Analysis Overview
SHA256
6b5a1e427536690c978c3b6a543f0b73fbcc03e3112c18a0bb01402d12bda757
Threat Level: Known bad
The file JaffaCakes118_0486b28f85e1557d6a69822e24c10660 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (56) files with added filename extension
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-15 09:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-15 09:50
Reported
2025-05-15 09:52
Platform
win10v2004-20250502-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\VEkUwsYY\\XQkYsEgA.exe," | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\VEkUwsYY\\XQkYsEgA.exe," | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (56) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| N/A | N/A | C:\ProgramData\VEkUwsYY\XQkYsEgA.exe | N/A |
| N/A | N/A | C:\ProgramData\nmwUkYwI\OowUEMoQ.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XQkYsEgA.exe = "C:\\ProgramData\\VEkUwsYY\\XQkYsEgA.exe" | C:\ProgramData\VEkUwsYY\XQkYsEgA.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aCQckEcA.exe = "C:\\Users\\Admin\\iiEQckAU\\aCQckEcA.exe" | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aCQckEcA.exe = "C:\\Users\\Admin\\iiEQckAU\\aCQckEcA.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XQkYsEgA.exe = "C:\\ProgramData\\VEkUwsYY\\XQkYsEgA.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XQkYsEgA.exe = "C:\\ProgramData\\VEkUwsYY\\XQkYsEgA.exe" | C:\ProgramData\nmwUkYwI\OowUEMoQ.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\EcMm.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\ocYi.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GyEw.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Wiwo.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\KcUg.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\OEkK.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sUAC.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kIAs.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\yUoG.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\YcYa.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eAwE.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\QMws.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\UYUw.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\mwUa.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\EoMi.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\GMIE.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\CwwE.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheSearchUninstall.xlsx | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\YcYa.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\sIsS.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gWAA.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wQwA.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\EcMm.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ocYi.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\soAU.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\QoMc.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\EWII.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\qEII.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MIIY.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aMsg.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\CwwE.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eIgQ.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\IAcW.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\KMkC.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mYQE.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uUoy.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mosm.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\oQwI.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gCkE.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gYMo.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\EoQc.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aEsk.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\AKEs.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\UsUU.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\CAgy.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mkkm.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\kMQC.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ygkc.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MEgA.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\EEYY.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yUoG.