652cc475d34cde0f13c4b5640f43ee7908b17dd117a6361c07d2f04787b4c826

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
Size

212KB
MD5

187a052ff11cb16228342428d241f1a8
SHA1

fae50f317e402eb991e700f7133714c5409edabd
SHA256

652cc475d34cde0f13c4b5640f43ee7908b17dd117a6361c07d2f04787b4c826
SHA512

3e52a272c7d1a00ff4e8b13329a379f3232932db9aece327db4fdbdff988fed72576036aee1ca71028d6b96532ed6e6258ea14624a3475240913bddb63ec2288
SSDEEP

6144:EEd+RUDTBLse1t/yh/QdSM5KslH3v/9Od+HFHiI+pu3:EE53BLsOQQdiE3v/9OdiUm

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 63 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 63 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\International\Geo\Nation	zGwggQIs.exe

Deletes itself 1 IoCs

pid	Process
1532	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1732	zGwggQIs.exe
2388	jeskAUAI.exe

Loads dropped DLL 20 IoCs

pid	Process
1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\zGwggQIs.exe = "C:\\Users\\Admin\\rigIsYkI\\zGwggQIs.exe"	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jeskAUAI.exe = "C:\\ProgramData\\raAcwAUo\\jeskAUAI.exe"	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\zGwggQIs.exe = "C:\\Users\\Admin\\rigIsYkI\\zGwggQIs.exe"	zGwggQIs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jeskAUAI.exe = "C:\\ProgramData\\raAcwAUo\\jeskAUAI.exe"	jeskAUAI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2032	reg.exe
1004	reg.exe
2488	reg.exe
2856	reg.exe
2248	reg.exe
1656	reg.exe
980	reg.exe
1184	reg.exe
1936	reg.exe
2348	reg.exe
752	reg.exe
1532	reg.exe
2920	reg.exe
3020	reg.exe
2572	reg.exe
828	reg.exe
1820	reg.exe
3060	reg.exe
1600	reg.exe
2380	reg.exe
1912	reg.exe
2716	reg.exe
2700	reg.exe
1476	reg.exe
2368	reg.exe
1612	reg.exe
2752	reg.exe
2524	reg.exe
2456	reg.exe
2320	reg.exe
1472	reg.exe
2464	reg.exe
1744	reg.exe
2588	reg.exe
2292	reg.exe
2800	reg.exe
288	reg.exe
1644	reg.exe
1692	reg.exe
1472	reg.exe
2420	reg.exe
2316	reg.exe
2196	reg.exe
540	reg.exe
2660	reg.exe
2688	reg.exe
2248	reg.exe
1432	reg.exe
2464	reg.exe
564	reg.exe
2708	reg.exe
540	reg.exe
2416	reg.exe
2520	reg.exe
1168	reg.exe
2796	reg.exe
2068	reg.exe
2524	reg.exe
2712	reg.exe
1084	reg.exe
2172	reg.exe
1816	reg.exe
2512	reg.exe
1440	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2924	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2924	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1088	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1088	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1192	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1192	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
952	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
952	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1696	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1696	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2540	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2540	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2636	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2636	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2332	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2332	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1196	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1196	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1708	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1708	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2344	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2344	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3004	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3004	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2496	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2496	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1632	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1632	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2128	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2128	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1188	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1188	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2300	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2300	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1744	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1744	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2248	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2248	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2040	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2040	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2104	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2104	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1660	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1660	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2320	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2320	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2828	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2828	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1476	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1476	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2248	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2248	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3044	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3044	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2716	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2716	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1916	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1916	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
856	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
856	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1732	zGwggQIs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe
1732	zGwggQIs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1732	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	28
PID 1980 wrote to memory of 1732	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	28
PID 1980 wrote to memory of 1732	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	28
PID 1980 wrote to memory of 1732	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	28
PID 1980 wrote to memory of 2388	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	29
PID 1980 wrote to memory of 2388	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	29
PID 1980 wrote to memory of 2388	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	29
PID 1980 wrote to memory of 2388	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	29
PID 1980 wrote to memory of 3068	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	30
PID 1980 wrote to memory of 3068	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	30
PID 1980 wrote to memory of 3068	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	30
PID 1980 wrote to memory of 3068	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2844	3068	cmd.exe	33
PID 3068 wrote to memory of 2844	3068	cmd.exe	33
PID 3068 wrote to memory of 2844	3068	cmd.exe	33
PID 3068 wrote to memory of 2844	3068	cmd.exe	33
PID 1980 wrote to memory of 2624	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	32
PID 1980 wrote to memory of 2624	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	32
PID 1980 wrote to memory of 2624	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	32
PID 1980 wrote to memory of 2624	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	32
PID 1980 wrote to memory of 2660	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	34
PID 1980 wrote to memory of 2660	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	34
PID 1980 wrote to memory of 2660	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	34
PID 1980 wrote to memory of 2660	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	34
PID 1980 wrote to memory of 2712	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	35
PID 1980 wrote to memory of 2712	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	35
PID 1980 wrote to memory of 2712	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	35
PID 1980 wrote to memory of 2712	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	35
PID 1980 wrote to memory of 2584	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	36
PID 1980 wrote to memory of 2584	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	36
PID 1980 wrote to memory of 2584	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	36
PID 1980 wrote to memory of 2584	1980	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	36
PID 2584 wrote to memory of 2476	2584	cmd.exe	41
PID 2584 wrote to memory of 2476	2584	cmd.exe	41
PID 2584 wrote to memory of 2476	2584	cmd.exe	41
PID 2584 wrote to memory of 2476	2584	cmd.exe	41
PID 2844 wrote to memory of 2912	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	42
PID 2844 wrote to memory of 2912	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	42
PID 2844 wrote to memory of 2912	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	42
PID 2844 wrote to memory of 2912	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	42
PID 2912 wrote to memory of 2924	2912	cmd.exe	44
PID 2912 wrote to memory of 2924	2912	cmd.exe	44
PID 2912 wrote to memory of 2924	2912	cmd.exe	44
PID 2912 wrote to memory of 2924	2912	cmd.exe	44
PID 2844 wrote to memory of 2404	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	122
PID 2844 wrote to memory of 2404	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	122
PID 2844 wrote to memory of 2404	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	122
PID 2844 wrote to memory of 2404	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	122
PID 2844 wrote to memory of 1912	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	124
