Malware Analysis Report

2025-06-16 06:30

Sample ID 250515-lty9asdk9s
Target JaffaCakes118_0486b28f85e1557d6a69822e24c10660
SHA256 6b5a1e427536690c978c3b6a543f0b73fbcc03e3112c18a0bb01402d12bda757
Tags
defense_evasion discovery persistence ransomware spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

6b5a1e427536690c978c3b6a543f0b73fbcc03e3112c18a0bb01402d12bda757

Threat Level: Known bad

The file JaffaCakes118_0486b28f85e1557d6a69822e24c10660 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer trojan

Modifies WinLogon for persistence

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (56) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-15 09:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 09:50

Reported

2025-05-15 09:52

Platform

win10v2004-20250502-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\VEkUwsYY\\XQkYsEgA.exe," C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\VEkUwsYY\\XQkYsEgA.exe," C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(identical event recorded 64 times)

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(identical event recorded 64 times)

Renames multiple (56) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XQkYsEgA.exe = "C:\\ProgramData\\VEkUwsYY\\XQkYsEgA.exe" C:\ProgramData\VEkUwsYY\XQkYsEgA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XQkYsEgA.exe = "C:\\ProgramData\\VEkUwsYY\\XQkYsEgA.exe" C:\ProgramData\VEkUwsYY\XQkYsEgA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aCQckEcA.exe = "C:\\Users\\Admin\\iiEQckAU\\aCQckEcA.exe" C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aCQckEcA.exe = "C:\\Users\\Admin\\iiEQckAU\\aCQckEcA.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XQkYsEgA.exe = "C:\\ProgramData\\VEkUwsYY\\XQkYsEgA.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aCQckEcA.exe = "C:\\Users\\Admin\\iiEQckAU\\aCQckEcA.exe" C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XQkYsEgA.exe = "C:\\ProgramData\\VEkUwsYY\\XQkYsEgA.exe" C:\ProgramData\nmwUkYwI\OowUEMoQ.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\EcMm.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\ocYi.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\GyEw.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\Wiwo.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\KcUg.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\OEkK.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\sUAC.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\kIAs.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\yUoG.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\YcYa.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\eAwE.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\QMws.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\UYUw.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\mwUa.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\EoMi.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\GMIE.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\CwwE.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSearchUninstall.xlsx C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\YcYa.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\sIsS.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\gWAA.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\wQwA.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\EcMm.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\ocYi.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\soAU.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\QoMc.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\EWII.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\qEII.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\MIIY.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\aMsg.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\CwwE.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\eIgQ.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\IAcW.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\KMkC.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\mYQE.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\uUoy.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\Mosm.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\oQwI.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\gCkE.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\gYMo.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\EoQc.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\aEsk.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\AKEs.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\UsUU.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\CAgy.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\mkkm.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\kMQC.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\Ygkc.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\MEgA.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\EEYY.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\yUoG.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\cIwK.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\MgYs.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\IAcW.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\Moci.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\QQou.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\OEks.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\MgYs.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\UuMQ.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\WQUU.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\KSMA.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File created C:\Windows\SysWOW64\KgEG.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\uWUA.ico C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A
File opened for modification C:\Windows\SysWOW64\qoQc.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5460 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe
PID 5460 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe
PID 5460 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe
PID 5460 wrote to memory of 6072 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\ProgramData\VEkUwsYY\XQkYsEgA.exe
PID 5460 wrote to memory of 6072 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\ProgramData\VEkUwsYY\XQkYsEgA.exe
PID 5460 wrote to memory of 6072 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\ProgramData\VEkUwsYY\XQkYsEgA.exe
PID 5460 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 5460 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 5460 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe
PID 4956 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe
PID 4956 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\iiEQckAU\aCQckEcA.exe
PID 5828 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\ProgramData\VEkUwsYY\XQkYsEgA.exe
PID 5828 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\ProgramData\VEkUwsYY\XQkYsEgA.exe
PID 5828 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\ProgramData\VEkUwsYY\XQkYsEgA.exe
PID 5460 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 5460 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 5460 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 5460 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 5460 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 5460 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 5460 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 5460 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 5460 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 1820 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
PID 1820 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
PID 1820 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
PID 2724 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
PID 4688 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
PID 4688 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
PID 1500 wrote to memory of 6116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1500 wrote to memory of 6116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1500 wrote to memory of 6116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4892 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 5412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
PID 1952 wrote to memory of 5412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
PID 1952 wrote to memory of 5412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe
PID 4892 wrote to memory of 6064 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 6064 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 6064 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 6048 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe C:\Windows\SysWOW64\cmd.exe
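Reading guide for the table above, with an added example that is not part of the sandbox report: every child PID is listed three times under the same parent, which is the pattern a parent produces when it writes into a freshly created child's address space during process start-up, not what code injection into a running process looks like. The single row for the last edge (4892 -> 6048) is most plausibly the table being cut off rather than a different write pattern. The useful information in the table is therefore the parent/child relationship, and the script below rebuilds the process tree from it: it collapses the repeated rows, finds the roots (parents that never appear as a child, so their own parent lies outside this signature) and prints the deepest chain, which is the sample relaunching itself through cmd.exe. The row regex, the subset of edges embedded as input and the per-edge row counts are copied from the table; the "three rows per complete edge" expectation is an observation about this report, not a documented sandbox rule.

```python
import re
from collections import defaultdict

# Row layout of the "Suspicious use of WriteProcessMemory" table above:
#   PID <parent pid> wrote to memory of <child pid> N/A <parent image> <child image>
# Image paths in this report contain no spaces, so \S+ is sufficient.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
CMD64 = r"C:\Windows\system32\cmd.exe"
REG32 = r"C:\Windows\SysWOW64\reg.exe"
CSCRIPT = r"C:\Windows\SysWOW64\cscript.exe"
ACQ = r"C:\Users\Admin\iiEQckAU\aCQckEcA.exe"

# Constructed input: a subset of the table's edges with the row count each one has
# above (three rows per edge; the final edge is cut off after a single row).
EDGES_FROM_REPORT = [
    (5460, 64, SAMPLE, ACQ, 3),
    (5460, 1820, SAMPLE, CMD32, 3),
    (4956, 3168, CMD64, ACQ, 3),
    (1820, 2724, CMD32, SAMPLE, 3),
    (2724, 4688, SAMPLE, CMD32, 3),
    (2724, 1848, SAMPLE, REG32, 3),
    (2724, 1500, SAMPLE, CMD32, 3),
    (4688, 4892, CMD32, SAMPLE, 3),
    (1500, 6116, CMD32, CSCRIPT, 3),
    (4892, 1952, SAMPLE, CMD32, 3),
    (1952, 5412, CMD32, SAMPLE, 3),
    (4892, 6048, SAMPLE, CMD32, 1),
]
TABLE_TEXT = "\n".join(
    f"PID {p} wrote to memory of {c} N/A {pi} {ci}"
    for p, c, pi, ci, n in EDGES_FROM_REPORT
    for _ in range(n)
)


def parse_rows(text):
    """Collapse the table into {(parent_pid, child_pid, parent_img, child_img): row_count}."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            edges[key] = edges.get(key, 0) + 1
    return edges


def build_tree(edges):
    """Return (children map, pid -> image path, sorted root pids).
    Roots are parents that never appear as a child, i.e. their own parent is outside the table."""
    children, image = defaultdict(list), {}
    for ppid, cpid, pimg, cimg in edges:
        children[ppid].append(cpid)
        image.setdefault(ppid, pimg)
        image[cpid] = cimg
    child_pids = {cpid for _, cpid, _, _ in edges}
    roots = sorted(pid for pid in image if pid not in child_pids)
    return children, image, roots


def render(children, image, pid, depth=0, out=None):
    """Indented text tree, one line per process, children in table order."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid}  {image[pid]}")
    for cpid in children.get(pid, []):
        render(children, image, cpid, depth + 1, out)
    return out


def longest_chain(children, pid):
    """Deepest parent -> child path below pid; this exposes the cmd /c relaunch loop."""
    best = [pid]
    for cpid in children.get(pid, []):
        cand = [pid] + longest_chain(children, cpid)
        if len(cand) > len(best):
            best = cand
    return best


def uneven_edges(edges, expected=3):
    """Edges whose row count differs from the three rows every complete edge shows above."""
    return {k: n for k, n in edges.items() if n != expected}


if __name__ == "__main__":
    edges = parse_rows(TABLE_TEXT)
    children, image, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, image, root)))
    print("relaunch chain:", " -> ".join(map(str, longest_chain(children, 5460))))
    print("uneven edges:", uneven_edges(edges))
```

On the report's data the chain from the original process is 5460 -> 1820 (cmd) -> 2724 (sample) -> 4688 (cmd) -> 4892 (sample) -> 1952 (cmd) -> 5412 (sample): each generation of the sample spawns cmd.exe, which starts the sample again, and each generation also spawns its own reg.exe and cscript.exe children. The two cmd.exe roots (4956, 5828) start the dropped executables from outside this signature, which is consistent with the persistence entries the report records elsewhere but is not proven by this table alone.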

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe"

C:\Users\Admin\iiEQckAU\aCQckEcA.exe

"C:\Users\Admin\iiEQckAU\aCQckEcA.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\iiEQckAU\aCQckEcA.exe

C:\ProgramData\VEkUwsYY\XQkYsEgA.exe

"C:\ProgramData\VEkUwsYY\XQkYsEgA.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\VEkUwsYY\XQkYsEgA.exe

C:\ProgramData\nmwUkYwI\OowUEMoQ.exe

C:\ProgramData\nmwUkYwI\OowUEMoQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\iiEQckAU\aCQckEcA.exe

C:\Users\Admin\iiEQckAU\aCQckEcA.exe

C:\ProgramData\VEkUwsYY\XQkYsEgA.exe

C:\ProgramData\VEkUwsYY\XQkYsEgA.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCIgoscY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKwcEoUs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyssYkYY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIUAUUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWwAUoAI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIIsIUoc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkUYAUQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwIsIAYM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwEEYcUw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYwQwsYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReEEMoEY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOEoIsQc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUkEcIsI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmokcgEU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuMYIgcE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYgcsooI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYQoAgoM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKUAUQYU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsIkgAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIkoUIAg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUEwQoUI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mowEIMgs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAwYUEsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcsMIYIc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DigYwAcE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOYEEEkA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaUgUIQc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwEAEEMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgoEMMkg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyEgYkgM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEEkwQkg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCkwIsQc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEoMoEwg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FssogIsU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWggAMUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYgcUIsk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYsEEosg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIgEkQkc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwokckMA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgwYgIUU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyEgAAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOgoQswA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 128d254a3e5719f0b0eacc59bfaa5319 iacK7xVHxkW0Th4DIdwJ+Q.0.1.0.0.0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcAYsUgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkcIIAAo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIIkgEUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsMAQEcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqEIgIMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeIgwIws.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyMgEEQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSkQIQsY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsAYEwIU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgooEYgM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKgsQQMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAwIkEgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgEUUYoo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgkAAIks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWoEsMIA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYgcEgEM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIEsAcUU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMsQccUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMogAMMw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niIowsUI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FusIscQM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmoIwQoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKgkoYow.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOIgEIoY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMQocowc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmsYAwcI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsYggkgA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcgQkkEA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMUYsoYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EskQUcss.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyUQIgks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syEAUIso.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCMMwcwg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAMsccks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xioookwo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv iacK7xVHxkW0Th4DIdwJ+Q.0.2
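The process list above is raw sandbox output; the following Python is an added triage helper, not part of this report or of the sandbox vendor's tooling. It re-parses the printed command lines as structured records and flags the three registry changes (EnableLUA=0, HideFileExt=1, Hidden=2) and the launches staged from the user's Temp directory (the .bat wrappers, file.vbs, and the extension-less copy of the sample). The sample inputs are copied verbatim from the process list above and from the Files section below; the one-line descriptions of what each registry value does are the editor's own annotations, as is every rule and function name.

```python
"""Triage of the process and file listings in this report (added example)."""
from __future__ import annotations

import re
from typing import Optional

# Constructed sample input: command lines copied from the process list above.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660"',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKgkoYow.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660.exe""',
    r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'cscript C:\Users\Admin\AppData\Local\Temp/file.vbs',
    r'C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc',
]

# Constructed sample input: paths copied from the Files section below.
SAMPLE_FILES = [
    r'C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe',
    r'C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe',
    r'C:\Windows\SysWOW64\SEAi.exe',
    r'C:\Windows\SysWOW64\EoQc.ico',
]

# (key, value name, REG_DWORD data) -> effect. Lower-cased because the
# registry is case-insensitive; the effect text is the editor's annotation.
REG_RULES = {
    (r'hklm\software\microsoft\windows\currentversion\policies\system', 'enablelua', '0'):
        'UAC disabled (EnableLUA=0); takes effect at the next reboot',
    (r'hkcu\software\microsoft\windows\currentversion\explorer\advanced', 'hidefileext', '1'):
        'Explorer hides known extensions, so guest.png.exe displays as guest.png',
    (r'hkcu\software\microsoft\windows\currentversion\explorer\advanced', 'hidden', '2'):
        'Explorer hides files with the hidden attribute',
}

TEMP_DIR = re.compile(r'\\appdata\\local\\temp[\\/]', re.IGNORECASE)
DOUBLE_EXT = re.compile(r'\.(?!exe$)[a-z0-9]{1,5}\.exe$', re.IGNORECASE)


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace but keep quoted runs whole (shlex in POSIX mode
    would swallow the backslashes in Windows paths)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def program(toks: list[str]) -> str:
    """Base name of argv[0], lower-cased, e.g. 'reg' or 'cmd.exe'."""
    return toks[0].lower().rsplit('\\', 1)[-1] if toks else ''


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Structured view of a 'reg add' line, independent of switch order."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or program(toks) not in ('reg', 'reg.exe') or toks[1].lower() != 'add':
        return None
    out = {'key': toks[2], 'name': None, 'type': None, 'data': None}
    takes_arg = {'/v': 'name', '/t': 'type', '/d': 'data'}
    i = 3
    while i < len(toks):
        field = takes_arg.get(toks[i].lower())
        if field and i + 1 < len(toks):
            out[field] = toks[i + 1]
            i += 2
        else:
            i += 1  # '/f' and anything unknown: bare switch, no argument
    return out


def classify(cmdline: str) -> list[str]:
    """Findings raised by one command line (empty for benign lines)."""
    reg = parse_reg_add(cmdline)
    if reg is not None:
        rule = (reg['key'].lower(), (reg['name'] or '').lower(), reg['data'])
        return [REG_RULES[rule]] if rule in REG_RULES else []
    toks = tokenize(cmdline)
    prog = program(toks)
    findings = []
    if prog in ('cmd', 'cmd.exe'):
        # cmd.exe /c ""x.bat" "arg"" or cmd.exe /c "x": take the first path after /c
        m = re.search(r'/c\s+(?:"+([^"]+)|(\S+))', cmdline, re.IGNORECASE)
        target = (m.group(1) or m.group(2)) if m else ''
        if TEMP_DIR.search(target):
            name = target.rsplit('\\', 1)[-1]
            if name.lower().endswith('.bat'):
                findings.append(f'cmd.exe runs dropped batch script {name}')
            else:
                findings.append(f'cmd.exe re-launches {name} from Temp')
    elif prog in ('cscript', 'cscript.exe', 'wscript', 'wscript.exe'):
        for arg in toks[1:]:
            if arg.lower().endswith('.vbs') and TEMP_DIR.search(arg):
                name = arg.replace('/', '\\').rsplit('\\', 1)[-1]
                findings.append(f'{prog} runs dropped {name} from Temp')
    return findings


def triage(cmdlines: list[str]) -> list[tuple[str, str]]:
    """(finding, command line) pairs over a whole process list."""
    return [(f, c) for c in cmdlines for f in classify(c)]


def renamed_with_exe(path: str) -> bool:
    """True for guest.png.exe style names: a non-PE file re-labelled as .exe."""
    return bool(DOUBLE_EXT.search(path.rsplit('\\', 1)[-1]))


if __name__ == '__main__':
    for finding, cmd in triage(SAMPLE_CMDLINES):
        print(f'[!] {finding}\n    {cmd}')
    for path in SAMPLE_FILES:
        if renamed_with_exe(path):
            print(f'[!] extension appended to existing file: {path}')
```

Run as-is it reports six findings for the eight sample lines and flags the two .png.exe paths. The reg lines are parsed into key/name/data rather than matched as substrings because the report shows the switches in two different orders (the HKCU lines pass /f /v /t /d, the HKLM line passes /v /d /t /f); a structured parse catches both and any further permutation. The contents of file.vbs and of the .bat wrappers are not in this report, so the helper flags only their launch from Temp, not what they do.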

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 google.com udp
FR 216.58.205.206:80 google.com tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
FR 216.58.205.206:80 google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/5460-0-0x0000000000401000-0x0000000000477000-memory.dmp

C:\Users\Admin\iiEQckAU\aCQckEcA.exe

MD5 d6e0ba831a58835550712b616b5e5bcc
SHA1 fccb200123e2bfb042b2104a090dcbb283fcc766
SHA256 a1422e8e2b7dc52c429c5f438a9b6c8721327cb2dbde306a8bdeaf3cc5a6ee07
SHA512 972dd4cdb996f02be9ffd58b5b7abdf0a7108cb9d6cb6bc6eb33a234219b02138a68adb6a4eb9310b58f5dd0010bc9ce25397c4e3ce9750524dbdafb89c06228

C:\ProgramData\VEkUwsYY\XQkYsEgA.exe

MD5 c4185fb087dee162655ec58ac0fa131a
SHA1 1681e564099f9911fa71a08757d9a82056d091c6
SHA256 c12ad564bb043ab365c4cb3145659a8140144e7f86b714f230e05a838d95a55c
SHA512 c438a272dbf9bb4c86849735399f01037abcab6020e33e427b63164f529384dd70f8250605760c765ab66f1f794c57e63a5980407f1c54967d375a98ad10bf78

C:\ProgramData\nmwUkYwI\OowUEMoQ.exe

MD5 b9dcfa54a10daa61ff49f6f421106227
SHA1 837e604720ec01708b84df12cc717f25cb9d903d
SHA256 c37295013ec7e516113c4612828ca672a4af4a73d04f4def342259a56f391099
SHA512 33472676df04e68c306e20957efaea24bfdeee444686d5e0e420697450cf07b20a1b04e4b975c33352bd3f8d6b03b281c89c1b1bd48ecfe82251f08e1a1f17f6

memory/6072-13-0x0000000000400000-0x000000000047A000-memory.dmp

memory/64-6-0x0000000000400000-0x000000000047B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0486b28f85e1557d6a69822e24c10660

MD5 672a1f1de82c3076688c129d2c89d0e2
SHA1 02e8f06ad6888c9fb28059f5eac065b7bbfdd365
SHA256 1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363
SHA512 e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

C:\Users\Admin\AppData\Local\Temp\BCIgoscY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/5460-142-0x0000000000401000-0x0000000000477000-memory.dmp

C:\Windows\SysWOW64\SEAi.exe

MD5 b527f099d0131b3497a9b738ec5a5f1d
SHA1 4751618aa8c80d899a1119e554200936692b630f
SHA256 ba577c97c2aaec2d76b7d8f1a0605a7552a9c32f758fadbf7330c760091f1469
SHA512 3a75f2432218f38a42b03566837a207d18870bcf95c7a108fd493cfea264d972978bd75c650b6098a443015ca62e072765adc981223ec82ba8fb24494b4f39c7

C:\Windows\SysWOW64\iskA.exe

MD5 ebc64d4a9a91760ee13c2cf471fe5aaa
SHA1 83bd84a906cd32bc29aa5b82d6194a89c99c70d3
SHA256 b8663c250bb221cfcf004be6ef772b34957fdfe12f1f13a6f039a308a5ed54c6
SHA512 697d7604807f63b4c8599e8ddaaf73dbab1d1929811b17ec15e560b60c961da3b1deb4e771422e74c90db94173a14e20d13f876e6156f38a9d3b4a3d850b460e

C:\Windows\SysWOW64\qoQc.exe

MD5 5ac689cd2f341cb5fe3a3f65a3fc4092
SHA1 fd4da947b952f1c9ec4fca31db8d94f50bfc349a
SHA256 20344f42411ddb7949fa169998f79e4e7a6f2925392b78c9fc96cc3f0d29f912
SHA512 de998b0d3387f4e8248dff97e577e9eebc5a72a0315b21d952810cc8ef8134d2971f68357ed3166e1eb978a181f5bb5848316a83d4e923040f37eafa1e0d1508

C:\Windows\SysWOW64\EoQc.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Windows\SysWOW64\eIgQ.exe

MD5 1696ac70e2d910813a58cd2324f3dd90
SHA1 7b1f6f1c263300c35844ee7baea0ede67a2639bb
SHA256 d76a26c7811138e4e1979429ade34b9b62538661f196526114a84ff6ae952498
SHA512 f2f777b9aab6d7a0b7432cec2e7474bdcca37e91e346e72f1c6a68e8dffac039d4db040884dbb5ea5277acbe91f9bb810fcc5c28b4666eaff72d48606025ccde

C:\Windows\SysWOW64\oQwI.exe

MD5 62064f0b2a70452bac01d94af9154d61
SHA1 43f318a8b16fdaa697d153ff16124320d2425888
SHA256 bfe1f5d3ad9f88783daf766e3769a4ee31d5f5306ab2844b497798c4b1b16e7e
SHA512 f01f39afc6cc6fdaf76a8e07030b044bbf5f2f039b3b1da47768fcbcb21b201619a265c3480b37ac2e1e2c2ab26747ad4f353e5931a0f40c3f8cfb6347f2a2f7

C:\Windows\SysWOW64\mwUa.exe

MD5 c0c0c23613f1b0a965ec6f79073639ab
SHA1 1fbab05fe9af27aa29bafbc295086941c656b14e
SHA256 1d03e30b6de642955d046946768e5dd2df45c6291c2912c6e08c43d6f65c1d4f
SHA512 a9568a9eed50bd7de05966af8410629e3aaf2162669197180623f3e7090537d800f123e40ec1621084e90bb108f523573c4fb8f8b3a36efbdc03ce5e8790ca9f

C:\Windows\SysWOW64\Moci.exe

MD5 4035affd40fa37b0b29376864b921b59
SHA1 1f0de14ccc07a596033b91ca375428d79f294553
SHA256 a333729a9303e53e5db116f9f5f32df0141021e837ba45aa31cdf978856b79f9
SHA512 e7326050c7bb6b87b71be9f11c170ba79a697641462c5ba11e32ac21f4067ae6a08972f4b8b742f361d33db3181605ba3f9a37a9f20138db3e89ecc1f30df010

C:\Windows\SysWOW64\qAwg.exe

MD5 c6b4f00f33f96e38b8c9f0758d20dbc6
SHA1 e11c16a1bb26b124fae6257e42888f6c37eb4b4a
SHA256 6e1a4ce01e4826605e96c42f8a91f6ee50e9478a77cfebbbecc59728aa9e7a9e
SHA512 c3fa05ad8508fbce5fae3d22e4485851488cbff45d44a6d32b42b4b811f39bc8889a71d68d0fc67cf27948f6cee7e346e936f67fef495fc68429ac501bb7770b

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

MD5 997b610669905b4b7dad786cde15a084
SHA1 8736195a2a7cec51fb5125d14c368e473d074fc1
SHA256 060582e1260ef162baca55f1e8ee218fdc747aa790d6e3f9654cb8e4ee5441a1
SHA512 bd1564f355bccfbd073192e291ad405b2996adf1a62154831c07207aa2421fb371fed1eb3c28608208c9a3d2320bccdaf423ccfa869564584a165a0bc9f46ffe

C:\Windows\SysWOW64\qIIK.exe

MD5 f9146704b58e5124573d658414aca858
SHA1 b0ca0d6f490b6ac0cfb52526e4e6924087e7d77b
SHA256 b76419358d79b50f7600a931ae2f8565aa378f114c05a4c4213381e59a2e246a
SHA512 99f8c69270e615c21139a0a17d823d3f9c99039f8982356c8913fa951069b79276ee0a847d1801e18a3c9469a7689341799e9ca2b7ab0872dda2dc8ff7633333

C:\Windows\SysWOW64\wkUq.exe

MD5 8103ebe2562aeae6778d0befaded48ae
SHA1 1ef098f6cd603531d36f161b41d579f27d83c9a4
SHA256 9d0eaed853b932f2da7fc7996238135da063ea29f6ac9d05942391a4e790dc23
SHA512 f896d18dc9bfcbbb9c65a7caad87ed3609826b5fbbc4f08d394014a069f9a8799dac09c946f88f30cd0a421b691f8a0411b722101dcdcb2057790b5318e85b41

C:\Windows\SysWOW64\sgUe.exe

MD5 d63936ffd8a869d204d835bed56ba36e
SHA1 dccee411d44d5124a0595334198ed75b6256dc6e
SHA256 59e24100012433bcb60ab107018b087d04b99c9ca760ec847cff19031e2797f4
SHA512 50ca8d3b71958534902319058146436631e6a6e664c74add6ce01790c979850d924ad31d5d019eb1f6cadc1b827c0c6355662a8043bf91d20fce19bb846f700d

C:\Windows\SysWOW64\EWII.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Windows\SysWOW64\qEII.exe

MD5 7ad6c40b57037af509a02ed69a7f921a
SHA1 b09679f51399b1a92b97ed1548a91de7307e7b29
SHA256 5736cf700b8483c9ffdf2c305d934eb4e433fd6e5957f189cebe5abcbc86bc44
SHA512 3ba3beef1d729a988516528b7ade8947017f9b3e8fb2e4bed719dfee0175d539763ed5328413d587c3641dc9a0648c13ad3e307ba5e215c7217e66ada1d39be2

C:\Windows\SysWOW64\CYQy.exe

MD5 1cdb4092c6cec50d107ba1f017807b8d
SHA1 6aa60a6410f885f5fb63f4e3329c1e0e41d7915b
SHA256 a9cc7f5731f9f196d1f56fa46406f761345a3e027d920e7165b7f3c93cf67aec
SHA512 1df2a79a80c64c35d6bf9c9c1c73baad4402026a12a486c1dbb1f7904a21bfe3d24324f04b67aad37c13ebc8a8b4db89abe57f439ec83d968077c9a2656ea78e

C:\Windows\SysWOW64\iYYQ.exe

MD5 c64ab51fd2bb092fcdad614ebdb64a7a
SHA1 604e668ff3fde559854cac7c42094cade513034d
SHA256 96ef3a73a49f8983b4f00729e5878d401c18bf91aec7a7670b1c9d5c7784a4d0
SHA512 9eb57530b0e1e2953cdd96212e5a8b60b903b546152bc41e6603412bfb0eea30d8fa491c00092f162411df3a9e687ec464cf7f1b4ee79659bdb51a73233c7344

C:\Windows\SysWOW64\mcMS.exe

MD5 d64bff449c01ad4653cf41813d81b198
SHA1 e7ba3a8bc1169c948a7c6bf39712ad0d51afb2b0
SHA256 8eae34db75ec3467df300833303ceef61fc9d21641fe6f89019207ec7e4facb7
SHA512 f72e71dd3dda227dbf50e611a0fe3ac37638427f0b34e21b9c51c7a9684e75d2f6602894cdef05a14322c0af76df4fc48461a4c4a4ff336cb14dd0de10b0af7e

C:\Windows\SysWOW64\aoQQ.exe

MD5 57d7162e44214ae9b3a1b93477bb9be0
SHA1 cbff916d43693dd4fe82cbad89448c8f0a33240e
SHA256 bbe81692a4fac1c5925d503eb2f8e0e8c40cee4a0563af09521fd3ceed8840a9
SHA512 5487be690b93c4be58894e1df4e6fed8d3b2ad12440e0ecdcf5c44901870243aca9fee2a5fcfdf69cb034eca9f435268ee17d3077b21d911ba1d3384d750c406

C:\Windows\SysWOW64\osYO.exe

MD5 c56b44189694754f5bd5307605f4a1c4
SHA1 c7722bbe2216ecc5cea7d274661919b2e6f20195
SHA256 d296a8e6f585ad67ea86415e84c9e6fa3af50476cdf15e1e0f727fee8cf5a61c
SHA512 1956891285b24513b3e5cf18a46b210555769fa0388028b316d8729f3b34f5a8155a97f8766325a3fe052a0eba20f0c0f2ca01911e13b282df6a6ea0a250e773

C:\Windows\SysWOW64\asUw.exe

MD5 8435d5738abb74aa7441ac5d170eb9ee
SHA1 c1c2bca228520f01763d84db9d045ec5f48c2e4b
SHA256 163aa23919a2015f6f469e88e9fd1c2d253cb7ea1a8062754ed2e28a264f875f
SHA512 67730aad4a0fb76962cfed0f9562db5d05325f74531bc0d6287fa913e1e5831563da67287d44b9a49bbbaadd4ef0f854fb1b7a03b04204cf81541e7855c43be5

C:\Windows\SysWOW64\QgUC.exe

MD5 7312354e9812affc2f08ea7a04a74448
SHA1 0aaee734fe5c166b74a2b762510a5e3eac2600a1
SHA256 47f3021cc912f170ccdc6bb0e7b78889f6d89b406dc3c792c8e22e7d78c9344d
SHA512 bfe5bacf13c69ac899e04c750e605b107401bed7db92cfdca2a639ffaac1962b05db785607c541bb62682040690fc8262cc1edf7e9af9377c2727c94f5291a42

C:\Windows\SysWOW64\EoMi.exe

MD5 5334b7403bc5c4b23effce91efd13c42
SHA1 b27bce62bb7dd525c570fe58d64fb51279d65f59
SHA256 9906c804f7558765f3dc14973ae386378b3370a6e32735aaa716fa9081e0b3e0
SHA512 a233e12e3cabef9e3d6dc5283b3db097a5c1ab9972eb5bce4aa53301cda352d26ee2a6bac4d64f267fd1de9610fc693d0e86585fe5c4dc8361b1878a46f0723e

C:\Windows\SysWOW64\KcUg.exe

MD5 8a3636d12a8c8592184128a388a21627
SHA1 9bcb4f69ee62a451dd0bf768a06f08bf3b198490
SHA256 9e76966aeb06b0d38ad3d15dab90c3908738770aba14721573fddd743ea89c13
SHA512 62b8b3586f0ab5042d610c016f7f2b6d7878e8b68ec079f1976acb2ece733858ef6556050fc96581b5a5eb3a3ac0c49648a3c9d0f39e619d6a2416353b559ee8

C:\Windows\SysWOW64\YcYa.exe

MD5 d2c4bf317e221fb2cd1f121ae4ba4e84
SHA1 ef2c07f827f7d729e4ed52f3aaf2331f397bfa72
SHA256 ab94da41800828ccb88b57ccd7dfd9e2205ca35269922b8e611cc30292cb6047
SHA512 aea4c2475785d726043c5e517ce0cc16f4621d94e94210e4ea8f5fa138549ea83c73ca87897f7fd0e934a8da54094c8218a036953cd9a57655fddc7156f52f7f

C:\Windows\SysWOW64\MIIY.exe

MD5 ce98da2646058145b71e49415f7920a2
SHA1 5d59bc0fcd93527739e1775985010889bc03672d
SHA256 44d80073919491d5d9379f1f28370aa7d000fca524cbaed3ddb767c9d9dfcbfa
SHA512 9583c580e05004ade33642e0ee545eefcf6b9493e68ca25713127de2c9141e269e0b4fc9196e67e9eaa02752803ae0ea7e6ed36de8517482da88c71eff774e02

C:\Windows\SysWOW64\QQou.exe

MD5 bc3fea841bc5de4eabed3deccb397208
SHA1 5527774c3390e38e0e2d70abef0ebc54d29faac1
SHA256 aa95a246318c680dc962094e4d41fa3598d819a86b8200fc02dcf01c36d1cf5e
SHA512 7a332bbfc3e775492a115cfe20b5f9814c1e2e7287a7cedd6a011a535e6cd879d66b15e5de203fed9220baf710c39fa719c85ff56d8779e2fb7dbb13829b1909

C:\Windows\SysWOW64\ooIa.exe

MD5 aacdefa5b2efe1eb6cd7b0f0aa630733
SHA1 457f4ac318b3fe7b5fefbafb8a57628a3c78c719
SHA256 0cca422be2e4e1ccdcc5255a704c61f2f5d96a34b2012c1015776730d06b71dc
SHA512 5c407edf7a17b467fe466eb8a67ad612501e59ade564a9f9fd6f1b3d51fee2c7a402169784ba217261ccc0284f0d213f2ed3029fe20bfd6fb1c848fd662e6f02

C:\Windows\SysWOW64\sIsS.exe

MD5 d7d7b21287d7f3353ea27a7a87d49486
SHA1 15add4970acadbaf5a29a044a06c1638ccf34035
SHA256 1dec4fea47ac587754492219fdb3bb13408f594d9a3014d9c5de07670d8aaa1e
SHA512 8cbe918a7685c68eafae0a50a304dd7fa92691a2e62cc20fe400acecc963dbee4fb2562c6d3cef8e2d3e6ad6fb9535829b2f7385e289dd531169a1a528dc563d

C:\Windows\SysWOW64\wkYE.exe

MD5 2762c715124aa0d5ae35e01b435ca720
SHA1 86405885089b9c235c4d645561ef3a5e85925973
SHA256 2255f7e02ebd19594aa2503089ab54dcec7f3d7283b5a3c181185550ca9673b9
SHA512 c1cf74f77d931a3dd359236db67c424a0937a8a7695e987d246608ed9f2b8a2478f97e67dca8c0fa30ec9764a1df6505c151659e2e548559d5e6b21ed9f076a7

C:\Windows\SysWOW64\yYEu.exe

MD5 f72a33caa6e35f0fc51cafdca2480806
SHA1 bf0ef0132fc182b441f44133bfd84d812db406ed
SHA256 55b65ec543767c447c2efb8eb1a28ae347649d70d89fdeaf013561d1f6f48b3e
SHA512 087318f74ed2a0f8d4808b8ac8b73f6af180c858536ea4307bb1091aee552198c3beca592c2abc88601e8f76c107c54102513a9d5b366f4034fa6969c4532fd7

C:\Windows\SysWOW64\uUoy.exe

MD5 3402bab2dc453fe5d1c426a2c68b6540
SHA1 d223339cda45df39e7e0a5541b47e26dcbf5be33
SHA256 d956e24a6bf51d29ef04b4c1b04ec768d03845b84d96447df8dbcf010cf8ee14
SHA512 e11c2b7b66b0b14b3aade05caca1c97dbe7e6bb892949d0449619b140556c1e940917c830fc204bc05ca6cdebccc0c19ac8126cf50d8a5bc87adff5376906af9

C:\Windows\SysWOW64\GMIE.exe

MD5 2d2420cb35e238389a195b75a7db2b92
SHA1 0b7e719abce496e88fa41069b4d2ca82a260bf20
SHA256 393af1cf5bbc2dacb79219a6daaf08e5459f666afaa30cd1ea8c509dd930cddc
SHA512 0ccde43c43a43ecc88a06f4423ab749705cc409d283c0e13d37d503efa8463c2b00139b543283c4b7d245b91e600ca3df65e86028c7aa0a2a177718262396f7e

C:\Windows\SysWOW64\ogsM.exe

MD5 c245d2b4c19a1e651e4e68b788c463a4
SHA1 058865c7c557f306301a04a4103e7cefa3a203ff
SHA256 3fdbcc690da682a5c069e7bddbfb40c0eccfd5881d7bccd1f16d8be4fe18a02c
SHA512 d0669ae5aa7b862329b99896b9a405d96cda9829100b93e9b21ebc6b4bc9c2e29a58d4ecad724784d8a0bb500da6eac7649600eb5519fbdf4b7b8336bfac04c8

C:\Windows\SysWOW64\eAwE.exe

MD5 76d24403fd1d917950da71433522b5bd
SHA1 9387202d8490ad798a5b71163ce4f57d68184b5a
SHA256 85b0b3dcb000a1d55b65bb949b9ef5d63514c3f0ed4797313cb5ad86b9e3c415
SHA512 07428c952bc9a88fe6bda2fb279d302d8b799fea4ef127b63b9b121fd6177b69f22d1c445c62ce05097584ee3a59b34ec7b6b5f86bd5b02a38563b77ebad4a4a

C:\Windows\SysWOW64\oMoC.exe

MD5 4218d5fad004ef00cdede8d72ef2c992
SHA1 89de08349d4ddbee67589b47e57c095fba5fc352
SHA256 5a384840bc02bc79927e86ae27ba587c1fa9a99d2e21d318cbf73cc191aee9b5
SHA512 413579b92ec4b354fab19d623f9c81a0ac9513b5fa29dee50727edf12539843400b3405865e6267b95d11e14c4843f9b8deb1b1b2d17993371a63485f554da96

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 77e6e63e2257f466872feb1de0b29324
SHA1 52fb64de9eedd3a936142119d9ca1eebf58ab552
SHA256 357b6c2c5ada3ef3407e69778e75e8c6a2708c7bdabc5d5eca92758e38dcf735
SHA512 88542c0674c024c5a39bbd6d40b6c09e642f3d260bf4a1caa5ceb4814af1ca0a1ddc2bc6585757ae4ed1e32dd9e06d90c1a0b8869a79ae38c8b25f497dfef849

C:\Windows\SysWOW64\IAcW.exe

MD5 8e72f3025de62d8cc1bc56dfeee36316
SHA1 83a7f5005ea208b02084b4f945d6878d5170c885
SHA256 4f6815f7911e14436e7ace595031e89a24034e2ff9b5e69a2828bb081b7d6085
SHA512 99a86290579b89d379131f38cec7c4f873d7642e599a5bf3d41de76b723d830c418e665081bcc08b3849ee1475c052a3613c25af17b53152d0f0e7dff44880d2

C:\Windows\SysWOW64\CEYM.exe

MD5 943bb3dd3bbe43a88ad56b0b2e2d5716
SHA1 72691cc7f8f7c4e6e4b92768d0a4d9432e712ac8
SHA256 f2aa34f81479dcdb4ef04e92143ebf66f5668caa05e2d0d77cacbcb5091bb096
SHA512 50e0e26f23df3dbdfcc28c2523abe7c060ef81d563c670dc97438a2bc52dd09c47e854dc9f6adb2843d41949e49120134de84a39688c9cdc912490e7aea4a716

C:\Windows\SysWOW64\acQI.exe

MD5 f3d428feab2c9c3b4a9f6e9c1288455c
SHA1 e7d2194fba087d8cabef137e78e59d4fd8504277
SHA256 9f6d09663a1906ac467da0b73b950f71ac2c10c51c259735183795a59296f9f6