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\cIwK.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\MgYs.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IAcW.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Moci.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\QQou.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\OEks.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MgYs.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\UuMQ.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WQUU.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\KSMA.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File created | C:\Windows\SysWOW64\KgEG.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uWUA.ico | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qoQc.exe | C:\Users\Admin\iiEQckAU\aCQckEcA.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe"
C:\Users\Admin\iiEQckAU\aCQckEcA.exe
"C:\Users\Admin\iiEQckAU\aCQckEcA.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\iiEQckAU\aCQckEcA.exe
C:\ProgramData\VEkUwsYY\XQkYsEgA.exe
"C:\ProgramData\VEkUwsYY\XQkYsEgA.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\VEkUwsYY\XQkYsEgA.exe
C:\ProgramData\nmwUkYwI\OowUEMoQ.exe
C:\ProgramData\nmwUkYwI\OowUEMoQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\iiEQckAU\aCQckEcA.exe
C:\Users\Admin\iiEQckAU\aCQckEcA.exe
C:\ProgramData\VEkUwsYY\XQkYsEgA.exe
C:\ProgramData\VEkUwsYY\XQkYsEgA.exe
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCIgoscY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKwcEoUs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyssYkYY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIUAUUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWwAUoAI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIIsIUoc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkUYAUQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwIsIAYM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwEEYcUw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYwQwsYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReEEMoEY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOEoIsQc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUkEcIsI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmokcgEU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuMYIgcE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYgcsooI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYQoAgoM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKUAUQYU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsIkgAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIkoUIAg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUEwQoUI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mowEIMgs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAwYUEsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcsMIYIc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DigYwAcE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOYEEEkA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaUgUIQc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwEAEEMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgoEMMkg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyEgYkgM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEEkwQkg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCkwIsQc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEoMoEwg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FssogIsU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWggAMUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYgcUIsk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYsEEosg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIgEkQkc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwokckMA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgwYgIUU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyEgAAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOgoQswA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 128d254a3e5719f0b0eacc59bfaa5319 iacK7xVHxkW0Th4DIdwJ+Q.0.1.0.0.0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcAYsUgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkcIIAAo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIIkgEUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsMAQEcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqEIgIMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeIgwIws.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyMgEEQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSkQIQsY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsAYEwIU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgooEYgM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKgsQQMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAwIkEgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgEUUYoo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgkAAIks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWoEsMIA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYgcEgEM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIEsAcUU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMsQccUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMogAMMw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niIowsUI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FusIscQM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmoIwQoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKgkoYow.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOIgEIoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMQocowc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmsYAwcI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsYggkgA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcgQkkEA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMUYsoYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EskQUcss.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyUQIgks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syEAUIso.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCMMwcwg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAMsccks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xioookwo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv iacK7xVHxkW0Th4DIdwJ+Q.0.2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | google.com | udp |
| FR | 216.58.205.206:80 | google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.251.37.35:80 | c.pki.goog | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\SysWOW64\oQwI.exe
| MD5 | 62064f0b2a70452bac01d94af9154d61 |
| SHA1 | 43f318a8b16fdaa697d153ff16124320d2425888 |
| SHA256 | bfe1f5d3ad9f88783daf766e3769a4ee31d5f5306ab2844b497798c4b1b16e7e |
| SHA512 | f01f39afc6cc6fdaf76a8e07030b044bbf5f2f039b3b1da47768fcbcb21b201619a265c3480b37ac2e1e2c2ab26747ad4f353e5931a0f40c3f8cfb6347f2a2f7 |
C:\Windows\SysWOW64\mwUa.exe
| MD5 | c0c0c23613f1b0a965ec6f79073639ab |
| SHA1 | 1fbab05fe9af27aa29bafbc295086941c656b14e |
| SHA256 | 1d03e30b6de642955d046946768e5dd2df45c6291c2912c6e08c43d6f65c1d4f |
| SHA512 | a9568a9eed50bd7de05966af8410629e3aaf2162669197180623f3e7090537d800f123e40ec1621084e90bb108f523573c4fb8f8b3a36efbdc03ce5e8790ca9f |
C:\Windows\SysWOW64\Moci.exe
| MD5 | 4035affd40fa37b0b29376864b921b59 |
| SHA1 | 1f0de14ccc07a596033b91ca375428d79f294553 |
| SHA256 | a333729a9303e53e5db116f9f5f32df0141021e837ba45aa31cdf978856b79f9 |
| SHA512 | e7326050c7bb6b87b71be9f11c170ba79a697641462c5ba11e32ac21f4067ae6a08972f4b8b742f361d33db3181605ba3f9a37a9f20138db3e89ecc1f30df010 |
C:\Windows\SysWOW64\qAwg.exe
| MD5 | c6b4f00f33f96e38b8c9f0758d20dbc6 |
| SHA1 | e11c16a1bb26b124fae6257e42888f6c37eb4b4a |
| SHA256 | 6e1a4ce01e4826605e96c42f8a91f6ee50e9478a77cfebbbecc59728aa9e7a9e |
| SHA512 | c3fa05ad8508fbce5fae3d22e4485851488cbff45d44a6d32b42b4b811f39bc8889a71d68d0fc67cf27948f6cee7e346e936f67fef495fc68429ac501bb7770b |
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
| MD5 | 997b610669905b4b7dad786cde15a084 |
| SHA1 | 8736195a2a7cec51fb5125d14c368e473d074fc1 |
| SHA256 | 060582e1260ef162baca55f1e8ee218fdc747aa790d6e3f9654cb8e4ee5441a1 |
| SHA512 | bd1564f355bccfbd073192e291ad405b2996adf1a62154831c07207aa2421fb371fed1eb3c28608208c9a3d2320bccdaf423ccfa869564584a165a0bc9f46ffe |
C:\Windows\SysWOW64\qIIK.exe
| MD5 | f9146704b58e5124573d658414aca858 |
| SHA1 | b0ca0d6f490b6ac0cfb52526e4e6924087e7d77b |
| SHA256 | b76419358d79b50f7600a931ae2f8565aa378f114c05a4c4213381e59a2e246a |
| SHA512 | 99f8c69270e615c21139a0a17d823d3f9c99039f8982356c8913fa951069b79276ee0a847d1801e18a3c9469a7689341799e9ca2b7ab0872dda2dc8ff7633333 |
C:\Windows\SysWOW64\wkUq.exe
| MD5 | 8103ebe2562aeae6778d0befaded48ae |
| SHA1 | 1ef098f6cd603531d36f161b41d579f27d83c9a4 |
| SHA256 | 9d0eaed853b932f2da7fc7996238135da063ea29f6ac9d05942391a4e790dc23 |