PID 2844 wrote to memory of 1912	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	124
PID 2844 wrote to memory of 1912	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	124
PID 2844 wrote to memory of 1912	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	124
PID 2844 wrote to memory of 288	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	47
PID 2844 wrote to memory of 288	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	47
PID 2844 wrote to memory of 288	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	47
PID 2844 wrote to memory of 288	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	47
PID 2844 wrote to memory of 692	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	48
PID 2844 wrote to memory of 692	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	48
PID 2844 wrote to memory of 692	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	48
PID 2844 wrote to memory of 692	2844	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	48
PID 692 wrote to memory of 1440	692	cmd.exe	129
PID 692 wrote to memory of 1440	692	cmd.exe	129
PID 692 wrote to memory of 1440	692	cmd.exe	129
PID 692 wrote to memory of 1440	692	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\rigIsYkI\zGwggQIs.exe
  "C:\Users\Admin\rigIsYkI\zGwggQIs.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1732
- C:\ProgramData\raAcwAUo\jeskAUAI.exe
  "C:\ProgramData\raAcwAUo\jeskAUAI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        6⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        8⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        10⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        12⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        14⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        16⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        18⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        20⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        22⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        24⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        26⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        28⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        30⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        32⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        34⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        36⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        38⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        40⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        42⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        44⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        46⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        48⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        50⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        52⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        54⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        56⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        58⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        60⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        62⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        64⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        65⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        66⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        67⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        68⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        69⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        70⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        71⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        72⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        73⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        74⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        75⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        76⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        77⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        78⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        79⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        80⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        81⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        82⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        83⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        84⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        85⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        86⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        87⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        88⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        89⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        90⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        91⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        92⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        93⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        94⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        95⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        96⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        97⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        98⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        99⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        100⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        101⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        102⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        103⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        104⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        105⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        106⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        107⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        108⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        109⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        110⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        111⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        112⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        113⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        114⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        115⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        116⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        117⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        118⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        119⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        120⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        121⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        122⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        123⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        124⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        125⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        126⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOIAEIkE.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        126⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iuUwUgsY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        124⤵
        Deletes itself
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYYQEQMc.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        122⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKokQwQw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        120⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oOEUsgwI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        118⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IisgsEUM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        116⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AgUYAgcM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        114⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rmQIIUwU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        112⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAsUwwok.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        110⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcAEwAkw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        108⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\imMUgEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        106⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FygUoEsc.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        104⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xYEMsQss.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        102⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gyIwUQwI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        100⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BggocIAM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        98⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ciYUQUgs.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        96⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dQMcskEk.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        94⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMAUIUMo.