Analysis Overview
SHA256
765b9de605acc7bf32215d7f7a78f68fada8330839a9c4d89be685eb8e8c1f2e
Threat Level: Known bad
The file JaffaCakes118_04790caa27d1509760e7198453a9e020 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (54) files with added filename extension
Renames multiple (56) files with added filename extension
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-15 08:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-15 08:50
Reported
2025-05-15 08:53
Platform
win10v2004-20250502-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |

(The identical entry above was recorded 64 times during this run.)
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |

(The identical entry above was recorded 64 times during this run.)
Renames multiple (56) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
| N/A | N/A | C:\ProgramData\hAAQsoEM\dIcgkEwY.exe | N/A |
| N/A | N/A | C:\ProgramData\tOscQQoE\kqQcYEAI.exe | N/A |
| N/A | N/A | C:\ProgramData\hAAQsoEM\dIcgkEwY.exe | N/A |
| N/A | N/A | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dIcgkEwY.exe = "C:\\ProgramData\\hAAQsoEM\\dIcgkEwY.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiocwQIg.exe = "C:\\Users\\Admin\\TUQcIYgM\\wiocwQIg.exe" | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dIcgkEwY.exe = "C:\\ProgramData\\hAAQsoEM\\dIcgkEwY.exe" | C:\ProgramData\hAAQsoEM\dIcgkEwY.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dIcgkEwY.exe = "C:\\ProgramData\\hAAQsoEM\\dIcgkEwY.exe" | C:\ProgramData\tOscQQoE\kqQcYEAI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dIcgkEwY.exe = "C:\\ProgramData\\hAAQsoEM\\dIcgkEwY.exe" | C:\ProgramData\hAAQsoEM\dIcgkEwY.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiocwQIg.exe = "C:\\Users\\Admin\\TUQcIYgM\\wiocwQIg.exe" | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiocwQIg.exe = "C:\\Users\\Admin\\TUQcIYgM\\wiocwQIg.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\TUQcIYgM | C:\ProgramData\tOscQQoE\kqQcYEAI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheHidePing.xlsb | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheReceiveProtect.docx | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheShowRepair.docx | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUnlockFormat.xlsb | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\TUQcIYgM\wiocwQIg | C:\ProgramData\tOscQQoE\kqQcYEAI.exe | N/A |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheDisconnectRevoke.docx | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUnprotectWait.docx | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\hAAQsoEM\dIcgkEwY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\tOscQQoE\kqQcYEAI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\TUQcIYgM\wiocwQIg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"
C:\Users\Admin\TUQcIYgM\wiocwQIg.exe
"C:\Users\Admin\TUQcIYgM\wiocwQIg.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TUQcIYgM\wiocwQIg.exe
C:\ProgramData\hAAQsoEM\dIcgkEwY.exe
"C:\ProgramData\hAAQsoEM\dIcgkEwY.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\hAAQsoEM\dIcgkEwY.exe
C:\ProgramData\tOscQQoE\kqQcYEAI.exe
C:\ProgramData\tOscQQoE\kqQcYEAI.exe
C:\ProgramData\hAAQsoEM\dIcgkEwY.exe
C:\ProgramData\hAAQsoEM\dIcgkEwY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\TUQcIYgM\wiocwQIg.exe
C:\Users\Admin\TUQcIYgM\wiocwQIg.exe
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKkMIwYA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kogMYwYk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKUMoUgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSAUEcQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fygkQkMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeEYswcE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YukQMsQg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWMEIUYg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\newcYgIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmkssIAA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YasMEwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMAwkoks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKEkIEkY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyIcwYwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUYEQMIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSAMMUQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsgQUksQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SsskAYUA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQkEsIYI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryscQIAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loooMwkk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyEcQkcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuEwkQsM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymUYsUkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMwgUsgE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMwYIUoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWUwYogU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSkMUUAA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSEMksgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIEYYQQc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REcsAosA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEIcYAQM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSUYoUcI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGogAAAw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukoUEgYI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKEkoAkM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycgooIME.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYcUMcMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jswIAEQI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMAIYgAI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIIYMgQs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyQMoQQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKwsIcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qksUQAIY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwwQAwok.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMYYwgoE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqwcMQoM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcQgEYsE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUgYgAwA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCIkwUsg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygwcMMoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWMIckMs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcQkgUQM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOMUQMAE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYoIsQEM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygsgcQUk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmsEcYMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwksMEEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYAAQcwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgMckYAc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByQMoYQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQMcQEQw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwYIQAIc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgMcEUMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwYQUkcw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcEMoEkg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkkokkIA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 1j+bYdKbf0eUnscbttzV3Q.0.2
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
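The process list above records the same three `reg add` writes on every relaunch: `HideFileExt=1` and `Hidden=2` under the per-user Explorer\Advanced key, and `EnableLUA=0` under HKLM\...\Policies\System. Note what the list does and does not show: it records the command lines, not whether each write succeeded. The HKLM write needs an elevated token (the sandbox user is `Admin`) and disabling EnableLUA only takes effect at the next logon, while the two HKCU writes apply to the current user immediately and make a dropped file such as `guest.png.exe` (see the Files list) display in Explorer as `guest.png`. The Python below is an added detection example, not part of the sandbox output. It parses `reg add` command lines with the switches in any order (the sample uses both `/f /v ... /t ... /d ...` and `/v ... /d ... /t ... /f`), normalises hive abbreviations and DWORD data so `HKEY_CURRENT_USER` and `/d 0x1` are caught as well as the exact strings on this page, and flags double-extension executables. The event dicts are constructed; the `Image`/`CommandLine` field names are an assumption modelled on process-creation logs, and the command lines and `.png.exe` paths inside them are copied from this page.

```python
"""Detection helper for the reg.exe tampering and double-extension drops in this report.
Added example, not sandbox output. Event field names (Image, CommandLine) are an assumption."""
import re
from dataclasses import dataclass
from typing import Optional

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_HIVES = {"hkcu": "HKEY_CURRENT_USER", "hklm": "HKEY_LOCAL_MACHINE",
          "hkcr": "HKEY_CLASSES_ROOT", "hku": "HKEY_USERS", "hkcc": "HKEY_CURRENT_CONFIG"}
EXPLORER_ADVANCED = r"software\microsoft\windows\currentversion\explorer\advanced"
POLICIES_SYSTEM = r"software\microsoft\windows\currentversion\policies\system"

# (lower-cased subkey, lower-cased value name, normalised data) -> why the write matters.
SUSPICIOUS_WRITES = {
    (EXPLORER_ADVANCED, "hidefileext", "1"): "Explorer hides extensions: x.png.exe is shown as x.png",
    (EXPLORER_ADVANCED, "hidden", "2"): "Explorer hides hidden files and folders",
    (POLICIES_SYSTEM, "enablelua", "0"): "UAC disabled machine-wide (elevated write; applies at next logon)",
}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"png", "jpg", "jpeg", "gif", "ico", "pdf", "doc", "docx", "txt", "xls", "xlsx"}


@dataclass
class RegAdd:
    hive: str
    subkey: str            # lower-cased, hive stripped
    value: Optional[str]
    reg_type: Optional[str]
    data: Optional[str]    # REG_DWORD data normalised to decimal text
    force: bool


def _argv(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse `reg add <key> [/v name] [/t type] [/d data] [/f]`; None if it is not a reg add."""
    argv = _argv(cmdline)
    if len(argv) < 3:
        return None
    exe = argv[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or argv[1].lower() != "add":
        return None
    hive, _, subkey = argv[2].partition("\\")
    hive = _HIVES.get(hive.lower(), hive.upper())
    value = reg_type = data = None
    force = False
    i = 3
    while i < len(argv):
        sw = argv[i].lower()
        if sw == "/f":
            force, i = True, i + 1
        elif sw in ("/v", "/t", "/d") and i + 1 < len(argv):
            if sw == "/v":
                value = argv[i + 1]
            elif sw == "/t":
                reg_type = argv[i + 1].upper()
            else:
                data = argv[i + 1]
            i += 2
        else:                      # /ve, /s, /reg:32 and anything unknown: skip
            i += 1
    if data is not None and (reg_type or "").endswith("DWORD"):
        try:
            data = str(int(data, 0))   # reg accepts 0x1 as well as 1; compare on one form
        except ValueError:
            pass
    return RegAdd(hive, subkey.lower().rstrip("\\"), value, reg_type, data, force)


def explain(entry: RegAdd) -> Optional[str]:
    """Reason a parsed write matches a known-bad setting, else None."""
    if entry.value is None:
        return None
    return SUSPICIOUS_WRITES.get((entry.subkey, entry.value.lower(), entry.data))


def is_double_extension(path: str) -> bool:
    """True for names like guest.png.exe: an executable extension behind a decoy one."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS


def scan(events: list) -> list:
    """Run both checks over process-creation events; one finding per hit."""
    findings = []
    for ev in events:
        entry = parse_reg_add(ev.get("CommandLine", ""))
        why = explain(entry) if entry else None
        if why:
            findings.append({"Image": ev.get("Image"), "Value": entry.value, "Why": why})
        if is_double_extension(ev.get("Image", "")):
            findings.append({"Image": ev["Image"], "Value": None, "Why": "double-extension executable"})
    return findings


# Constructed events. The first three command lines are the ones in the process list above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1"},
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2"},
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f"},
    # Benign admin write (constructed): same tool, unrelated key, must not alert.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Contoso\Agent" /v Endpoint /t REG_SZ /d "https://example.invalid" /f'},
    # Same setting with the long hive name and hex data (constructed): still caught.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0x1 /f"},
    # Dropped file from the Files list, wrapped as if it had been launched (constructed).
    {"Image": r"C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe", "CommandLine": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching on the parsed key, value and data rather than on the literal command string is what keeps the rule from being evaded by switch reordering, `HKEY_CURRENT_USER` spelled out, or `/d 0x1`; the benign `REG_SZ` write in the sample shows it does not fire on `reg.exe` usage in general. For triage of the HKLM write, confirm the effect on the host by reading `EnableLUA` back rather than trusting the command line alone.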
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| IE | 95.100.98.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.251.37.35:80 | c.pki.goog | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
Files
memory/656-0-0x0000000000401000-0x0000000000489000-memory.dmp
C:\Users\Admin\TUQcIYgM\wiocwQIg.exe
| MD5 | 5f78db1d86a96003e4f5241187acfe99 |
| SHA1 | c88098bd8d32bd230028a5173894ede36c65e180 |
| SHA256 | fb8e938d59791b2c00a60ba1700dbb362c80cec30b1f761efffeddaf612adf07 |
| SHA512 | 77fa4165b6b77a7ba10f3faef2ab52a0b0bced355a1a73a36831c3d57f2813d8add3b41a00070fa66c253809bf84d90c65863f965e555837477e87769767720d |
memory/1772-9-0x0000000000400000-0x000000000046F000-memory.dmp
C:\ProgramData\hAAQsoEM\dIcgkEwY.exe
| MD5 | f967f3ebeb56b799838f1af3fe445cfd |
| SHA1 | 81843b6a9a25d5d5b7ddae2c8d78d3e552de9edf |
| SHA256 | 343c4270046a376c2640a575aa8e68a752db1525a524b32b0f83108ddf938646 |
| SHA512 | d3acae998236c41fbf131c805115003e18e4a8909ae78ca18e60ddd34f5890cc9990b69b85296502ebb52d5d57af173d6853cdcc3e20ed267ad703a1932cc781 |
C:\ProgramData\tOscQQoE\kqQcYEAI.exe
| MD5 | 5f173719a478eee1a43671aa239a32a5 |
| SHA1 | 4b851c1b73f5d0bd8650f9ffea612c255f217273 |
| SHA256 | ff3d3841bf5ee7ee57d5d1d34ab68faf830f31c0a3ccabd49e7267eeb7ad71ad |
| SHA512 | b53388418b16c3132e1ac036c9fddfb4247c65d80bf8cb0dee4d09f4ecf5ccffe00e3720fe20fa76c488b477a7708b0df3978dd6355506351159a95d0e320326 |
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
| MD5 | 9adaf3a844ce0ce36bfed07fa2d7ef66 |
| SHA1 | 3a804355d5062a6d2ed9653d66e9e4aebaf90bc0 |
| SHA256 | d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698 |
| SHA512 | e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5 |
C:\Users\Admin\AppData\Local\Temp\xKkMIwYA.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\WUsk.exe
| MD5 | 1f7ebcc985865d82b061e599dd537955 |
| SHA1 | e4a76b9bcd2bbe9c7d79ace648f2f0fa8342a46a |
| SHA256 | 0d7b992b3f9e90acdcef82454eee95102a3909637af290f0572033d7fbc0ebb0 |
| SHA512 | 34dba7f02f89bb43a7f84a8416aab46aa2e8b6ebc72768e9fc6849bf03c175431908493c4720d588deede26ac73e6e2cca71906dd48a204e62ba8318181b9c52 |
C:\Users\Admin\AppData\Local\Temp\qYcM.exe
| MD5 | 5a4ffd1b06a36c6f5acc7699c62d9618 |
| SHA1 | 59702cdd2258d09bbc3324ba2cc704726e2d1ec8 |
| SHA256 | c74781a224864765e84d529f0270105b413de9ed4da2bfb27c3236146af0b4f8 |
| SHA512 | cfeac37436e13cbd218d65ae05ea471f69f98d8799a9a7bf986b20d489519a700eeb0aa3ed887f0568a712a96574e9d3ea6b268e2bef432c41deedaf08916bed |
C:\Users\Admin\AppData\Local\Temp\kkIy.exe
| MD5 | 104cef0a5b4e5a51905e412a42ffee30 |
| SHA1 | cc6954a15313c70ff1553f0fdf9d7f84ccad1a94 |
| SHA256 | 07548dc711a7bdd78062db6cb2fce432c50df64100d584aa5a4cea6f05b49f6c |
| SHA512 | 25c707608e6f61aadfd7089efd660270dcef0610c8de8d79f1146b0f1d5c722be2b644916ce0a14dc5ccb342f4335b788be26736d73d38f5261c0e569890e125 |
C:\Users\Admin\AppData\Local\Temp\GYQI.exe
| MD5 | f022300f4bf58cba070b700ac4c60f6b |
| SHA1 | 95d8bb77d86e368bc936a47c3733cd81c89208ce |
| SHA256 | e41477615b064822bd786c9053ec6d33a4fccaf7adcc4c2ec265aad828e474c5 |
| SHA512 | ce18ca56a8c49460a1e7aa1da5d42409ad5878e02a935e48fdc854a0024d63fe17104edb5f5d7e8773f1f8922638b3b37bed44ef047d61bb1fa998bdad8a3302 |
C:\Users\Admin\AppData\Local\Temp\mYMM.exe
| MD5 | f2b7ee3e4e5e52317048af4564ee7dff |
| SHA1 | 6e0d4ee425992079b96483f16b35f3992b316e29 |
| SHA256 | 2a6a906d4edf607275a2c04898d1573bdeb262cccce76de7b746f6710ac3916b |
| SHA512 | 3ffd835b7fee353def99bfafefb8689ada320f469b878dbffcacb15ffa247e530a88779bad1cfcaa58aadab7ad8285976d302301dfe5f62f6d8bac7ff57157e5 |
C:\Users\Admin\AppData\Local\Temp\KUkg.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\Isku.exe
| MD5 | b410b5d58f6eb5b527307554d921583b |
| SHA1 | 5104a6e91f199c32e6c4334aa06e5277b19cbc25 |
| SHA256 | fec9ff1cb84cfdef29c9caebc1b6743212d08dc6562031424e4222871b70bd6b |
| SHA512 | 71c1427846fd15e43e2d30b4ef8536bd2a3c802215bf9f95893f21e1886998290ff81751be50b9ccc90ed427dba24ea0497a37dc7040595b67d4a669014e8cac |
C:\Users\Admin\AppData\Local\Temp\OMYK.exe
| MD5 | 36f06848944c65f9a87081f36c72b5e9 |
| SHA1 | 264f280aaf4949873bb29dcb0f243dc5303265ca |
| SHA256 | 70d8ce106cad1aa20d00dd3cb033b4ebd276f0a208eb88310d28063150636c7a |
| SHA512 | 6f452cefe4555d28d89859c0b147ed2d4bdc789de61fc13c733391f3eed947e8fbe4769adf5203e78441a769839848428cd71a624ab29971e76c8ba17b14e889 |
C:\Users\Admin\AppData\Local\Temp\ysok.exe
| MD5 | 59e6cd7c174da59758497a7c22d1ec5c |
| SHA1 | 4966e974dca708752db5b606951a98cf59b310f1 |
| SHA256 | dba04fb83d19366daf7ccee30942dabedf4a5b892e982d8309bd1a8712dd0850 |
| SHA512 | 9468f0b57d07d4fe3e055a0e3f7b5b486658f53439e485c34708dc43c718950cb620156967cdfda156dc2d1563f472e17c763172ab81c33178e732f202f59f51 |
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
| MD5 | 8b0e17de60d7ed5d1f274fcabca427dd |
| SHA1 | 0ceaea9ac5805c4956261f689ee31ce3b0fd5211 |
| SHA256 | b6c810552e2b6b8c9659e8321b635eb6c6a9861c68c4458de43e880e04e5e6db |
| SHA512 | fff52f0874b946d41029ef792474e56a3f90947b26488fc7512cf2143f57173cbba6ee176149065a7baa2b5a3d338ead15da3440aa8f7039969e2efec187405a |
C:\Users\Admin\AppData\Local\Temp\KQEu.exe
| MD5 | c3374a79e36418bf59e00a12f193cd7d |
| SHA1 | 56ed45c9f71a74cc7bfd43d47759246be2223f7a |
| SHA256 | 87cb15f050faa18c635151f592458117a9f97d08db701d67ee7391c146f90abd |
| SHA512 | b50734e842e07db9ed896e56df882d03ad720d4f59aef4ff08e21be4db9a1dc06834724b23405605e699c9b1c293929e8abaa12fa201dc4ae2d9c014149dea3b |
C:\Users\Admin\AppData\Local\Temp\gAQU.exe
| MD5 | 6b4a121b3ac9cfda1dd2ad70445f7731 |
| SHA1 | 8501de15c7f5cd6bee18f25b7d3ed292f21ac6a0 |
| SHA256 | 603b5aa515ded659955a43e47170c68ea07329a6c908b5e16120e860eef63c2b |
| SHA512 | 026f315aec4ada3620c47a6e735918721eab7754fdfd75368ccfccd4012fbfa1571104c3633c231074586a407fd23f25b134506b5a6de5cc23b93866f1197f4f |
C:\Users\Admin\AppData\Local\Temp\uUkG.exe
| MD5 | 46a0ebd15f998214274c76178f89b336 |
| SHA1 | d00ce80fa9731f1ba44fc0c4e9e55e6d5e7b6d5d |
| SHA256 | bc08e5513069784a10f61209de1972a0f555f8e0b819918ebfa17c288642f561 |
| SHA512 | 4020ff0414a7c0542ea6705cb524c9e02a61f000b5e69b427bdd9c56d5e9b39362447daaef09b4ae16be1ae4f47c54dd180bff214f65946a3eece61974ae0e4a |
C:\Users\Admin\AppData\Local\Temp\OYgs.exe
| MD5 | 398f732c489c82432a1747f3bfdc6324 |
| SHA1 | ef188b86441d999b90d2e8c2097353eae1e297d2 |
| SHA256 | cd84c331923e3ea000ea8a93a76136fa6b465bc5de95b68a92e1945483c71e76 |
| SHA512 | 0089fbd98754e06352ea2b35e78514139d33d6a9519db2239dd267e0a88fb2787af492f69303d0991dab248e2593fbbd0a214b54de728e2375f892523323c638 |
C:\Users\Admin\AppData\Local\Temp\iqUQ.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\QUMQ.exe
| MD5 | 4a2ef1a69ce2189fde0a0497abbb0e2f |
| SHA1 | 1a432b6ea23af9c3cf86b62ec2d44576350f3af5 |
| SHA256 | e151042201237584e33b3c34da0ec2585d525080edd27dfb225d39b1be363f34 |
| SHA512 | a5331aa86e101876c2351b7e526b5a294e484a39cdd03965f4fe979f44dcf8c56e4e4225a9dd468e8dab523a1d369232c7028fd20dd6743b71ada5d7e6996f8d |
C:\Users\Admin\AppData\Local\Temp\OAAm.exe
| MD5 | 87e2f52cbd7ebbca9944fda6a005dc24 |
| SHA1 | 9c4fcfff9de59dabec0fd0221b4a15cdcc8f359d |
| SHA256 | 025ba415a78ce1eb161e98ebb8d000e4b5fb20bc52ac28c707177894d45173f2 |
| SHA512 | 868d0be12c51aaa9fd884b06af9dd6ea8e1be6d2ad73aa493932ac9a55c1b934adca4b1fc2f4c91b3ccf455217289d14f1e3c0eca46ceaa66f31cc994b3529c8 |
C:\Users\Admin\AppData\Local\Temp\Ekgm.exe
| MD5 | aef55e65fce8451132016bce66fe8bea |
| SHA1 | fb24cf6067f94eb4a1b7857cda2a5dcdf95a3e38 |
| SHA256 | 0bf53b915b6cb4ff871ac6a9a1cbe3bd01e2d412f18703ebc48bc7f578053153 |
| SHA512 | bd9bd6fb9a8a5e1aa5702c0333f54bf192cb305f1b581bb1b77c781196e5cfa75af94948bd324d6f6c30595fed71324e6f91a7a502a7db0dc63f94e407bf7578 |
C:\Users\Admin\AppData\Local\Temp\OUgQ.exe
| MD5 | 76aceb642926445b0aaf7976126b6740 |
| SHA1 | ab7c00f4bb3e680a69981ae3697fea00fce5fbfa |
| SHA256 | a71301e65de388c6fc1365b6b89e337840c389ebd1b529e4655c25a875dc8ea0 |
| SHA512 | 06f18f4a25cd4d42225b4f0bc4fabffcd1128ad0933df671bac8d6a563f06fe7be742302916bc550bebf0ea9a75cd6d203602962556049618ce4036cfb03de5d |
C:\Users\Admin\AppData\Local\Temp\wQYe.exe
| MD5 | 98974cc6d7d2b2b7064785d3fdee35ac |
| SHA1 | 78f78397dd5250c35adefeabd555d265feb14381 |
| SHA256 | 52f6953adbc126186174315264431158a55b78b244150d1e913b6a9999fc45f2 |
| SHA512 | 159855d84e25469aea5c6502f3cef4965b399ca3c26a1f23fef70bb4d1551529c28736327decf060ee0ba90116f9fc811ba068ac600f605a70e8a6d0f50d5adb |
C:\Users\Admin\AppData\Local\Temp\wEMK.exe
| MD5 | 02b1a3d0b7222c89cde402641bfa9d2e |
| SHA1 | 40cc2b0aefed3b01fa6d8579fb3225035fcb4eb4 |
| SHA256 | ca8c37b16b6744f625f9024ec36cf86c2b3d873d57cf0557da2777dd739d2f3c |
| SHA512 | fa9e5f441a310127386b23b94c48eeb109c81f4f550124042f9ead420107f916dbfc1e809aae7dc80efc81e643402a926bf313f47a231d23c00427690ac0d244 |
C:\Users\Admin\AppData\Local\Temp\kYkK.exe
| MD5 | acbbdf199af4a888a817742dbb5752bd |
| SHA1 | 47dc5516eab62fc72d125ec91c71ffb9908d0ddd |
| SHA256 | 29bbf2dc594d6f73ebf734a8d2b04d3caf497daa4f3e727fa20398804fa70590 |
| SHA512 | f8986f3fdbe5c4a2e55765ee1a5a111a52fef0996cb72d2faa78ac8fe3439f7e024a0075c3b806458b29c5acac75bfc895db35063477c0dfa48577b4d111044c |
C:\Users\Admin\AppData\Local\Temp\WkgO.exe
| MD5 | 80391ecc2c75e0e9c6cbd712461737f0 |
| SHA1 | 45eb940125b03a6b924f6d7b2a802aeaef6444cc |
| SHA256 | 179fb518ce72594c5ff6b3dbb70c3d25453223d9f49469c4df5a51c5d7392620 |
| SHA512 | 3b7ed8aac144aca1d90f26577620513a9b56742860fe73027a219d792d91831ef1ba373b56938794c6508469156f2fdf74043ec9b4af58dcdf17c9309a0a1543 |
C:\Users\Admin\AppData\Local\Temp\mUMM.exe
| MD5 | 4f3f7eb7ecfd4567e7895b771009f54c |
| SHA1 | 1caaa1093df32293271b966c7374e7d525d755e4 |
| SHA256 | 18b762e5c5da1febb845307994712eebf8605bfef0a0bdb97ac9228f550cf877 |
| SHA512 | 437e785c08c823a80f6ce23363cc00f3ca6ef945c8c832309208c3da6b3bdd0e57a13d165aad5dd050402e3ee87be7858d6c1c4291c2c1e37a1298ca1f707d18 |
C:\Users\Admin\AppData\Local\Temp\OsIK.exe
| MD5 | 6431d38cd32b7dd31629949b4b923461 |
| SHA1 | d3783efbff41e8fb540d194f98700dc50bafea1a |
| SHA256 | fdbad839e8f6b738fea506d6ba1e41e701579a08ee1ec921e18616be18e7ffd8 |
| SHA512 | 5d8f57a8034677e22edc2c71879e10df73e6c3f9d8ee4f8601c059eec3c299b6e0005ef4c093860e942d52b110f6565615402b63dd3ffda76f9c3af8b890f447 |
memory/656-500-0x0000000000401000-0x0000000000489000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MYQw.exe
| MD5 | 2531cb3f20096e2b0dae4c8a1c070360 |
| SHA1 | c0c53031119563b26c0ac36f8b0c1f3ca079e751 |
| SHA256 | 58bc806f9da38c8c7ead1bd7d5ccc70fc39889a0088c4d9da0fb6247db91f044 |
| SHA512 | 84e768f9e960a5571e4105e657de3adf08b19621a916278b29761d6d6999b86b62e4ce874b09e8eb754a1fb03cfbcea1a956fbde2ea3db664c3f3dbb29b1c842 |
C:\Users\Admin\AppData\Local\Temp\WgkW.exe
| MD5 | 74bff158bfb987056285ccaf5c36d237 |
| SHA1 | f96362bc965e893a5b13003c5b1052c57057368b |
| SHA256 | 6405da0084126b4ed65705a03c0f8574797c0b056331cd6fef5d5c06fc55d925 |
| SHA512 | 06c259a156959efe57ae45113f75edf51d0b25c8270c1990b3c07809db25d2927734c4b88882e06cbde50a09966c2b15d80efc955026dd52894409a65c934569 |
C:\Users\Admin\AppData\Local\Temp\QEkG.exe
| MD5 | 687aad4202bfcaa1a10b9233ef51700b |
| SHA1 | 358941979892927b37c56d998858ea2aa92ec9de |
| SHA256 | e9da1a8982a1370062b16f6c4d9ac854f0883ec16fd1517d760147217eb98a68 |
| SHA512 | 9e2b9a37da957719c440aea9d988fcc4aaacf0d7259fa2f74d6f54ce69ac6c6d5acceaebb4c09a9c70bf0ffdc7b560ea7201ae140bbea926e72f48d0140c2bab |
C:\Users\Admin\AppData\Local\Temp\uksy.exe
| MD5 | ec13652c5dd551ec939dfacb7729cf3c |
| SHA1 | da8253b2d9c23a6c3fac1fa1f81290c6d54e8593 |
| SHA256 | ad549abfa6def9ed764e637c731da3592271b715d7025b95c70f0e6020ec4a47 |
| SHA512 | b20cc4a0de8d904643640fa576d1af546327ae6478e91af34ffa716f0f20fc5ffb39b17f430783a23a579d87f61306948bd243e58c0740516c6c7312d55d92e2 |
C:\Users\Admin\AppData\Local\Temp\kgoy.exe
| MD5 | d54980d317c555387260ba53e8cb009c |
| SHA1 | c0e56ce9a91d836eaf5d8f2fdb18181eeeaa6b83 |
| SHA256 | 16c5337dc752e18290e3cd9ac4ec9a000b59a2727613d5a8d8629537687c4cf8 |
| SHA512 | 2331e03d8563489778f8deda97c2b96a2650d1c4940799e4c2fcb8cc30cafa621c753744459894badb6484f2f2e7f621a0eb9a0c6c709f5294242edd21362936 |
C:\Users\Admin\AppData\Local\Temp\yQAW.exe
| MD5 | 183733fc196e0d2ad56c6f5db24530d2 |
| SHA1 | 26c61c51a3b8af9e7144e5d611471a5f047e100b |
| SHA256 | abf3cc5257adba2462b493ad78c8a6bff3c60b04de747ac2b6ced747cfcacb0d |
| SHA512 | 97b3803deeac9e0c43261b82d3ddd4c153930cf121e286ed3ea80433c2f655deb8d3f417ae2c3b2c4f1e78c9a293383cb22a8394235e151dc1635e19787cd658 |
C:\Users\Admin\AppData\Local\Temp\yskM.exe
| MD5 | a9cbcd20755a3b6926ed172e66a4176c |
| SHA1 | f0b65bbeb23d68b230c75bc3299a508edbc38875 |
| SHA256 | 766268463be93caf6a2acf83e9d30cf36a3d958c6fa3e0378fbedf6cb0aa3e99 |
| SHA512 | 53176a912dc7b01516a39b8e61623041168eb297842fa1faf6aa97ac591bebf14928db67dc1f226103e9558bca5ced33756dc09b2b6183b1f1df134b1cc61ff7 |
C:\Users\Admin\AppData\Local\Temp\OAcK.exe
| MD5 | 8308e4d03b17843ab75baecc2d469749 |
| SHA1 | 314de70e85d5d77a91c37867865d7eb95219eb77 |
| SHA256 | 3b4e51d99d0f2d31ec684a4809f47b8be4aeb2b78157212ac5306753c9a0a474 |
| SHA512 | 96e1d9b641fddc4a3ed3e5308bf581c006ff7855569ce2d9c5369269efd756bdc4c7042afe2ee047955a843829e26646e5b81374c40d5e5e89acba16de9b7a24 |
C:\Users\Admin\AppData\Local\Temp\WkEA.exe
| MD5 | 40ec629db5cfea4551de12e6b24b7700 |
| SHA1 | ef7f2d423d383935106e8f0dc89f282933071485 |
| SHA256 | d67d6f62a9e0392251d7378878555d1379a310a350c0cbda9b4b3d56e094b21f |
| SHA512 | 8a6825b0e681543b9d414a1fd599f24d676fce45a5e74379469d927a4e13f13d2984c440677b118582866d90ab336e6dcdb79f30a83b774a4f41b056f181faeb |
C:\Users\Admin\AppData\Local\Temp\SggY.exe
| MD5 | a047bf44e16a025d217bf4e8c1714beb |
| SHA1 | 23184f2cfba879049235c1b3c2ff4ee29fbe6d5b |
| SHA256 | 8c7a4245c6d6c9602b888d5a0515ed20eefb1a6dc582d42f35e24e60a08504f7 |
| SHA512 | 782ad6ff98f6ed8588470f5b6f97386575d7e006be9ad26feabcb54404a48ed1cf625689fa3fa9860ca4ca9950acf94031104264aaf7171d06d6c05dc6a91f15 |
C:\Users\Admin\AppData\Local\Temp\YAEY.exe
| MD5 | f14b2c81d991a0113518a2003d7a5fe4 |
| SHA1 | 7cf23eb96e208b10d585987f9237852727ca1d75 |
| SHA256 | c64f77a7b7e48331904b03d6c4fef5ee5aa4e7660e5c0bab860930630cac5626 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-15 08:50
Reported
2025-05-15 08:53
Platform
win11-20250502-en
Max time kernel
145s
Max time network
116s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178639776-3244803473-3821071008-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (54) files with added filename extension
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\xOUgoYAs\rCoAEokY.exe | N/A |
| N/A | N/A | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| N/A | N/A | C:\ProgramData\LqwkgQcI\mUUgMQIE.exe | N/A |
| N/A | N/A | C:\Users\Admin\xOUgoYAs\rCoAEokY.exe | N/A |
| N/A | N/A | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1178639776-3244803473-3821071008-1000\Software\Microsoft\Windows\CurrentVersion\Run\rCoAEokY.exe = "C:\\Users\\Admin\\xOUgoYAs\\rCoAEokY.exe" | C:\Users\Admin\xOUgoYAs\rCoAEokY.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kuUggYsc.exe = "C:\\ProgramData\\eGIUckQM\\kuUggYsc.exe" | C:\ProgramData\LqwkgQcI\mUUgMQIE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1178639776-3244803473-3821071008-1000\Software\Microsoft\Windows\CurrentVersion\Run\rCoAEokY.exe = "C:\\Users\\Admin\\xOUgoYAs\\rCoAEokY.exe" | C:\Users\Admin\xOUgoYAs\rCoAEokY.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kuUggYsc.exe = "C:\\ProgramData\\eGIUckQM\\kuUggYsc.exe" | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1178639776-3244803473-3821071008-1000\Software\Microsoft\Windows\CurrentVersion\Run\rCoAEokY.exe = "C:\\Users\\Admin\\xOUgoYAs\\rCoAEokY.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kuUggYsc.exe = "C:\\ProgramData\\eGIUckQM\\kuUggYsc.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kuUggYsc.exe = "C:\\ProgramData\\eGIUckQM\\kuUggYsc.exe" | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
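The registry writes in the tables above (EnableLUA = "0", the Run keys) and the three `reg add` commands the sample re-issues on every launch (listed later under Processes: HideFileExt = 1, Hidden = 2, EnableLUA = 0) are the findings most worth pulling out of a report like this. The following Python is an added example, not the sandbox's or the sample's code: it parses both the "Set value" table rows and the `reg add` command lines into one normalized (hive, key, value, data) form and maps each write to a finding with an ATT&CK technique id. The input lines are constructed to mirror the report's rows; the `Updater` Run-key line is hypothetical, and the ATT&CK mapping is my own, not something the report states.

```python
"""Triage helper for sandbox-report lines: pull every registry write out of
"Set value" table rows and reg.exe command lines, normalise the key, and flag
writes that weaken the desktop's defences or install an autostart.
Added example; not the sandbox vendor's or the sample's code."""
import re
from collections import Counter

# Constructed sample input. The first six lines mirror rows and command lines
# that appear in the report; the "Updater" line and the cmd.exe line are
# hypothetical, added to show a generic Run-key write and a non-registry line.
SAMPLE_LINES = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |',
    r'| Set value (int) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kuUggYsc.exe = "C:\\ProgramData\\eGIUckQM\\kuUggYsc.exe" | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\x.exe /f',
    r'C:\Windows\system32\cmd.exe /c C:\Users\Admin\xOUgoYAs\rCoAEokY.exe',
]

SET_VALUE_RE = re.compile(
    r'\|\s*Set value \((?:int|str)\)\s*\|\s*(?P<path>.+?) = "(?P<data>.*?)"\s*\|\s*(?P<proc>[^|]+?)\s*\|')
REG_ADD_RE = re.compile(r'^reg(?:\.exe)?\s+add\s+(?P<key>\S+)(?P<rest>.*)$', re.IGNORECASE)
REG_SWITCH_RE = re.compile(r'/(?P<sw>[vtd])\s+(?P<arg>\S+)', re.IGNORECASE)   # /d data with spaces is truncated
USER_SID_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+', re.IGNORECASE)

# (key suffix, value name or None for any, predicate on data, finding, ATT&CK id).
# The technique mapping is an assumption of this example, not the report's.
RULES = [
    ('\\policies\\system', 'enablelua', lambda d: d == '0',
     'UAC disabled (EnableLUA=0; effective after the next reboot)', 'T1562.001'),
    ('\\explorer\\advanced', 'hidefileext', lambda d: d == '1',
     'Explorer hides known file extensions', 'T1564'),
    ('\\explorer\\advanced', 'hidden', lambda d: d == '2',
     'Explorer hides hidden files and folders', 'T1564.001'),
    ('\\currentversion\\run', None, lambda d: True,
     'Run-key autostart entry', 'T1547.001'),
]


def normalize_key(key: str) -> str:
    """Map the NT (\\REGISTRY\\MACHINE, \\REGISTRY\\USER\\<SID>) and CLI (HKLM, HKCU)
    spellings onto one lower-case form and drop the WOW6432Node redirection
    segment so a 32-bit process's write compares equal to the native path."""
    key = USER_SID_RE.sub('HKCU', key)
    key = re.sub(r'^\\REGISTRY\\MACHINE', 'HKLM', key, flags=re.IGNORECASE)
    key = re.sub(r'^HKEY_LOCAL_MACHINE', 'HKLM', key, flags=re.IGNORECASE)
    key = re.sub(r'^HKEY_CURRENT_USER', 'HKCU', key, flags=re.IGNORECASE)
    key = re.sub(r'\\WOW6432Node(?=\\)', '', key, flags=re.IGNORECASE)
    return key.rstrip('\\').lower()


def parse_line(line: str):
    """Return (key, value_name, data, process) for a registry write, else None."""
    m = SET_VALUE_RE.search(line)
    if m:
        key, _, name = m.group('path').rpartition('\\')
        return normalize_key(key), name, m.group('data'), m.group('proc').strip()
    m = REG_ADD_RE.match(line.strip())
    if m:
        sw = {s.lower(): a for s, a in REG_SWITCH_RE.findall(m.group('rest'))}
        # no /v means the (Default) value; no /d means empty data
        return normalize_key(m.group('key')), sw.get('v', '(Default)'), sw.get('d', ''), 'reg.exe'
    return None


def classify(key: str, name: str, data: str):
    """First matching rule wins; returns (finding, technique) or None."""
    for suffix, vname, pred, finding, technique in RULES:
        if key.endswith(suffix) and (vname is None or name.lower() == vname) and pred(data):
            return finding, technique
    return None


def classify_lines(lines):
    """Registry writes that match a rule, in input order, as dicts."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, name, data, proc = parsed
        hit = classify(key, name, data)
        if hit:
            findings.append({'key': key, 'name': name, 'data': data, 'process': proc,
                             'finding': hit[0], 'technique': hit[1]})
    return findings


def technique_counts(findings):
    """How many writes fell under each technique (repeat launches inflate this)."""
    return Counter(f['technique'] for f in findings)


if __name__ == '__main__':
    found = classify_lines(SAMPLE_LINES)
    for f in found:
        print(f"{f['technique']:<10} {f['finding']:<60} {f['key']}\\{f['name']} = {f['data']}")
    print(dict(technique_counts(found)))
```

Stripping `WOW6432Node` before matching matters here because reg.exe runs from SysWOW64: its `HKLM\SOFTWARE\...\Run` write is redirected to the 32-bit view (which is exactly where the report shows kuUggYsc.exe landing), while `Policies\System` is a shared key, so EnableLUA lands in the native path. Note also that EnableLUA = 0 only takes effect after a reboot, so a host that was cleaned before restarting still has UAC on until the value is reverted.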
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\YIEu.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\Qsca.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eMsI.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mMkC.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ysAe.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aKcI.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\YIEu.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\YIwM.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\CAcE.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sYEU.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SMUU.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Socw.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUnregisterCompare.rar | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\QoQk.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\CkAc.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eAQE.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yUQy.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\GoMK.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\asgU.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MYkk.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\OaoU.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\csIA.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\skIG.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\mksQ.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mksQ.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\GEUy.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\QwMM.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\Uscs.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\sYEU.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\AMgQ.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gsQk.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\CAgk.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qkcm.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\xOUgoYAs\rCoAEokY | C:\ProgramData\LqwkgQcI\mUUgMQIE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WQkW.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oqQs.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\csgu.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\QAMI.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\EacA.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SIQg.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\cgAU.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GEUy.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GoMK.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\WQkW.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sGso.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GcME.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uAIs.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yock.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iQwU.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MuII.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SYck.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MIAs.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wysk.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\KYEQ.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eyUA.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uAkc.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Msse.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\aUgg.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\aAEm.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\KgAu.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\KcYK.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File created | C:\Windows\SysWOW64\yoYW.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WWss.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\McMA.ico | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\xOUgoYAs\rCoAEokY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\eGIUckQM\kuUggYsc.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe" |
| C:\Users\Admin\xOUgoYAs\rCoAEokY.exe | "C:\Users\Admin\xOUgoYAs\rCoAEokY.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\xOUgoYAs\rCoAEokY.exe |
| C:\ProgramData\eGIUckQM\kuUggYsc.exe | "C:\ProgramData\eGIUckQM\kuUggYsc.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\eGIUckQM\kuUggYsc.exe |
| C:\ProgramData\LqwkgQcI\mUUgMQIE.exe | C:\ProgramData\LqwkgQcI\mUUgMQIE.exe |
| C:\Users\Admin\xOUgoYAs\rCoAEokY.exe | C:\Users\Admin\xOUgoYAs\rCoAEokY.exe |
| C:\ProgramData\eGIUckQM\kuUggYsc.exe | C:\ProgramData\eGIUckQM\kuUggYsc.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIEUQAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUUEEkYU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsQgYwcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UggEgYUU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwEQkooA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYUowQQU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMUcccQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmkUEcYg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOwAYkoU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKYcQIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEAYEcgE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RksUkEUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAwEIsws.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCEQkoYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SsUYAUww.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcUYUwMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKwYgssU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKMEIUYs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmcQksgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isEgkAYI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niEQMAws.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUMkUUAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuAUMwMw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEMIAYwc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEsgsIUs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQcgAowk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwcwoIsE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyoggMAE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEYQEwow.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yagcQUMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwsgoEAw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugoUAwIY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEEgwMEE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQcMEAkg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEooAwcs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIoYsoEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeMgIcwU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGUEwAEY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOEkMIwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neMkwsIE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcckEgsk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooooEAcU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| FR | 216.58.205.206:80 | google.com | tcp |
Files