| SHA512 | f896d18dc9bfcbbb9c65a7caad87ed3609826b5fbbc4f08d394014a069f9a8799dac09c946f88f30cd0a421b691f8a0411b722101dcdcb2057790b5318e85b41 |
C:\Windows\SysWOW64\sgUe.exe
| MD5 | d63936ffd8a869d204d835bed56ba36e |
| SHA1 | dccee411d44d5124a0595334198ed75b6256dc6e |
| SHA256 | 59e24100012433bcb60ab107018b087d04b99c9ca760ec847cff19031e2797f4 |
| SHA512 | 50ca8d3b71958534902319058146436631e6a6e664c74add6ce01790c979850d924ad31d5d019eb1f6cadc1b827c0c6355662a8043bf91d20fce19bb846f700d |
C:\Windows\SysWOW64\EWII.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Windows\SysWOW64\qEII.exe
| MD5 | 7ad6c40b57037af509a02ed69a7f921a |
| SHA1 | b09679f51399b1a92b97ed1548a91de7307e7b29 |
| SHA256 | 5736cf700b8483c9ffdf2c305d934eb4e433fd6e5957f189cebe5abcbc86bc44 |
| SHA512 | 3ba3beef1d729a988516528b7ade8947017f9b3e8fb2e4bed719dfee0175d539763ed5328413d587c3641dc9a0648c13ad3e307ba5e215c7217e66ada1d39be2 |
C:\Windows\SysWOW64\CYQy.exe
| MD5 | 1cdb4092c6cec50d107ba1f017807b8d |
| SHA1 | 6aa60a6410f885f5fb63f4e3329c1e0e41d7915b |
| SHA256 | a9cc7f5731f9f196d1f56fa46406f761345a3e027d920e7165b7f3c93cf67aec |
| SHA512 | 1df2a79a80c64c35d6bf9c9c1c73baad4402026a12a486c1dbb1f7904a21bfe3d24324f04b67aad37c13ebc8a8b4db89abe57f439ec83d968077c9a2656ea78e |
C:\Windows\SysWOW64\iYYQ.exe
| MD5 | c64ab51fd2bb092fcdad614ebdb64a7a |
| SHA1 | 604e668ff3fde559854cac7c42094cade513034d |
| SHA256 | 96ef3a73a49f8983b4f00729e5878d401c18bf91aec7a7670b1c9d5c7784a4d0 |
| SHA512 | 9eb57530b0e1e2953cdd96212e5a8b60b903b546152bc41e6603412bfb0eea30d8fa491c00092f162411df3a9e687ec464cf7f1b4ee79659bdb51a73233c7344 |
C:\Windows\SysWOW64\mcMS.exe
| MD5 | d64bff449c01ad4653cf41813d81b198 |
| SHA1 | e7ba3a8bc1169c948a7c6bf39712ad0d51afb2b0 |
| SHA256 | 8eae34db75ec3467df300833303ceef61fc9d21641fe6f89019207ec7e4facb7 |
| SHA512 | f72e71dd3dda227dbf50e611a0fe3ac37638427f0b34e21b9c51c7a9684e75d2f6602894cdef05a14322c0af76df4fc48461a4c4a4ff336cb14dd0de10b0af7e |
C:\Windows\SysWOW64\aoQQ.exe
| MD5 | 57d7162e44214ae9b3a1b93477bb9be0 |
| SHA1 | cbff916d43693dd4fe82cbad89448c8f0a33240e |
| SHA256 | bbe81692a4fac1c5925d503eb2f8e0e8c40cee4a0563af09521fd3ceed8840a9 |
| SHA512 | 5487be690b93c4be58894e1df4e6fed8d3b2ad12440e0ecdcf5c44901870243aca9fee2a5fcfdf69cb034eca9f435268ee17d3077b21d911ba1d3384d750c406 |
C:\Windows\SysWOW64\osYO.exe
| MD5 | c56b44189694754f5bd5307605f4a1c4 |
| SHA1 | c7722bbe2216ecc5cea7d274661919b2e6f20195 |
| SHA256 | d296a8e6f585ad67ea86415e84c9e6fa3af50476cdf15e1e0f727fee8cf5a61c |
| SHA512 | 1956891285b24513b3e5cf18a46b210555769fa0388028b316d8729f3b34f5a8155a97f8766325a3fe052a0eba20f0c0f2ca01911e13b282df6a6ea0a250e773 |
C:\Windows\SysWOW64\asUw.exe
| MD5 | 8435d5738abb74aa7441ac5d170eb9ee |
| SHA1 | c1c2bca228520f01763d84db9d045ec5f48c2e4b |
| SHA256 | 163aa23919a2015f6f469e88e9fd1c2d253cb7ea1a8062754ed2e28a264f875f |
| SHA512 | 67730aad4a0fb76962cfed0f9562db5d05325f74531bc0d6287fa913e1e5831563da67287d44b9a49bbbaadd4ef0f854fb1b7a03b04204cf81541e7855c43be5 |
C:\Windows\SysWOW64\QgUC.exe
| MD5 | 7312354e9812affc2f08ea7a04a74448 |
| SHA1 | 0aaee734fe5c166b74a2b762510a5e3eac2600a1 |
| SHA256 | 47f3021cc912f170ccdc6bb0e7b78889f6d89b406dc3c792c8e22e7d78c9344d |
| SHA512 | bfe5bacf13c69ac899e04c750e605b107401bed7db92cfdca2a639ffaac1962b05db785607c541bb62682040690fc8262cc1edf7e9af9377c2727c94f5291a42 |
C:\Windows\SysWOW64\EoMi.exe
| MD5 | 5334b7403bc5c4b23effce91efd13c42 |
| SHA1 | b27bce62bb7dd525c570fe58d64fb51279d65f59 |
| SHA256 | 9906c804f7558765f3dc14973ae386378b3370a6e32735aaa716fa9081e0b3e0 |
| SHA512 | a233e12e3cabef9e3d6dc5283b3db097a5c1ab9972eb5bce4aa53301cda352d26ee2a6bac4d64f267fd1de9610fc693d0e86585fe5c4dc8361b1878a46f0723e |
C:\Windows\SysWOW64\KcUg.exe
| MD5 | 8a3636d12a8c8592184128a388a21627 |
| SHA1 | 9bcb4f69ee62a451dd0bf768a06f08bf3b198490 |
| SHA256 | 9e76966aeb06b0d38ad3d15dab90c3908738770aba14721573fddd743ea89c13 |
| SHA512 | 62b8b3586f0ab5042d610c016f7f2b6d7878e8b68ec079f1976acb2ece733858ef6556050fc96581b5a5eb3a3ac0c49648a3c9d0f39e619d6a2416353b559ee8 |
C:\Windows\SysWOW64\YcYa.exe
| MD5 | d2c4bf317e221fb2cd1f121ae4ba4e84 |
| SHA1 | ef2c07f827f7d729e4ed52f3aaf2331f397bfa72 |
| SHA256 | ab94da41800828ccb88b57ccd7dfd9e2205ca35269922b8e611cc30292cb6047 |
| SHA512 | aea4c2475785d726043c5e517ce0cc16f4621d94e94210e4ea8f5fa138549ea83c73ca87897f7fd0e934a8da54094c8218a036953cd9a57655fddc7156f52f7f |
C:\Windows\SysWOW64\MIIY.exe
| MD5 | ce98da2646058145b71e49415f7920a2 |
| SHA1 | 5d59bc0fcd93527739e1775985010889bc03672d |