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        92⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAAIQQgA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        90⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOEgQIYM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        88⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CCAEkEgA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        86⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pUkUMsgw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        84⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMwUIIwg.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        82⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQAIQUcA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        80⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOcEQoww.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        78⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEcwoAsY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        76⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mUQQUoQI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        74⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIMAockQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        72⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BeogAQIA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        70⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WYkIUYwE.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        68⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMgUUAwA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        66⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQckggwQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        64⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqwMsEAY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        62⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAokQUsA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        60⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rsUYUooY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        58⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dEcgkMwo.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        56⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqQIkkoY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        54⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ByYQEAUg.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        52⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YWMwoQUo.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        50⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NiYQMIYo.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        48⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gcAgkggA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        46⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DykcAAkM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        44⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JsUUkEII.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        42⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WucwgUkM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        40⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqMQkIEg.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        38⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCMsYwQY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        36⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAAYAcoM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        34⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JmkIgAAY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        32⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QykUowsY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        30⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UeMYsYwA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        28⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGUAkYMM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        26⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGQsYYYI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        24⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LcUEMYAo.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        22⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zyIMEwQI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        20⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eagEcYUw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        18⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAgAgskM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        16⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OwYYkgsg.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        14⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIowgYAA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        12⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dugEAksM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        10⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOEMAkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        8⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2124
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1472
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1644
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\agIgocoQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        6⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2752
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2404
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:288
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\aacAEsUw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2660
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWAksEkY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-230935673-1157364053-442031288-1256739697-232290227-1203674634-507694354-1642783159"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6112357351783663022-1816286498-740096716-30614938320937175611689309417442573453"
1⤵
PID:2380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1841829261-1267821152965300642140011210-43681529677652252-566106941811115644"
1⤵
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "802946122-1904603908-1245007894549956500-4292809791619667469-728661576-1023042417"
1⤵
PID:1084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1591515399-724774229-1670471689591769791-1482487687-962890797-1542313909-1992136003"
1⤵
PID:1164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2021548817532227641-1551810318-190983684411616345-11339371991691493658446924252"
1⤵
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2087073605-276644217-436219356-1911945363685269813484057607-901689942-1318996264"
1⤵
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1152949040-3621493046689011281447916635146391558593981619010737321682018413263"
1⤵
PID:952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14747534441403117094733674288-11973950811451380000-1999007579-8954751571653333285"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "544327284402095798-938548057-136704823-401252163-63160629-12045967492020785551"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1698861602-2033665568-1558908451-138575126-1473263575-667243267-1854956276363946079"
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "551080095-163662868-1322910469-700389691285266141-563545630-1067606205600064241"
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12163970571086701482-1688852264-178021577987220-144373705821236882231658050042"
1⤵
PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1975612534-1784530551-977469389638373769-21165669641226573288579339601-34441743"
1⤵
PID:2820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-568671530-319705942-14653648993987643641196790203-14928241121873416658929327297"
1⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2055376539-545366169-1037101408-847674983-737005541839863134-3706886411170624515"
1⤵
PID:752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1217210118-115838115320024785781885620587-1400349132-1009625018-104607395510681457"
1⤵
PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19675889862114295343-93484036993813577-180721998181462121812043672131727912606"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1243153202-12728809601601895810-328291178881906023311807748-1639296321397414847"
1⤵
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "56906649919946146-1949878428-1327556506874048806370968768-1240372019-1752716496"
1⤵
PID:1760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1368285647-1283572381326250739475114445-231183192-1634550460310395521-14267164"
1⤵
PID:588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1489764834567829252-1913238077521962351-327559626161550829866326159-1863023568"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-843657626-203158907119320547871372835773-1920807259-115722621016622912791895175982"
1⤵
PID:692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "952722370-445979867212502211-15182739931670466707-25617916314074383102061299323"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1078845590-12168813121510892145-463828835-12120147751907210011256178021-1616164602"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-894955837425453662-684298261-2031154143-1042668321-1884484870-249213930-175637929"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-88076211-512396383-695599573-1949375621-464084450763879249718479474-1294962485"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1291477537-1509723247-1904047477-144513806573098787-1945092931-2058867017-486957977"
1⤵
PID:828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1795074417868096394-738751634-1794618389-95472669221251655111833343234-931110171"
1⤵
PID:2404

