Analysis Overview
SHA256
72ff03ee4a4ffaa7e1dfc4e03ad78940d52d24bc6b55dd9ed8584b795b882ceb
Threat Level: Known bad
The file JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (57) files with added filename extension
Renames multiple (54) files with added filename extension
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-07-04 17:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 17:27
Reported
2025-07-04 17:30
Platform
win10v2004-20250610-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (54) files with added filename extension
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| N/A | N/A | C:\ProgramData\DuEsYQwk\yUkAAkYE.exe | N/A |
| N/A | N/A | C:\ProgramData\nQwcAcwg\nugoUYAI.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yUkAAkYE.exe = "C:\\ProgramData\\DuEsYQwk\\yUkAAkYE.exe" | C:\ProgramData\DuEsYQwk\yUkAAkYE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NsYgckMk.exe = "C:\\Users\\Admin\\QIMkAIUA\\NsYgckMk.exe" | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yUkAAkYE.exe = "C:\\ProgramData\\DuEsYQwk\\yUkAAkYE.exe" | C:\ProgramData\nQwcAcwg\nugoUYAI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NsYgckMk.exe = "C:\\Users\\Admin\\QIMkAIUA\\NsYgckMk.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yUkAAkYE.exe = "C:\\ProgramData\\DuEsYQwk\\yUkAAkYE.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\QIMkAIUA\NsYgckMk | C:\ProgramData\nQwcAcwg\nugoUYAI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheConvertToRestart.docx | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheNewTrace.docx | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheConvertToResume.xlsx | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheDisconnectNew.gif | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheGetRepair.bmp | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\QIMkAIUA | C:\ProgramData\nQwcAcwg\nugoUYAI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheImportReset.pdf | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheOutConvertFrom.zip | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheConvertUndo.xlsx | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheDismountConnect.wma | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheJoinRequest.exe | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheStartUndo.xlsx | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheTestExit.xlsx | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\DuEsYQwk\yUkAAkYE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe" |
| C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | "C:\Users\Admin\QIMkAIUA\NsYgckMk.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\QIMkAIUA\NsYgckMk.exe |
| C:\ProgramData\DuEsYQwk\yUkAAkYE.exe | "C:\ProgramData\DuEsYQwk\yUkAAkYE.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\DuEsYQwk\yUkAAkYE.exe |
| C:\ProgramData\nQwcAcwg\nugoUYAI.exe | C:\ProgramData\nQwcAcwg\nugoUYAI.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\QIMkAIUA\NsYgckMk.exe | C:\Users\Admin\QIMkAIUA\NsYgckMk.exe |
| C:\ProgramData\DuEsYQwk\yUkAAkYE.exe | C:\ProgramData\DuEsYQwk\yUkAAkYE.exe |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiMIkoQc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQwYYsUI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyMYIAgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOYIwQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiQwwYgk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKgkkYwE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUYwEMcc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWUAcMsI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEkoMQQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEUkIgEQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeEEgEUM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOAsUUIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teQcAIUU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qacoMIoU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duoAAIck.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tegcAMUY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOoIUoEg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyEcIkUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyMwooUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eugAEggQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYUYcYQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIEYAEIg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmwIsgEE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAUAUQMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGwoMQcc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kikssMIU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcwAUkMk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSwsIIoc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwksgMEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swQAsQgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0" |
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUEQEAQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKMIwkUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuAwwIcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysckkskc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAIkoAcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYUYYQUs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JowIwksY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCwUUIgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqwkMUEw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAIckQko.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saYcAsAk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgscoEEs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUosMkQs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGYQcAQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riYkQQAE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKscAEkw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAcscQIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaYwogkE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQsQUwwk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQwQQUIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQccgUwY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAIIAgYk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKEIkkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKsUkscQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYwgMQYU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwAQYcEo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocEUooEY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWIAAkoA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 17:27
Reported
2025-07-04 17:30
Platform
win11-20250610-en
Max time kernel
150s
Max time network
110s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (57) files with added filename extension
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\vAEQAssE\KMcsAQMw.exe | N/A |
| N/A | N/A | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| N/A | N/A | C:\ProgramData\yWIEAAEA\xgIIIcQU.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UEIAIkkk.exe = "C:\\ProgramData\\fKIMUoUk\\UEIAIkkk.exe" | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UEIAIkkk.exe = "C:\\ProgramData\\fKIMUoUk\\UEIAIkkk.exe" | C:\ProgramData\yWIEAAEA\xgIIIcQU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Windows\CurrentVersion\Run\KMcsAQMw.exe = "C:\\Users\\Admin\\vAEQAssE\\KMcsAQMw.exe" | C:\Users\Admin\vAEQAssE\KMcsAQMw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Windows\CurrentVersion\Run\KMcsAQMw.exe = "C:\\Users\\Admin\\vAEQAssE\\KMcsAQMw.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UEIAIkkk.exe = "C:\\ProgramData\\fKIMUoUk\\UEIAIkkk.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\QYoc.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\ykAi.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MkkS.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gsss.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\wQMG.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\UAYW.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aaoM.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\EGgY.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\mksE.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Asgs.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aMcM.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\Asgs.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qyYw.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ukcI.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\GQIS.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iwcq.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oIku.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\CYUc.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wuAw.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kSwY.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\siAE.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ykAi.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\uooo.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\OoQe.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\mAQq.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ywEC.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\vAEQAssE | C:\ProgramData\yWIEAAEA\xgIIIcQU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ssgU.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wWkg.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IYcS.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\CGow.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\goge.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\ysIs.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\gwAM.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\yoAm.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\GoQQ.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\YcAE.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uooo.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yQMK.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ssso.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\YUoo.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogMm.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\YMck.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\IMIA.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SEwc.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\CIsk.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SoQy.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ysIs.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\vAEQAssE\KMcsAQMw | C:\ProgramData\yWIEAAEA\xgIIIcQU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\QEUY.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\qsMs.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kOkg.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\EoYE.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File created | C:\Windows\SysWOW64\QAIA.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\magI.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ymUc.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gYEw.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\UAYW.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\CWIM.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wIIC.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mAIc.exe | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUseInitialize.docx | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\AuEI.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GgkA.ico | C:\ProgramData\fKIMUoUk\UEIAIkkk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\vAEQAssE\KMcsAQMw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"
C:\Users\Admin\vAEQAssE\KMcsAQMw.exe
"C:\Users\Admin\vAEQAssE\KMcsAQMw.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\vAEQAssE\KMcsAQMw.exe
C:\ProgramData\fKIMUoUk\UEIAIkkk.exe
"C:\ProgramData\fKIMUoUk\UEIAIkkk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\fKIMUoUk\UEIAIkkk.exe
C:\ProgramData\yWIEAAEA\xgIIIcQU.exe
C:\ProgramData\yWIEAAEA\xgIIIcQU.exe
C:\Users\Admin\vAEQAssE\KMcsAQMw.exe
C:\Users\Admin\vAEQAssE\KMcsAQMw.exe
C:\ProgramData\fKIMUoUk\UEIAIkkk.exe
C:\ProgramData\fKIMUoUk\UEIAIkkk.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUQEoAUo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGcQcYgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZycsMkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XokoUsMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqMMQwws.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umkEksgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcIEooEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leEcsIsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQosUQck.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmYgkYgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikkMkYIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CikUgEkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOcAwQQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEwMQMMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGAwIMYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKoAcAoM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAQIIIUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsAQEosM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amMIwoMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIsoYIMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqksEkEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWYsMgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkAIwIYg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQggsEAU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgwokYgM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckYskwIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiIkEYIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMIkcoYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWsAAgMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqIsQswY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
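The process list above repeats one cycle: reg.exe sets EnableLUA=0 under HKLM (which already requires an elevated token, and only takes effect after a reboot, so what is recorded here is UAC being switched off rather than a prompt being bypassed), sets HideFileExt=1 and Hidden=2 so Explorer hides extensions and hidden files, a freshly named .bat in Temp relaunches the sample, and cscript runs the dropped file.vbs. The Python below is an added example, not part of the sandbox report or of the sample's own code: it parses the two-lines-per-process layout used above and applies rules for exactly those command lines. Rule names and the SAMPLE text are this example's own; SAMPLE is assembled from entries on the page plus one conhost line as a benign control.

```python
"""Added example: triage rules for a sandbox process list.
The report gives each process as two lines, image path then command line,
so the parser consumes the text in pairs. SAMPLE is constructed from
entries on the page plus a conhost line that must not fire any rule."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"""C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGcQcYgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""

@dataclass(frozen=True)
class Process:
    image: str
    cmdline: str

@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str

def parse_processes(text: str) -> list[Process]:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected image/command-line pairs")
    return [Process(lines[i], lines[i + 1]) for i in range(0, len(lines), 2)]

# Registry writes seen in the report: (key tail, value name, data, meaning).
# EnableLUA lives under HKLM, so the writer is already elevated; the change
# turns UAC off for every account once the machine reboots.
REGISTRY_RULES = [
    (r"\\policies\\system$", "enablelua", "0",
     "EnableLUA=0: UAC disabled system-wide after reboot"),
    (r"\\explorer\\advanced$", "hidefileext", "1",
     "HideFileExt=1: Explorer hides extensions, so x.png.exe shows as x.png"),
    (r"\\explorer\\advanced$", "hidden", "2",
     "Hidden=2: Explorer hides hidden files and folders"),
]
REG_ADD = re.compile(r"^reg(?:\.exe)?\s+add\s+(?P<key>\S+)(?P<opts>.*)$", re.I)
REG_VALUE = re.compile(r"/v\s+(\S+)", re.I)
REG_DATA = re.compile(r"/d\s+(\S+)", re.I)

def check_reg_add(p: Process) -> Optional[Finding]:
    m = REG_ADD.match(p.cmdline)
    if not m:
        return None
    vm = REG_VALUE.search(m.group("opts"))
    dm = REG_DATA.search(m.group("opts"))
    if not (vm and dm):
        return None
    for key_tail, value, data, meaning in REGISTRY_RULES:
        if (re.search(key_tail, m.group("key"), re.I)
                and vm.group(1).lower() == value and dm.group(1) == data):
            return Finding("registry_tamper", p.image, meaning)
    return None

TEMP = r"\\AppData\\Local\\Temp[\\/]"   # the report's cscript line uses a forward slash
LOLBIN_RULES = [
    ("script_from_temp",
     re.compile(r'^[cw]script(?:\.exe)?\s+\S*' + TEMP + r'[^\s"]+\.vbs', re.I),
     "cscript/wscript running a .vbs dropped in the user's Temp"),
    ("batch_launcher",
     re.compile(r'cmd\.exe\s+/c\s+"*[^"]*' + TEMP + r'[^\s"]+\.bat"', re.I),
     "cmd /c running a .bat from Temp, sample path passed as argument"),
    ("extensionless_exec",
     re.compile(r'cmd\.exe\s+/c\s+"[^"]*' + TEMP + r'[^\\/".]+"$', re.I),
     "cmd /c launching an extensionless file from Temp (dropped PE)"),
]

def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for p in parse_processes(text):
        hit = check_reg_add(p)
        if hit is None:
            for rule, pattern, meaning in LOLBIN_RULES:
                if pattern.search(p.cmdline):
                    hit = Finding(rule, p.image, meaning)
                    break
        if hit is not None:
            findings.append(hit)
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts
```

Running `summarize(triage(SAMPLE))` on the constructed sample yields three registry_tamper hits and one each of batch_launcher, script_from_temp and extensionless_exec; the conhost entry produces nothing. The registry rules compare the value name and data exactly, so a legitimate `Hidden /d 1` (show hidden files) does not fire; the command-line rules anchor on the Temp path rather than on the random .bat names, which change on every cycle.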
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.187.238:80 | google.com | tcp |
| GB | 142.250.187.238:80 | google.com | tcp |
| GB | 142.250.187.238:80 | google.com | tcp |
| GB | 142.250.187.238:80 | google.com | tcp |
| GB | 142.250.187.238:80 | google.com | tcp |
| GB | 142.250.187.238:80 | google.com | tcp |
| GB | 142.250.187.238:80 | google.com | tcp |
| GB | 142.250.187.238:80 | google.com | tcp |
Files
C:\Users\Admin\vAEQAssE\KMcsAQMw.exe
| MD5 | 0ac7016c63b3f0b85610ab14d8cafd6e |
| SHA1 | 8e8a9319d670042e990cc920dbab33df3f7b654b |
| SHA256 | 89a73155018cf0725ab717f809a7165c27470074215973dc3bc0d735914d28d4 |
| SHA512 | ab7fe0205dc44a0402f0f2a1b3120f60fe5b45f6034a1a1b6f0db1a5240d906608a9946b4c658bf4fd10e752b9c94e47529fa0c0de7fd9f24724831b04f6fe83 |
C:\ProgramData\fKIMUoUk\UEIAIkkk.exe
| MD5 | a360696ffe49a3a1a4ea34d3124d012e |
| SHA1 | 6c9b77b0c16f9a842d922daf61d1c3640c2ebcec |
| SHA256 | 150b11c0fa57b4e107771b42669f4691cc96dc74fffd6db630edc0fb14fc3ff6 |
| SHA512 | d1e9d2fbfd16aea3ae9c2687017864f89c4947191c55bf85d3ba4ff03ad70846d9a7e09d43269bd3d604dd25350325ee977d282b68cd4b8a08e97c06e6c69233 |
C:\ProgramData\yWIEAAEA\xgIIIcQU.exe
| MD5 | b3d93ac5643066e180812ff52457bfed |
| SHA1 | f4d104c54f1b6285aa81009fa957fdd0a4c18b3e |
| SHA256 | 438c536f3d4d1a65b2df153d74fbdd2db9e5aa143c0e6c694e017a031f3a54b7 |
| SHA512 | d35a693e6939395e98fe871e06d760a19ff3b875af991d7dc178cb39db91254bae2b5a7a5a2534f1191cb7618a4946e018b146475bf06a8d1c271c22b96e81e9 |
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
| MD5 | 1f93b502e78190a2f496c2d9558e069d |
| SHA1 | 6ae6249493d36682270c0d5e3eb3c472fdd2766e |
| SHA256 | 5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e |
| SHA512 | cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3 |
C:\Users\Admin\AppData\Local\Temp\JUQEoAUo.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Windows\SysWOW64\ukcI.exe
| MD5 | 1c38def6e685211b276e51f9b0e47743 |
| SHA1 | ad009d0c0bd8eba706f9e45a73c069909eb15e0d |
| SHA256 | 3641964e9e2e15f61dec63b29054bd648a8ae686a94be0e8cb7a7af76802d89c |
| SHA512 | 2f67dbd61c675543e693e153f3d2a9ecb22ad44d04f6f2d44c9c6e717ef4e4ed043b69c21515e0b0078ff5d6bf8e029a2d06c8fcb9b86d233f262e0ccdab56d0 |
C:\Windows\SysWOW64\GQIS.exe
| MD5 | bc9365222954ad3b9d3d92e95418c218 |
| SHA1 | fc0b2cf785c8fc5d7bfdb4c007796f3b3cd7066a |
| SHA256 | da35e7c64a783a287ce7fdc645233fba7b6ac50e1c83696802ab9c1d8e92db32 |
| SHA512 | c23a9f3f3141d5f7a0989efaa1887efbf94c7aed82f6c29009b58f96a95a85ed7dad0f0c19fa084dcc8849e50ef0a808befc65f00090c18cdfb66e62cf078e95 |
C:\Windows\SysWOW64\GoQQ.exe
| MD5 | 0c387781384c5571e121557a7850ed63 |
| SHA1 | d6d51fac911473338b83e1bc6bf1900cfc94246d |
| SHA256 | 0d380a5fa67c5f9857619be286090aa659d01d272ac3845fefa32b96d4b26229 |
| SHA512 | 343671228c1c18f8f4ffd466469836fa596a723edbb21a4a5be3ec735a2d4c4e37921416e850ab3d3472c870b0b816c3fae21cf14c96129564612526d56cbaf6 |
C:\Windows\SysWOW64\MEws.ico
| MD5 | 9af98ac11e0ef05c4c1b9f50e0764888 |
| SHA1 | 0b15f3f188a4d2e6daec528802f291805fad3f58 |
| SHA256 | c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62 |
| SHA512 | 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1 |
C:\Windows\SysWOW64\Eosc.exe
| MD5 | f9520333b144b3c1777bb9300e87a459 |
| SHA1 | dc46c12925120b59e9a9b6763dd7fd1a51d83620 |
| SHA256 | b0763fe3d60ef495e252360ddf445c4c9f3c416853bb757bf1dea2168358cc5f |
| SHA512 | f6ff53d6312ac6463dc03c5e73e32b8f6fdeaedffcc43929bd6c9ca8a6ce7b0cbd2dc1b02c763a8a9ffc8e77846299abc278620e0c5abcfcdf2616f830f3ee1c |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe