Malware Analysis Report

2025-08-10 20:10

Sample ID 250518-l7lv5aar21
Target JaffaCakes118_06a77e396c6b61b851e152328bb34960
SHA256 40c503b54870d9e9036be1ddf841b7583fc0c0f35c3cd6855b29ccda113427b3
Tags defense_evasion discovery persistence ransomware spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V16
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 40c503b54870d9e9036be1ddf841b7583fc0c0f35c3cd6855b29ccda113427b3

Threat Level: Known bad

The file JaffaCakes118_06a77e396c6b61b851e152328bb34960 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies WinLogon for persistence

Renames multiple (56) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 10:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 10:10

Reported

2025-05-18 10:13

Platform

win10v2004-20250502-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\ieYIgAok\\aGgkwwEk.exe," C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\ieYIgAok\\aGgkwwEk.exe," C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (56) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation C:\ProgramData\ieYIgAok\aGgkwwEk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eYIAYAUk.exe = "C:\\Users\\Admin\\uoYcscMQ\\eYIAYAUk.exe" C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aGgkwwEk.exe = "C:\\ProgramData\\ieYIgAok\\aGgkwwEk.exe" C:\ProgramData\ieYIgAok\aGgkwwEk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eYIAYAUk.exe = "C:\\Users\\Admin\\uoYcscMQ\\eYIAYAUk.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aGgkwwEk.exe = "C:\\ProgramData\\ieYIgAok\\aGgkwwEk.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aGgkwwEk.exe = "C:\\ProgramData\\ieYIgAok\\aGgkwwEk.exe" C:\ProgramData\CUUEAkkc\uOwYwYwg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sheWatchSkip.png C:\ProgramData\ieYIgAok\aGgkwwEk.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\uoYcscMQ\eYIAYAUk C:\ProgramData\CUUEAkkc\uOwYwYwg.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\ieYIgAok\aGgkwwEk.exe N/A
File opened for modification C:\Windows\SysWOW64\sheRestoreConvertTo.docx C:\ProgramData\ieYIgAok\aGgkwwEk.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUpdateImport.docx C:\ProgramData\ieYIgAok\aGgkwwEk.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\uoYcscMQ C:\ProgramData\CUUEAkkc\uOwYwYwg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheLimitConvertTo.jpeg C:\ProgramData\ieYIgAok\aGgkwwEk.exe N/A
File opened for modification C:\Windows\SysWOW64\shePushEnable.xlsx C:\ProgramData\ieYIgAok\aGgkwwEk.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUninstallRead.wma C:\ProgramData\ieYIgAok\aGgkwwEk.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 760 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe
PID 760 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\ProgramData\ieYIgAok\aGgkwwEk.exe
PID 4576 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe
PID 2272 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\ProgramData\ieYIgAok\aGgkwwEk.exe
PID 760 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
PID 760 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\reg.exe
PID 760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\reg.exe
PID 760 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\reg.exe
PID 448 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\reg.exe
PID 448 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\reg.exe
PID 448 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\reg.exe
PID 448 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
PID 2956 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 60 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\cmd.exe
PID 60 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\reg.exe
PID 60 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\reg.exe
PID 60 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\reg.exe
PID 60 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe"

C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe

"C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe

C:\ProgramData\ieYIgAok\aGgkwwEk.exe

"C:\ProgramData\ieYIgAok\aGgkwwEk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\ieYIgAok\aGgkwwEk.exe

C:\ProgramData\CUUEAkkc\uOwYwYwg.exe

C:\ProgramData\CUUEAkkc\uOwYwYwg.exe

C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe

C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe

C:\ProgramData\ieYIgAok\aGgkwwEk.exe

C:\ProgramData\ieYIgAok\aGgkwwEk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAIgEoAA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMcQcUIk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmYQoccQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyUsYgUE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kysgYAEo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiAAIYYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqwMQsYA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqEIEYsM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKwUgYYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSsMYIEY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiIYEcQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuQwYsYs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FugUkYQA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoIAcMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwoogUwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 9a78b82209351bab0bcda10135da1764 wZP2JmNJqkirnNZ02zWmgA.0.1.0.0.0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWUMMUgU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAoAkcMI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWwoYIAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYwcEksM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkIYQosE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkoocoQM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCAsUsMw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wagMwkEA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOYYMAok.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIUAockY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HakQYAgE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcAgkgYI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkYsEwAs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUkQAQQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycQIIYIE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQUcgYAY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoQYIAkw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWgEsAQU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byQwkkQU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmwUYIEs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgAYIAAw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIEMMoYY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSAskQog.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAcQEQYk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAggMosM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgwYAgAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOoEAgks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euIQsQUo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsMYwkoE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAYckMgM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOQwsoco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSIQkkEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsQggYIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKMUYYgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMcoAQww.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEwYkAYc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQsIYsIE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYcQAcAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAgYMMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pecEMQww.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoAksUwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ToMosAYY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmkwUIUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuEskEcM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\socwsocc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOUQYAEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaIIQcMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyEYccUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IogooYoA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyckcMcI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sawIAYEg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piYcsIgA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGsUwoMk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOYsQEcc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HscAMoco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoQsoUAc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGwkUwwc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sScwUAos.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuYwAoIk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcEgIUss.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCYAEMYU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQEYwwcY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaEkkYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcIgEggk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv wZP2JmNJqkirnNZ02zWmgA.0.2

Network


Files


C:\Users\Admin\AppData\Local\Temp\WMQM.exe

MD5 8b92ad2a77d0185c339851484b39c27c
SHA1 7c2d7a7cd0ce54f7344306e518325f1272e5add7
SHA256 2d842865dfcd38fdcc23adabe3ad80369c4fbb2f76b7a3991e3707261bed99b8
SHA512 e4cecf51e8e47358f636fd96cf3e1bf8e0c8f698d04d67dc7b9c3bb5f82704366ffe0137ec48f071ca205c1184943eb9bc2741b08e248b92223c700eef479e71

C:\Users\Admin\AppData\Local\Temp\sgkO.exe

MD5 c54323e566bfe310addf3358db886ef8
SHA1 5ee83d63cf29027090ac3baf1a0b6ae9c845e689
SHA256 65672bc665018365fb91475f9dd7422f04012266d95f62170ce010f2bde277db
SHA512 fcc09cf7a450a900c1c82c0c5f96bda170a1efc685b4751839c083885e4d397c3759589114f9d6cd9c11871daea1b11ed9414cb75e512f1ef988546a36603d5b

C:\Users\Admin\AppData\Local\Temp\AoIO.exe

MD5 78619c335457e590cf5ac8fcb87a41b7
SHA1 580d5aaaa3652f89e18e9041a12fb02dc5fd2d3a
SHA256 0b90e4926ef1fa08e8845817808f92a3f4be991f5202a527dc10c57d116dd910
SHA512 bfa65027f2b10a6e7f08d49c6b7e16f6933767844cdeedae8c411c64cd306c8bdf7ec43687833687a63bde926ecabe70deb1669aa4d0f2aea495bb3433a98e10

C:\Users\Admin\AppData\Local\Temp\QEMg.exe

MD5 cd4d56af567aa49dec285484c27280e4
SHA1 62652e7515a95604c0ed5f94d645b1f7872b420c
SHA256 bc37b7add1a2e21cb320377fe371b76bd2c7a3cfdfc0b382acf106b2f06a7047
SHA512 67641eaf98fa0bd021fe25937d198267e1372d5cc739f5eec31cade6c8d5c17e019f7a8364c0955188fbf23e7e84f6eb3d360f4f1a1ad99975f1a9fdf353d6c6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 e5ca64660784263c4837d2990694a86d
SHA1 b85f646d68ed00c1ec73351101ecf64e1fcbb48b
SHA256 2abdf4eecc05e932509323d1c9eefa8beccfe6079d0d2a97934b71b3b90e414e
SHA512 0ae7490e7cce6d9767618257e72246e55aebe7079b7a7fa68d28d65e463966739cd7fd7639445c40ca5a8d146b5313866cb1a7efd515c511d147decbe110e71f

C:\Users\Admin\AppData\Local\Temp\kQYo.exe

MD5 de0b2a3eb47492cb2faf865c611becbc
SHA1 8b2779cdf2e8ad9c0b4fafcd59ede0d8e0f65a14
SHA256 59d141eb19fcfbd613c4261a22b40a34b338274ae5d5ef8ec0ba6d12393d5fb7
SHA512 7b1f51e29f0ff5f7e07d0bcd9a925a0fac5221066f2ad8286d0ec284285e239f52ec350fdf2949ac0e703af4528b998d846de90a2580fc05675e7303d9737338

C:\Users\Admin\AppData\Local\Temp\Awgm.exe

MD5 bf599cd6fd2fa593234fe34c40631ddc
SHA1 4899e21eacc3a7df6b429c192fe31be1bc26b33d
SHA256 4757510b04d488f78db080a326d096a61b39151b33996d8dc39ae1ca155fe3a0
SHA512 2a03751a69c252dee57e28898be6389dbf432bdcc6c4a0ae24ad0a1ad9629e61f29bf4032eb0252460f9a2c30c7479779f7c2a075a3353f3db0b1c12665cd0af

C:\Users\Admin\AppData\Local\Temp\yQkI.exe

MD5 0491dc7330744ab56be0fcccef695bf5
SHA1 58ca7c24d2ef57e30db1f49580524302d08f0b42
SHA256 d0a16a38601991e44e624ed7892f879e77a9e02201059a537d3d9ef3a8efabe9
SHA512 f17dd23ef5cbe46430c47866a202a97d0dc43548b21dbb7702f169f9352081a2c815a5204f6bcd04b2868f6e9b97cc4786dad227da6d5115593bf66236afe0eb

C:\Users\Admin\AppData\Local\Temp\yIMU.exe

MD5 610b278449492dae89079e2977aed7d0
SHA1 5714d7e5acab3543b063f115af5d95b2308c4888
SHA256 56491fabf7835357a3842d3f9405f59aea31338b2ea33c71cdf0fbc415912570
SHA512 4aede6e128bc380d8aad5ffa1c95eb30fb57c6f413d9f8574faab2256550e72d2f2f3cdc32352d5975fd8f08832046fd604d06135f2b3e8f108c30030702f5bb

C:\Users\Admin\AppData\Local\Temp\aYEc.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\ykgO.exe

MD5 46d33da341064fcdd5ec30968a6b346c
SHA1 638cfa52af798f5d23fbe93c2a6b70dec1c69888
SHA256 ae3879ac3739c0abce3e4cf7807507f9ef7c16f46866918cbc353d74c5e883a9
SHA512 0726cdb6d388848d760fcbf14c5ef476c6fdf06ecdca4acc37fe6461c7c29cc7da04f3fe53e179ec4b50a213ab5bb0723a04df017165fc172e36e281f5b9fb2c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 aa50ea9e85013d85bdca2d606db8dd7f
SHA1 e672bb927e99fb4b4c29202d98c6097f1a95bf20
SHA256 e2aeb5df3adc44dd81d2b0233ee955beb6be149a4be9d8578b54bc783b5601fb
SHA512 ea4ad11eaf2b4e46cc20bfbc650aa5b993cf012873f22173824e722425b6f6cb9247e99b6ce82044648c9919ea379ba6cb31f6ef17a3d6f3ccdee07a511b1483

C:\Users\Admin\AppData\Local\Temp\YwIs.exe

MD5 29ce91bdbdd6432762e87fc43ac61ce1
SHA1 4aff5743171bcbfbf5f613d338cf88f93dea3f3a
SHA256 0acf4ff26ba0715b5b92cb4161d4bb10cf0ac4273950c6b8fb26d6e02af73fe9
SHA512 3fdb40455d54bcacf72db13b44e67051b4d7335f5a828637e1d6ca3c544637e5002d412f47f852edfd1f5415c7fc151fed245856058a19c36e1286c88bf91c42

C:\Users\Admin\AppData\Local\Temp\wYIc.exe

MD5 85bc884aea74731e19a771b4b02fb6ed
SHA1 a61b09b2610f2d5cda98e8657d9c4680c91a4bb7
SHA256 a877180ee08e9e752e982b4922d20957feca863b11aa394cbbf25f6c31bd258a
SHA512 e0fec1647607549c2621d8c1a23dfe0ab46ea8bb6b3afcab5a746c21b83f0e8d9c7cd66fa76819157c64c9ae9ae897879a3c66d6ec6edbf6a37ef4aa9906ac22

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 05c6c7a3cc053be21cd0f3c526a1e08b
SHA1 5affcb8dffc8d820300f2f3c6758ad87b1fc7738
SHA256 8ed4d4da75f85cfa110b5cd57f7d12359b318614b5e9680b328d748887ad25ef
SHA512 7ab78c376d8d3799e5b5df3b4d01489bd40e98b61cfc2900412026c0ba4252a9be5403a8ff5ac4173a4d838c9f55bf23b8a058ef1ad484bc889770390f5e375a

C:\Users\Admin\AppData\Local\Temp\KkEw.exe

MD5 85b0130e8c35b42cd76c18b1252ac8b8
SHA1 83a10490d4104fa2109d699eb57efc7a8addc844
SHA256 b60acf76d58987d5d1e92b9cc2b5f77ea8b8687d17201a0df917203bef3f5d1d
SHA512 112f775e6ac3b20c235013b4522bd5b3835edd90fbd16c20630a73f2efe159c3be207a358365d91913399c1cf689b9ab7c2608d07e3da4d8029e589789d88416

C:\Users\Admin\AppData\Local\Temp\Kgko.exe

MD5 b62976184221bbbfa07194e5a77a70c9
SHA1 3d66c6ba1609f2a8126e0854fbb64acfa7246e1a
SHA256 793831d031bd18a258e2ce85d809fe34564b7ebde6f9294deac19c7806c9e52c
SHA512 15843f23fbbd75dbe41330af5096e04aa3c85e2284233e4ad061fc6643090d0885bb7823cf7abba94c6f7192d0f320a7d964a6dddcdb5b3970ac6d294f037457

memory/688-1276-0x0000000000400000-0x000000000047B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cIwM.exe

MD5 7153a39a93e1089badb819cb4ee28c6f
SHA1 ea1e2ed2be806a73b95cf9866d28f0b01b6de695
SHA256 65aefe3b12cd21997fd39244e52a02d166ad75926c4793e62e21b1c6908df07c
SHA512 d3652f249d98a213ffe8f298f07ce7d6d6655937b491966c829cefa33f85865cb9e07b9520e26787b5025b5fcac4ef7356e751cfa92fdbf680db6de211a6e835

C:\Users\Admin\AppData\Local\Temp\GYkc.exe

MD5 9e77cb426a2c448eda44805679132f68
SHA1 24ec6a26248578f798fd40003a586e77a23e8a39
SHA256 636fb8fe6ce71e4cd3735ded1d4c3c09e0269a13f579a1393d3ae06410281697
SHA512 83cdafd6b8e446ccfc3bf68d954c4563f0157cb634f001297c618a9af559aba8280be9a7e35d70cd89e757a039633fb9091699b7ade854685971d6f6d1cd8299

C:\Users\Admin\AppData\Local\Temp\eYQo.exe

MD5 ad7982acd539425d9a967920b47698d9
SHA1 85a1d745505903c69b567a9ff59dbf27e572c86f
SHA256 506fc84a3dbdf0ee9f37f2fcb05802c47e953802c36255fd78958f2a3f95b1fd
SHA512 9f878396679b906b9ded5349d7cba1d4ff01d279e8646d25c69ad9908356555fd40a68cfec600a87ab4aac7bee5a47baae4ea2a787dbbc4f1b83eef72de7a12b

C:\Users\Admin\AppData\Local\Temp\wEYW.exe

MD5 edf7a0f5967f7bc47b131380884b3629
SHA1 5e16c4fdf1bd5c195d3c27552f6ef91507556777
SHA256 717a315a1fa6188872ca647388c0f18dc7c45c21bdc2095c78723637a044c4a7
SHA512 3ce6c8ef68eb8895fad39d181add208d32ff4ca1831923b3d5f23a67a254ecb847c88a42264e12e2477f3c3b5f011c4049abd097a69e7de1f7ac1cbcb23105fe

C:\Users\Admin\AppData\Local\Temp\QgUa.exe

MD5 f707591a51b9ea841c2236b145000cfe
SHA1 6aab59d351ea38db0957581f56d961a8957efd54
SHA256 268f28db9650c7b8d6d44232b698a57642e03f9e9a75747ca6b6df4a26cd0956
SHA512 0c658bbc6e85cb38936973853421f20d6efdf17f5ec4f787411f3c03068cb168d176865c94e3af61970abf45e10324ce056df822b114a1040abcf2ae9930a281

C:\Users\Admin\AppData\Local\Temp\gcAw.exe

MD5 305d61b7b65ba942f9dc871c87355da0
SHA1 edfa6fd0036d933701233d25195a0e647d6288f8
SHA256 6c8a0c6d9fdfda770775ec0ac527a2c3708ce9503103748447f8390ffb913e0f
SHA512 1dc41e5fda279f41abed5b85aea544f58ea725fd6c053a549c9aa405d23369516aa2726179c310f6ef40a684bf9e13cfc42aa7f32b1cfcc4049e016f2a0c9280

C:\Users\Admin\AppData\Local\Temp\mAwa.exe

MD5 3b3860e23a593392a715e9e99cc68b48
SHA1 c122d6d5f570308c40eaf39ecda998dfc7d7fda4
SHA256 fd7803bbe6158680966669bb9d0eff677b60925e402c28598508ea32269017a8
SHA512 ffb37261d138af05db58d8a5cc60a09ff75c82dcfd3114ebbff7ee73dd3cd798118f87a4e9bc429005812b0ac1a5d1327ba316e1f29b64e2d8602df611730f30
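Two patterns in this file listing are worth turning into hunting logic: the payload scatters four-letter, mixed-case executables through the user's Temp directory, and it appends ".exe" to existing data files under the OneDrive profile (the ".png.exe" entries are the "renames multiple files with added filename extension" signature seen on disk). The script below is an added example, not part of the sandbox report or its tooling. It parses entries in the report's own layout (path line, blank line, one hash per line), validates hash lengths, flags the two patterns, and emits a SHA256 blocklist. The sample listing is constructed from four entries copied from this page plus one deliberately truncated entry labelled "constructed"; the data-extension list and the four-letter-name heuristic are assumptions drawn from what this report shows, not a general rule for this family.

```python
import re
from dataclasses import dataclass, field

# Expected hex digest lengths per algorithm as the report labels them.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")

# Assumption: data extensions that should never be followed by ".exe" (illustrative, not exhaustive).
DATA_EXT = r"(?:png|jpe?g|gif|bmp|ico|txt|pdf|docx?|xlsx?|pptx?)"
DOUBLE_EXT = re.compile(r"\." + DATA_EXT + r"\.exe$", re.IGNORECASE)
# Assumption: four ASCII letters + .exe/.ico directly under %LOCALAPPDATA%\Temp, as in this report's drops.
SHORT_TEMP_DROP = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z]{4}\.(exe|ico)$")

# Constructed sample in the report's layout. The last entry is made up to exercise hash validation.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\cIgo.exe

MD5 2dda2f479fb486be14ec64bdc357fbab
SHA1 61e3cb2208b470083139740676b2408413b73667
SHA256 1d9585b9c42e125a0777e9206fed4f681176029420c87e22050581cd2f30baea
SHA512 e77f159f872a4fad460d3fdbd9770c09e247b0c4ce92505d2b1139d5df83e24cbeb5b646b3f00a5d7fed878d5b21850c4f0f9d3b5f7ca3ac6676eb3fcfaff6fa

memory/4976-936-0x0000000000400000-0x000000000047B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 e5ca64660784263c4837d2990694a86d
SHA1 b85f646d68ed00c1ec73351101ecf64e1fcbb48b
SHA256 2abdf4eecc05e932509323d1c9eefa8beccfe6079d0d2a97934b71b3b90e414e
SHA512 0ae7490e7cce6d9767618257e72246e55aebe7079b7a7fa68d28d65e463966739cd7fd7639445c40ca5a8d146b5313866cb1a7efd515c511d147decbe110e71f

C:\Users\Admin\AppData\Local\Temp\aYEc.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\constructed-truncated.exe

SHA256 deadbeef
"""


@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_listing(text):
    """Each non-blank line that is not a hash line starts a new entry; hash lines attach to the last one."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and entries:
            entries[-1].hashes[m.group(1).upper()] = m.group(2).lower()
        else:
            entries.append(FileEntry(path=line))
    return entries


def classify(entry):
    """Return the list of flags that apply to one entry (empty list means nothing notable)."""
    flags = []
    is_memory = entry.path.startswith("memory/")
    if is_memory:
        flags.append("memory-dump")  # sandbox artifact, not a file on disk; no hashes expected
    if DOUBLE_EXT.search(entry.path):
        flags.append("added-exe-extension")
    if SHORT_TEMP_DROP.search(entry.path):
        flags.append("short-random-name-in-temp")
    for algo, digest in entry.hashes.items():
        if len(digest) != HASH_LEN[algo]:
            flags.append(f"bad-{algo.lower()}-length")
    if not is_memory and "SHA256" not in entry.hashes:
        flags.append("missing-sha256")
    return flags


def triage(text):
    """Map each flag to the paths it applies to, in listing order."""
    report = {}
    for entry in parse_listing(text):
        for flag in classify(entry):
            report.setdefault(flag, []).append(entry.path)
    return report


def sha256_blocklist(text):
    """Sorted, de-duplicated SHA256 digests suitable for an EDR or proxy blocklist."""
    return sorted({e.hashes["SHA256"] for e in parse_listing(text) if "SHA256" in e.hashes})


if __name__ == "__main__":
    for flag, paths in triage(SAMPLE_LISTING).items():
        print(flag)
        for p in paths:
            print("   ", p)
    print("sha256 blocklist:", len(sha256_blocklist(SAMPLE_LISTING)), "entries")
```

Run it against the full Files section of a report to get a blocklist and a list of paths matching each pattern; the four-letter Temp heuristic will also catch legitimate short-named installers, so treat it as a hunting lead to pivot on (parent process, Winlogon Userinit value) rather than a standalone block rule.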