| SHA256 | 44d80073919491d5d9379f1f28370aa7d000fca524cbaed3ddb767c9d9dfcbfa |
| SHA512 | 9583c580e05004ade33642e0ee545eefcf6b9493e68ca25713127de2c9141e269e0b4fc9196e67e9eaa02752803ae0ea7e6ed36de8517482da88c71eff774e02 |
C:\Windows\SysWOW64\QQou.exe
| MD5 | bc3fea841bc5de4eabed3deccb397208 |
| SHA1 | 5527774c3390e38e0e2d70abef0ebc54d29faac1 |
| SHA256 | aa95a246318c680dc962094e4d41fa3598d819a86b8200fc02dcf01c36d1cf5e |
| SHA512 | 7a332bbfc3e775492a115cfe20b5f9814c1e2e7287a7cedd6a011a535e6cd879d66b15e5de203fed9220baf710c39fa719c85ff56d8779e2fb7dbb13829b1909 |
C:\Windows\SysWOW64\ooIa.exe
| MD5 | aacdefa5b2efe1eb6cd7b0f0aa630733 |
| SHA1 | 457f4ac318b3fe7b5fefbafb8a57628a3c78c719 |
| SHA256 | 0cca422be2e4e1ccdcc5255a704c61f2f5d96a34b2012c1015776730d06b71dc |
| SHA512 | 5c407edf7a17b467fe466eb8a67ad612501e59ade564a9f9fd6f1b3d51fee2c7a402169784ba217261ccc0284f0d213f2ed3029fe20bfd6fb1c848fd662e6f02 |
C:\Windows\SysWOW64\sIsS.exe
| MD5 | d7d7b21287d7f3353ea27a7a87d49486 |
| SHA1 | 15add4970acadbaf5a29a044a06c1638ccf34035 |
| SHA256 | 1dec4fea47ac587754492219fdb3bb13408f594d9a3014d9c5de07670d8aaa1e |
| SHA512 | 8cbe918a7685c68eafae0a50a304dd7fa92691a2e62cc20fe400acecc963dbee4fb2562c6d3cef8e2d3e6ad6fb9535829b2f7385e289dd531169a1a528dc563d |
C:\Windows\SysWOW64\wkYE.exe
| MD5 | 2762c715124aa0d5ae35e01b435ca720 |
| SHA1 | 86405885089b9c235c4d645561ef3a5e85925973 |
| SHA256 | 2255f7e02ebd19594aa2503089ab54dcec7f3d7283b5a3c181185550ca9673b9 |
| SHA512 | c1cf74f77d931a3dd359236db67c424a0937a8a7695e987d246608ed9f2b8a2478f97e67dca8c0fa30ec9764a1df6505c151659e2e548559d5e6b21ed9f076a7 |
C:\Windows\SysWOW64\yYEu.exe
| MD5 | f72a33caa6e35f0fc51cafdca2480806 |
| SHA1 | bf0ef0132fc182b441f44133bfd84d812db406ed |
| SHA256 | 55b65ec543767c447c2efb8eb1a28ae347649d70d89fdeaf013561d1f6f48b3e |
| SHA512 | 087318f74ed2a0f8d4808b8ac8b73f6af180c858536ea4307bb1091aee552198c3beca592c2abc88601e8f76c107c54102513a9d5b366f4034fa6969c4532fd7 |
C:\Windows\SysWOW64\uUoy.exe
| MD5 | 3402bab2dc453fe5d1c426a2c68b6540 |
| SHA1 | d223339cda45df39e7e0a5541b47e26dcbf5be33 |
| SHA256 | d956e24a6bf51d29ef04b4c1b04ec768d03845b84d96447df8dbcf010cf8ee14 |
| SHA512 | e11c2b7b66b0b14b3aade05caca1c97dbe7e6bb892949d0449619b140556c1e940917c830fc204bc05ca6cdebccc0c19ac8126cf50d8a5bc87adff5376906af9 |
C:\Windows\SysWOW64\GMIE.exe
| MD5 | 2d2420cb35e238389a195b75a7db2b92 |
| SHA1 | 0b7e719abce496e88fa41069b4d2ca82a260bf20 |
| SHA256 | 393af1cf5bbc2dacb79219a6daaf08e5459f666afaa30cd1ea8c509dd930cddc |
| SHA512 | 0ccde43c43a43ecc88a06f4423ab749705cc409d283c0e13d37d503efa8463c2b00139b543283c4b7d245b91e600ca3df65e86028c7aa0a2a177718262396f7e |
C:\Windows\SysWOW64\ogsM.exe
| MD5 | c245d2b4c19a1e651e4e68b788c463a4 |
| SHA1 | 058865c7c557f306301a04a4103e7cefa3a203ff |
| SHA256 | 3fdbcc690da682a5c069e7bddbfb40c0eccfd5881d7bccd1f16d8be4fe18a02c |
| SHA512 | d0669ae5aa7b862329b99896b9a405d96cda9829100b93e9b21ebc6b4bc9c2e29a58d4ecad724784d8a0bb500da6eac7649600eb5519fbdf4b7b8336bfac04c8 |
C:\Windows\SysWOW64\eAwE.exe
| MD5 | 76d24403fd1d917950da71433522b5bd |
| SHA1 | 9387202d8490ad798a5b71163ce4f57d68184b5a |
| SHA256 | 85b0b3dcb000a1d55b65bb949b9ef5d63514c3f0ed4797313cb5ad86b9e3c415 |
| SHA512 | 07428c952bc9a88fe6bda2fb279d302d8b799fea4ef127b63b9b121fd6177b69f22d1c445c62ce05097584ee3a59b34ec7b6b5f86bd5b02a38563b77ebad4a4a |
C:\Windows\SysWOW64\oMoC.exe
| MD5 | 4218d5fad004ef00cdede8d72ef2c992 |
| SHA1 | 89de08349d4ddbee67589b47e57c095fba5fc352 |
| SHA256 | 5a384840bc02bc79927e86ae27ba587c1fa9a99d2e21d318cbf73cc191aee9b5 |
| SHA512 | 413579b92ec4b354fab19d623f9c81a0ac9513b5fa29dee50727edf12539843400b3405865e6267b95d11e14c4843f9b8deb1b1b2d17993371a63485f554da96 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe
| MD5 | 77e6e63e2257f466872feb1de0b29324 |
| SHA1 | 52fb64de9eedd3a936142119d9ca1eebf58ab552 |
| SHA256 | 357b6c2c5ada3ef3407e69778e75e8c6a2708c7bdabc5d5eca92758e38dcf735 |
| SHA512 | 88542c0674c024c5a39bbd6d40b6c09e642f3d260bf4a1caa5ceb4814af1ca0a1ddc2bc6585757ae4ed1e32dd9e06d90c1a0b8869a79ae38c8b25f497dfef849 |
C:\Windows\SysWOW64\IAcW.exe
| MD5 | 8e72f3025de62d8cc1bc56dfeee36316 |
| SHA1 | 83a7f5005ea208b02084b4f945d6878d5170c885 |
| SHA256 | 4f6815f7911e14436e7ace595031e89a24034e2ff9b5e69a2828bb081b7d6085 |
| SHA512 | 99a86290579b89d379131f38cec7c4f873d7642e599a5bf3d41de76b723d830c418e665081bcc08b3849ee1475c052a3613c25af17b53152d0f0e7dff44880d2 |
C:\Windows\SysWOW64\CEYM.exe
