7960c2edcc0ff6ac81d428a0c |
| SHA256 | 9c241dc990e62ad02b55c1e96089df384977dfa440ecf057a7c755c407e92ce7 |
| SHA512 | 0f5116a69aadbdeaedadccbade3f2025b0ef01264df8a1bd2a420e81f72e9c19ab82be7f064500af232c6c63d10cb1443b49f215c4d76c622ea31c42c94d6b57 |
C:\Users\Admin\AppData\Local\Temp\KowS.exe
| MD5 | 02b7760cda4ff95134d1850c00291dae |
| SHA1 | 9bb8ec16fa8f68c64aec3930d1fbe59c1bd07da2 |
| SHA256 | c9d883998780db7778d93ba997635e66919dd4aa8012db3bfdabbf3ff5f55405 |
| SHA512 | e345578ef3e1fc2d2de3885dd98acf21fc6152ce47e97b8a2f54974e532acbcd8bbc2c1c11a667b56b0e24899a401d58efef738484f9d0bbc6072842986eaf9b |
C:\Users\Admin\AppData\Local\Temp\eIce.exe
| MD5 | e0899a1ed2dbc090e49808166526f263 |
| SHA1 | 7aa0a606207f625d849eda13765f8f53a1de3dde |
| SHA256 | bbcc6973ce885e21a82123870fbc1fdc7f44bef875ade4d573c2c22ecaebf492 |
| SHA512 | 3fd7183a741f3def2ed9276fd9f5127275336305770481ce5ac3a465dc9e5e83503723ff1d718c7dd3101180d47fd1ca7d0e4ddf6425e7b84a76ec749d8f3f78 |
C:\Users\Admin\AppData\Local\Temp\IYAg.exe
| MD5 | 623493de8b4ba5c64f1ea2ec42859870 |
| SHA1 | 66593ac81eb61e0497e83e170a2b3fe8a3e37d4d |
| SHA256 | 06e832081b8de5b0be0668bb1b9e2b80885f0edbd15399877261c4934498404a |
| SHA512 | 8153b2e063c2deba566f7a51ea0d13e103a5406d1b9754c262d638b6ffc98e52686a2a270a58eafad641ae9e937ece66dae0c2948ee61d6266f982e91d38a832 |
C:\Users\Admin\AppData\Local\Temp\qkMO.exe
| MD5 | 376ce23236c51f0b2d3495eef1d0b859 |
| SHA1 | 5ec561898ecaf88cdd07369d3919e8941be60d38 |
| SHA256 | 9bdaa4ea536797d2804a10a8bf4bbf8aa71181a623073d932c8c557c7f9e3e27 |
| SHA512 | 3f284ed6848e4ce381bedd515bae9a86794ca768522d214e4b709b4547cf3d289a66be03ce79c7de5de80b6646a5fa08f25678637d3ca743654f5dfcd513afda |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | 9464c51ffaf740f1ac1a6b119d3949ae |
| SHA1 | bb0da744705619d0357fb818c21ad276b8ea82c9 |
| SHA256 | 594020bc94e1b3a1b08affeb7b92f14aff7e38d0680ece1f476e6380207c3925 |
| SHA512 | 2c751e2587d0bddbe39440d906aa7af6baf04641be3c8565f22ca1a7ba078a271f95d8d7b9cca1872f441392a40edf57d7bdfd4681ebc81aaa61e10f37ec5bde |
C:\Users\Admin\AppData\Local\Temp\Kccc.exe
| MD5 | 33428aa1990d4e6279bd3184de0426c2 |
| SHA1 | 50721443c6e20512db24dc619b4d2702f9f8a4e2 |
| SHA256 | ff65694c616333197250408a9e484964c116630d43e6e2b7b2b98290be734185 |
| SHA512 | 1e0e6122527a27bc4f35dac4342ba7c0f1b354bb7a0764dcd7bd82f694dc65c1f4f455aff146b986f6fc08561c0d87f32277a93600520fd3a97612cbd3921fb0 |
C:\Users\Admin\AppData\Local\Temp\QIEQ.exe
| MD5 | d7f503b44da072320797335ff44fd068 |
| SHA1 | e1378ca696d43577edf65d9bf1ab78cdbebb4313 |
| SHA256 | 9a0d5c231d4c09c9118add9ac1a2d6c0b3abf6c6b24a5689efdba74881e0ca7e |
| SHA512 | 777d7b52e34dad402bef0aceb70b02b0fb8da77014aa15207bd21a494ef6d6092b4ac6e04150fd5c353d280058f582880baf395cfa232949e3dcc37f7ec1641f |