Analysis Overview
SHA256
40c503b54870d9e9036be1ddf841b7583fc0c0f35c3cd6855b29ccda113427b3
Threat Level: Known bad
The file JaffaCakes118_06a77e396c6b61b851e152328bb34960 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Modifies WinLogon for persistence
Renames multiple (56) files with added filename extension
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-18 10:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-18 10:10
Reported
2025-05-18 10:13
Platform
win10v2004-20250502-en
Max time kernel
148s
Max time network
143s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\ieYIgAok\\aGgkwwEk.exe," | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\ieYIgAok\\aGgkwwEk.exe," | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |

This identical event is recorded 64 times in the report.
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |

This identical event is recorded 64 times in the report.
Renames multiple (56) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe | N/A |
| N/A | N/A | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
| N/A | N/A | C:\ProgramData\CUUEAkkc\uOwYwYwg.exe | N/A |
| N/A | N/A | C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe | N/A |
| N/A | N/A | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eYIAYAUk.exe = "C:\\Users\\Admin\\uoYcscMQ\\eYIAYAUk.exe" | C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aGgkwwEk.exe = "C:\\ProgramData\\ieYIgAok\\aGgkwwEk.exe" | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eYIAYAUk.exe = "C:\\Users\\Admin\\uoYcscMQ\\eYIAYAUk.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aGgkwwEk.exe = "C:\\ProgramData\\ieYIgAok\\aGgkwwEk.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aGgkwwEk.exe = "C:\\ProgramData\\ieYIgAok\\aGgkwwEk.exe" | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eYIAYAUk.exe = "C:\\Users\\Admin\\uoYcscMQ\\eYIAYAUk.exe" | C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aGgkwwEk.exe = "C:\\ProgramData\\ieYIgAok\\aGgkwwEk.exe" | C:\ProgramData\CUUEAkkc\uOwYwYwg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\sheWatchSkip.png | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\uoYcscMQ\eYIAYAUk | C:\ProgramData\CUUEAkkc\uOwYwYwg.exe | N/A |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheRestoreConvertTo.docx | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUpdateImport.docx | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\uoYcscMQ | C:\ProgramData\CUUEAkkc\uOwYwYwg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheLimitConvertTo.jpeg | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shePushEnable.xlsx | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUninstallRead.wma | C:\ProgramData\ieYIgAok\aGgkwwEk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe | N/A |

The report records this event 52 times in total: 11 from cscript.exe, 7 from cmd.exe, 27 from reg.exe and 7 from JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe.
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe"
C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe
"C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe
C:\ProgramData\ieYIgAok\aGgkwwEk.exe
"C:\ProgramData\ieYIgAok\aGgkwwEk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\ieYIgAok\aGgkwwEk.exe
C:\ProgramData\CUUEAkkc\uOwYwYwg.exe
C:\ProgramData\CUUEAkkc\uOwYwYwg.exe
C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe
C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe
C:\ProgramData\ieYIgAok\aGgkwwEk.exe
C:\ProgramData\ieYIgAok\aGgkwwEk.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAIgEoAA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMcQcUIk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmYQoccQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyUsYgUE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kysgYAEo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiAAIYYo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqwMQsYA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqEIEYsM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKwUgYYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSsMYIEY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiIYEcQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuQwYsYs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FugUkYQA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoIAcMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwoogUwM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 9a78b82209351bab0bcda10135da1764 wZP2JmNJqkirnNZ02zWmgA.0.1.0.0.0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWUMMUgU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAoAkcMI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWwoYIAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYwcEksM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkIYQosE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkoocoQM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCAsUsMw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wagMwkEA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOYYMAok.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIUAockY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HakQYAgE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcAgkgYI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkYsEwAs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUkQAQQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycQIIYIE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQUcgYAY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoQYIAkw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWgEsAQU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byQwkkQU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmwUYIEs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgAYIAAw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIEMMoYY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSAskQog.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAcQEQYk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAggMosM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgwYAgAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOoEAgks.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euIQsQUo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsMYwkoE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAYckMgM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOQwsoco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSIQkkEI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsQggYIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKMUYYgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMcoAQww.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEwYkAYc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQsIYsIE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYcQAcAM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAgYMMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pecEMQww.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoAksUwI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ToMosAYY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmkwUIUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuEskEcM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\socwsocc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOUQYAEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaIIQcMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyEYccUQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IogooYoA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyckcMcI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sawIAYEg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piYcsIgA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGsUwoMk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOYsQEcc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HscAMoco.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoQsoUAc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGwkUwwc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sScwUAos.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuYwAoIk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcEgIUss.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCYAEMYU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQEYwwcY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaEkkYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcIgEggk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv wZP2JmNJqkirnNZ02zWmgA.0.2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
Files
memory/760-0-0x0000000000401000-0x0000000000477000-memory.dmp
C:\Users\Admin\uoYcscMQ\eYIAYAUk.exe
| MD5 | afa01e6b0dd7501da6f2e80e015e37ee |
| SHA1 | 932fc5b8a5a6f9334e9b0cfaddf9a8a2631afba9 |
| SHA256 | cc516e64041d02d52498e82e0a40e2e91d2f036f9341aec2806554b9ce87363e |
| SHA512 | 1575615054313ce117bb6581bd51aaa53f138dacb67300685f3d58a5afcc05b914ea1d2ede7a7fff1d8ce79560eb484876a39a75442718b3955dc6b1ec749112 |
memory/4976-8-0x0000000000400000-0x000000000047B000-memory.dmp
C:\ProgramData\ieYIgAok\aGgkwwEk.exe
| MD5 | 94aa57e0fa2e5aba56b134c0ad9e71a0 |
| SHA1 | 7bf8061725025c6dcdcee6cf974fdbd859e17b9a |
| SHA256 | 8919f330e5a06c4c88ef681f082f534c9aa2400a1aefddc5992013ee182be30d |
| SHA512 | 8200bda83ba8a511ad92859b98e97253fe8acec18f0bcc2331bd30e1c27f6a1bad0583be4d341786873bc485aaed88fca08098affd3d9b92a6690edeb5341b77 |
C:\ProgramData\CUUEAkkc\uOwYwYwg.exe
| MD5 | f4fc0d64ebb6f128e539b375470b324d |
| SHA1 | 625894b555da5b1eff5030489e2bf04f3e4afbbf |
| SHA256 | 8c157d9d23c010b8ab2f1487f05d11e5514c634a5d95074b25092019d7a5d621 |
| SHA512 | 6e1621acc6b588cf98f1d9f74b72c01e8548cb6b8719e438767b2469de03934db5974fa411cd7001497603088939325f4db87f9edfec9fd6e834892b083aa9a9 |
memory/688-11-0x0000000000400000-0x000000000047B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06a77e396c6b61b851e152328bb34960