| MD5 | 943bb3dd3bbe43a88ad56b0b2e2d5716 |
| SHA1 | 72691cc7f8f7c4e6e4b92768d0a4d9432e712ac8 |
| SHA256 | f2aa34f81479dcdb4ef04e92143ebf66f5668caa05e2d0d77cacbcb5091bb096 |
| SHA512 | 50e0e26f23df3dbdfcc28c2523abe7c060ef81d563c670dc97438a2bc52dd09c47e854dc9f6adb2843d41949e49120134de84a39688c9cdc912490e7aea4a716 |
C:\Windows\SysWOW64\acQI.exe
| MD5 | f3d428feab2c9c3b4a9f6e9c1288455c |
| SHA1 | e7d2194fba087d8cabef137e78e59d4fd8504277 |
| SHA256 | 9f6d09663a1906ac467da0b73b950f71ac2c10c51c259735183795a59296f9f6 |
| SHA512 | 77f5573f54daffc9b941d47831857ead4bc0c996cd684c6ff62150bb6b1576b3434ae8bb56bbdc9c965dfa3ee966d88d80e7f554c375fcd35d3dad1d19ec9bf4 |
C:\Windows\SysWOW64\ukcC.exe
| MD5 | c558a79805e7936b6a5b8f863bc564fa |
| SHA1 | 7a0d46bb935857c9e27e26a8d814741eb61e531c |
| SHA256 | 166cb5bca9ea224bcc7075e8714e77560f17f71d0e11dcb765e7c898659006ad |
| SHA512 | 7c5c886bc19afa69cf78149127a83d1a491a018486eb095cf5f3274835e242f93e788264bea2bf8536350a3b34d28ac2e34b8297285c019e1d448be90c55b382 |
C:\Windows\SysWOW64\qwcg.exe
| MD5 | d3887211cb7d56fa577a17cb0179bb09 |
| SHA1 | b8de2e073697a987bcd334068c31b0d58cd69a91 |
| SHA256 | 4f1ef132405e011093adfdbd8c7eff6fc4b7effc7f1666885c6b0b81ed8cc1fa |
| SHA512 | 4d1285abaa16b95c32a7250fafe234976c30f57e5ebf04df551dc0bab5c316e6fe74dc3610973b0b9eb82f731d8de195e878d362c48e86a606073ff4ea7d9186 |
C:\Windows\SysWOW64\WkMQ.exe
| MD5 | 22a197db12493e66acbd833e2840e630 |
| SHA1 | e9677d043c075207799ce8b7570518d31eef9117 |
| SHA256 | edb1707da2dda53faccd62776b39f80974925b99d629a63761e45d2087661a08 |
| SHA512 | b44775ac78cf04a332bbe3eb4cce2b7827b648dd89846b85b576154156ceff40ea7acee1becb76a1a27abd3a7d582fd47719b9418b977bcde6a4f23ac08dfcbd |
memory/64-851-0x0000000000400000-0x000000000047B000-memory.dmp
C:\Windows\SysWOW64\MYYY.exe
| MD5 | 1f18cd3b34dbea0e2abeb6d7b0e14f7c |
| SHA1 | c0fb4b4522c9633643f0572f0e2615c4613ea1b1 |
| SHA256 | 278a46cb2969589ec870b1ee2e219347f054137b25114926f1dd65744096056b |
| SHA512 | aca74f090043d0ad2e006300573d1cc1f35bbcc754d6546216d3ffca0159a8f8af6f361562149e4603b48cec5ee0a41a2a02f4069c97c7bfa66a82fbd346e738 |
C:\Windows\SysWOW64\EcMm.exe
| MD5 | 61a74c222381fc4ff9f0bc33e3b743be |
| SHA1 | bdb86bc0edd7744438ca63628e4bad911535921d |
| SHA256 | eebe24c54105010189e14aefdbfa905efbc127a2954b25f462df5d6f7a621904 |
| SHA512 | 923e06e44d5174ea27d540a0d3cc9178e5a75c1c0cbd9ba06f1d4e51afdd48691080fe46665f511c58c0c44f5c7565e79964bc56723d58979d9de49eee820094 |
C:\Windows\SysWOW64\ocYi.exe
| MD5 | 858d33b539e5acd9637264f1c5312fe8 |
| SHA1 | 291745006eb6ed08f9a5994601ad4453e32791a2 |
| SHA256 | 430327247d5f0e46f572ebb4419e53e31e4517cf3498fed0fb16645b8d789f7a |
| SHA512 | e988634dddd8b1216b15e52d0fa4c64df2516ace252991b21aa75932b6a2282907d7ff3d3bd1a029f712f7614fab315d09f0212c5eb52525ba9a06c42a5bad6a |
C:\Windows\SysWOW64\sUAC.exe
| MD5 | 14dbeeb1e16a015ea2f9aa48f8f4b4c1 |
| SHA1 | 9f0ad33132c9e4d56ccfdc3909747868f7d56dc4 |
| SHA256 | cdfd4d7156d47526b68fdd752fbb353fdd923c5c7264c9a79cfbffa8e199b587 |
| SHA512 | be15833b79fbc5ec2a35da863a780ebdaf64b748575394f513d5e89967ed1a2d9547d29e66fdd163d8c26187323c28d580c88bfd153de9a63d3f635f33fa60c0 |
C:\Windows\SysWOW64\cEgI.exe
| MD5 | bf11f31ca50355ff01f75ce7b2e21652 |
| SHA1 | 8396cd5320c2abc2885ab5760f2053109c983ee8 |
| SHA256 | fcc342d73b9b4e0cbf95850d7f4ce031893234b3be487ee508eb6b2f57c4889e |
| SHA512 | 84725b6dc75859ddfad376a77b8ea185bf03f5ad60c7b145f367c73f1f48573e0db78e880b22fdfabcc3a0e429ea35f6d47971d87eb352f1cb3fb5411428973c |
C:\Windows\SysWOW64\ikMy.exe
| MD5 | 42a80751938b27ea556ac7f4bedd351d |
| SHA1 | 5d66fabf04c3ab98ec3664b073d9585d3b186de8 |
| SHA256 | 22d1b412044b51ef06e799a2750a536d1f3e59d1b6c6a17199d164337e9200e7 |
| SHA512 | eac96f4e43ed5e19e40bae955140141add2652737f802ef3b3a3a0fbcea9637ccae22ddc6e96ccac0dfda9889383057851912a109a57d86046467f45a08697fd |
C:\Windows\SysWOW64\cQoo.exe
| MD5 | c62a9e85f7388a8564a3dcb9339d5452 |
| SHA1 | c31d801e1ac1d3be83cd3419ba81176da13aaa96 |
| SHA256 | bddf219ec2fce0eb89996bb12ff849072613105476c19547d3afc09ab4ed8c69 |
| SHA512 | c9e4e8da349495e0d20057ae5d3407805aa7958f6f1cd205fe24dd2fa3517054a82c38941fd6b7b707cff82930694901cda30136812de1f039a607df8d557197 |
C:\Windows\SysWOW64\CwwE.exe
| MD5 | 2d57a77d0a1f8ba21604e4f886617b87 |
| SHA1 | bac8a5f871d8f1e901f22a3598a586e1374917e1 |
| SHA256 | 44b84f8fd1b9b4fb260fb9e1ce8b419a09028a5e1c9b1cf32464734fd51f6696 |
| SHA512 | 3db81deebc009d94eb746c33882393eed6fd4ab942acae3ef2ea2be810c81ac3d3ce86a95671b8a3156677774c5aca44da67bc6fb61a093d4880b90e325ee4e8 |
C:\Windows\SysWOW64\EAso.exe
| MD5 | 042a0bcec006d9b942ce16ea8f0c120b |
| SHA1 | 4f5f29e28b05019c0b97177712776793594d41f0 |
| SHA256 | 2fd3037487f57d66aef531417fac4766192d2455a3349f63c3b99ed6739f5efb |
| SHA512 | 16edf301a8f965ded2fb026bfb70df1da9ef4378fa76c00693d25e78b418b59b3410296edf98a7f07807ffd84499b1dffeea0d9dd9b6e9ea3c26cdcd9eb39fdd |
C:\Windows\SysWOW64\msYG.exe
| MD5 | 347c579280ac852302f608ad8eccaa79 |
| SHA1 | 38ede826d934d7c5069dd5e3c5943e4bca6d9172 |
| SHA256 | c71480d8073d45771d0ae35df9b772400b93382b4da256626e57e48c46ba32f4 |
| SHA512 | b91e4505728584db863aaf0415929fc658e95c07062411e66d08270919aa6b3dc484964ecf0f7ba026f517fdfcc967c149f985530a4f6d6df940803cef737799 |
C:\Windows\SysWOW64\Mosm.exe
| MD5 | 6cfff71bef6362b8b8a3780371c1e01e |
| SHA1 | 6683a673e4f540f0f73e96b0963087325cdad1dc |
| SHA256 | 9e187da9cd1a7487f387e317581e89abeebafdf6981d937089a7e5727cb684a9 |
| SHA512 | 05556d7c5c609c170f2766aeb9b7de87255094ef09597f6e29547904e28d72f043a641c2e651d04e170587b912af3c8857e9a947bb54d8a0bca136f91504a285 |
C:\Windows\SysWOW64\yUoG.exe
| MD5 | 9d3a15c03d7ee45d24f546ddb462c532 |
| SHA1 | 8523316dca05a11f5013d0801f73037fea7216c3 |
| SHA256 | 6fe6a9357468d5b8b204b67f7116a4a151a21d36feaa25d99502b77c0d144cd3 |
| SHA512 | 1897bcb8b98885bfe3a755b97775a598722921b6c3c293bd5af1e4b441b86d04e5f1719d2a655f1959b39d4c49366d350f60a04d8fa522fe875ddf55fc96dde9 |
C:\Windows\SysWOW64\soAU.exe
| MD5 | a7e9d325d5e0fb85d206357d1c94cef0 |
| SHA1 | 43162a6ab0188f8c27ca43ad2b72af91f2a87101 |
| SHA256 | 99e1b1cd7e54057949845ecbc3af6d3f8f555cadf2fad1368d54f39a509ad0dd |
| SHA512 | 6a5f6a8ee1c617fe1fc630beb265e98f2a339ce6c2c911dd5380683cee28e48e344fb304e03bd7158cb999215483cb5e9f06ade26547a5f01f12a43789ae6088 |
C:\Windows\SysWOW64\QMws.exe
| MD5 | 15dc3975db5785c571b8e6d4d1a1ad4c |
| SHA1 | e30f1a2cc55a06da044e821b0f409413f03984fd |
| SHA256 | c23de6f8665f42ef10e444da722c238aad7765159d08e91842509dff8bc7781c |
| SHA512 | c0bef343060ad2065078cb905e58cfe5b1ce2ad58dad014705ddee4b7747b8500e044d5498cebdfe93025ac49ffe61305010001fab96b06aa224736537a75c5a |
C:\Windows\SysWOW64\OEks.exe
| MD5 | 4c8bacafa6ddba0c85adaec0a948a80c |
| SHA1 | 1727115144723ab178dcb23b9a22795efa37684a |
| SHA256 | 5fbac12b2a4d23d3005388500bfbe5ba2639bc984480f60b8b2ce365f6134155 |
| SHA512 | 5fd7db2dc40b16f4338901df7d9f5b4fc29aab1783664059df5384cead67ab7efbd980066b1e61324adf7da6c805e5ca57adb5a736d9e1961699643c540e9cd5 |
C:\Windows\SysWOW64\uocg.exe
| MD5 | c196b7372ba3691ab3a0665c0dc4a44c |
| SHA1 | 6e813a330559ecea70be05e8cd5f1e0db935f681 |
| SHA256 | 6bf0d26a4e3ade6aae5af91c567f3b9ec497ef7f7627b04b0cfe5a0ea666ea93 |
| SHA512 | ee9783730197aa2a446731d2c08205cd07f57bfbbbeeedb18e02fd8d0b39c5db7d06c51c392df20fd797ed5ac6e3d6bb75e0fa92a9cd3eb68ba4e2a555cf7e9a |
C:\Windows\SysWOW64\KMkC.exe
| MD5 | 831533e2ef9d123ae3526a363ca5d46e |
| SHA1 | 3319672c8d5bfaf1c7f28d5c436f242ab762d7bb |
| SHA256 | 20184f92ed35f9f29c17aa257123e007530887d5b256506f87f1c4fb8803f807 |
| SHA512 | bda9321d13f7f24584d4947a3ac761a3765e1b2b43be6967a95f3a5889ca7575a60ad851f136d6cc00aa028205bdc28d911aa4f5d2a27761928a627a48837592 |
C:\Windows\SysWOW64\SkQM.exe
| MD5 | f64a7982482815febfb0aa6f24a9d065 |
| SHA1 | 80c677251afe05462b1f0dcfc60598ea207133e0 |
| SHA256 | 75b1e8e7d0a4c5a9730c6857d68ea49efec9b0cd92110ac81d8826b75c1ed4e2 |
| SHA512 | 1f5155025fb61c45716866cead308f23604a0d41682e96ba2dfd955e86fb0d1e1c6d42b0c1c154cf4845d09bec93ac260f4e930db3a4ebaecb92641a3a999890 |
C:\Windows\SysWOW64\cIwK.exe
| MD5 | 118b8ce6f9024a09e88ff5a170e9a993 |
| SHA1 | 1ffe59a17d499b7d7b681daf4eaef41bd94235cd |
| SHA256 | 6ab89183c70e3f5ffbc0826ae2496a97d7163baeeb4122b9f190febaa932732c |
| SHA512 | e34a529a6f31fab89542496babae57f54c6bdbad727515a2579ab64287cd78d80db5d81c00e86b7fdce32fd5793896f99bfb18744bab0cc6b0900656e98ab559 |
C:\Windows\SysWOW64\oMkE.exe
| MD5 | ef337eaa710a9e4e0af584b2a93a93a7 |
| SHA1 | 5a3c466b7af5bc79170f732b9f2469e3eb5e3dc5 |
| SHA256 | ee434f9f535ccc61e95a5179f828108e0d14ea43ee1e0802d4ecb49b217fa90f |
| SHA512 | 8dab94e97e518b180434e66507a7ed655a3a4bf27665255679b49d49be993b93b7963215a53d42bfc9a0da9df625de8a15f6d33baf7793c7f9fd663dc5ece934 |
memory/6072-1156-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Windows\SysWOW64\WMow.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Windows\SysWOW64\MgYs.exe
| MD5 | 24587d56767b2e3a42c480e3792afc77 |
| SHA1 | 08d98cb8d12f1d01627544e74c3a340257e77491 |
| SHA256 | bb347dd4a1c0706c270c7ed1d9abd349c9c44e1b2a493505c172e7880db40b01 |
| SHA512 | 8757be0695835ba32357a18bde48a6c5f20814b61f287331e5045118b178fe9677869a829ae48c9b6f4a9b9a21ed07ae18c59a2318a0765e36e1a703690574ce |
C:\Windows\SysWOW64\UsUU.exe
| MD5 | 07710fc353f3c9ea0ec852b28149a70d |
| SHA1 | c2d5c38432fff6146616785e72bf646df9e433a6 |
| SHA256 | b183845fa4a1aae3dfeb78d8441345d4cca54f13307204fd4bb414df4c982de1 |
| SHA512 | 33a2d475974c122d9c118f466e2b5794b1f433276d4da51e1dc0b8c13ea733ed93f879aa39d41abf1e8d0563576857d702e025090303b5c3fc264d33672dfa58 |
C:\Windows\SysWOW64\WEsy.exe
| MD5 | d619c4d8091e402cdbf96444192a0a4a |
| SHA1 | 69582e5ce5e49b7a1aad5b46f82aafb8ea1ede0e |
| SHA256 | 1270e83bbde550b964e15ce7bae0264a3f5c875072e7702ae94a371acb36d97e |
| SHA512 | cb8a4b6b0f77d888c6d5796e78861abff8c5230acbc0fa95c0c803f3d7b883028f2d2872731b8f639c2bf55da31aa589fc8d31b866d111b50dfc42197e814863 |
C:\Windows\SysWOW64\yEsY.exe
| MD5 | ba8baaa7a4682cec8cbbdf840c92c014 |
| SHA1 | 750616069133d7797e7bdc33bcd769f962f81852 |
| SHA256 | f9846fcf68392efd9388759d59b7c9675051028524a4cb473d595810de97aa6a |
| SHA512 | 364f71e88b932162257b95f159e60af4393f0fb8c297d79181a39c1d676e5805ad1f110961250e91433bb576a6368c2b91e1915b5d1668d0ddaeac06906cd1a9 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
| MD5 | 9aaf54d2b407b0c66f29f793f1cc3242 |
| SHA1 | 31220e8ced4edcf2c47341185359c053c118abf0 |
| SHA256 | 4ae005399e17880a1bb80dee48b20cfd2a7d1f0588f2cfdd6f2bda82f1433df6 |
| SHA512 | 7ae308d331441483450e8c3fab1ed943a1ce59bc1459fa4c63b1cd5607bbe8fbc41fc3e36b1f2e9128ef1d7217b44f1131fb746f7ef16c1af8987978043e3da7 |
C:\Windows\SysWOW64\KgEG.exe
| MD5 | 2ecfe9c6e3900ca44304925723f1f623 |
| SHA1 | 3fad79f36753c090243c4632032afc9457d649bf |
| SHA256 | 795f95072f45879bcd50c8112d57437a31c78b81cacaba99355bcb931aab5149 |
| SHA512 | 5c602875aec5daf85cefcfa1cc118d683a89c4dcb977577fcdf05ee8a69ae208543eac0000f0ba35d8356f59b23a0df197c18719ba180c83a926b7a7e3146534 |
C:\Windows\SysWOW64\QoMc.exe
| MD5 | c80b62ceb9bd6d0fc5d4e310704adfe9 |
| SHA1 | 23c4c0894ba292addd3f8c4280ad7e2a3e87e1da |
| SHA256 | 331bcd939f0871443432b0aefa241104293c1ed7629cd19dd49798dfe1e6f31d |
| SHA512 | f68fd19a9e1e50630eb3f037f2a7e9e3551a78c4f5e503ff887cf122af18f96af2a11acbb239fcdf4aba0679cf0c56eddb9e7da8e9af73dcf4ee9330a40209e9 |
C:\Windows\SysWOW64\csMY.exe
| MD5 | e6130e452eb97fb1b703ca7b1c0a3b1c |
| SHA1 | fd470e1ff24ab3eb115ffb3c66d09c4d2bf6c414 |
| SHA256 | c375dc67437541e2935c05b002688124ff36a562b489513d5150e093e7242e25 |
| SHA512 | c0fc2494492da050a1bca4cce0a6b0161de96af83cab98af8480be8d48a0f77814407adb0fdddf142b0c9982e2089d232c55ca397295b8f74c454a0b7f6159f6 |
C:\Windows\SysWOW64\CAgy.exe
| MD5 | 233bb177715b0e776bd29cdc4a248f2e |
| SHA1 | 296dd87dbff6c3b91cd80ffef47bc52e9e049397 |
| SHA256 | 4f0eef6a49ee2a6ea3103816379640a7cb1a6066d2e52b3db40c213751a7fc3c |
| SHA512 | 6013ba6532dbe4d156d5b4671ce5bc67188bef138613dccf323d89bcd1d1c52306095a73479db8a180ae1010e4cea9edb9ab87f396f6356c5ee34c6bb8b6e1e0 |
C:\Windows\SysWOW64\GUUM.exe
| MD5 | cc1a47246332d5f55e2216142b633647 |
| SHA1 | a5a73040a150bf4c94fde1321d5c9009bd46dcc4 |
| SHA256 | 8fe3dcd6f5c87fd5039a72c4fef6fc9f763b730a12ae1115056f7ba890bbc480 |
| SHA512 | 371dfe33bb41e3f15d4046ed461d5fbb61e13617c826ea75b3abd0bf72da390da72fe74966ae864c7fd1cf9ab2004cafec7ba6e41a6eb9dcd5df67a9e5398634 |
C:\Windows\SysWOW64\mkkm.exe
| MD5 | ccea885a7df51924bfbc63be995e0b7b |
| SHA1 | 5c8278ff5a269bfb2ed88e47df5eddf663d62124 |
| SHA256 | 1c2e8b571ef39bd0efd88add1d079cc2854a577923a9edc04e05a7e8cdfd6f0e |
| SHA512 | 643d06b10114845a96bd4b842b2f10f048d17783f40e9e9c27edb1b927c84c6169bad6f932204437862d8ab587c490335696a63cf8e3a7b72879ef9d1a37bd77 |
C:\Windows\SysWOW64\MQYk.exe
| MD5 | 55be586c1c822907fc6c46999cc32ecf |
| SHA1 | f938e092ab81a7e760cd29a87d738fe4ddab39ad |
| SHA256 | c2677d84639e7589e86ea7f27cd30651629ac86be4037b6e1a2606286c849a17 |
| SHA512 | d4184479a8f7c28133b4a19cb649b9c78323b3611cbba907d1e5873375c464366f5d5425c67d352b1ef8650c5d196b6d8d542662e21340dc111194c14c7bed31 |
C:\Windows\SysWOW64\mYQE.exe
| MD5 | f01d4c8c4a367d8d1a650e260adb1aa9 |
| SHA1 | 214a41d978b58a7d2515727f3af04012e78d9022 |
| SHA256 | 91c8411de17bb34b4f564215ff28c8c7ac52f51e3e43b997a00bee84ee98a348 |
| SHA512 | 8f33bd42c06826434f4bf73600d7627ebccf800eb7312a1b3180491f1fcdc7c1fb3153d7eaa512d22e6dd6310087bf683ff0f8e2d9c2de39428a71324055d553 |