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1134982549-14224299011035555655926044068-705466258310720877-930260891-1146519717"
1⤵
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-622008880592772590-1718843678-1735239790-736824021287068373-1873249319-481439737"
1⤵
PID:1080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20336862821474305968-37243197317812376991788436720-7406742691998812470-437806093"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-78719000711977341452651126681547834190-20331138691670937384-20778318711167800757"
1⤵
PID:2644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-914733921-67929919-192616639972120036514132453518688002145218462872102353214"
1⤵
PID:1812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "560991968-6466896301619695156-1335167706-207058010959909666116785428031447388286"
1⤵
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1528085128-381440995679454163-6956860541282174708-149191673511325085411524707584"
1⤵
PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "496338041305003854778545909-390471523-1280707746-1033871015-354630293-1895464496"
1⤵
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16676104841520528573103315162120386693-12823284522063657407-899282933254859937"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19717252401497010386128899424-1526386181-187554891616164026592701373211237251017"
1⤵
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1854352766-280579011411695427-1239030543532351659912808457514892801831958156"
1⤵
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1683677090-1239637969-4168345641303419767-2099077527147170634614925056461475187265"
1⤵
PID:2432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "74866243-114221859363955578-346934153-13987396431020664265-873022443462171742"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1138330624-3396063211738925213394503416710813499-2033406528-255186848873532269"
1⤵
PID:2284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18523623751210484072-1823867931-4906040881553260991-1771500784-694345603-356815550"
1⤵
PID:2572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-855897068-1046572574717788246-918429181381016692-119532925021296029-739292163"
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1459641457-1137655498-939664458-286286815-816063342-358230955-1386658919110726186"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "189214696-262698089-83899596789384272747960171-1742659110-740270090404197946"
1⤵
PID:2104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18021655551175528099-16385339411792467940-629967980292850901-1455198067425583756"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13410611721211928944925329486-10574631122073324417-19032573131289474708-851712549"
1⤵
PID:1472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-515536812-1893268518-1528992110-990356725-341856387514536743-373601119-1876014319"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-480351499-480095629-16466642221608918958-91610200617174173871097203341336835500"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1114133257-1779641957-2012997003165638087315949263801487551402-1611289068410293294"
1⤵
PID:924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "854293694664504608-269282690-1585633545-1219167750-285812064-603881231673358995"
1⤵
PID:2380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2007607008-1592299503202972013-15515220874958825439047263811218327415-1396819854"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "487102444-69339172-1764600462-95578325617437181318987196611377642026722528224"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1089741542-8589592572085365337-924958002-110949806349604822317662769691332523181"
1⤵
PID:1476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2122416289-31526532923814149814647011929038978606782487511278614482-1119888432"
1⤵
PID:864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "65628068320418056446536927861681763742-914652601-10831915951808352960108551899"
1⤵
PID:332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-49592067-1111358718924327213207111084-8037773131206238450838289961302786679"
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17314814221923881992-16435650861213616417431453392-1962164178-34890484992526453"
1⤵
PID:2060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-204163208114591517091281435648-576425520-1134969468-1037286148-1569967778-416443402"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19136987441498775071174777599430726820-8042401342103031146-2837195051699441874"
1⤵
PID:2052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1475583675-17982874611965844466904992641214882840-1719790328-2104027723-1445843357"
1⤵
PID:2976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "26523214117571215571143212113-90268142415298255121018309232-1989314785233992754"
1⤵
PID:2496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "130000003171404848-1296552486-366293131-1384460552-1310141964-125171639-2004272845"
1⤵
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-603601865-61070520254836608-4430838781428320785714707502-6105192881031319888"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-630167090-1699208457743666090-13555913116876910461909709128-1454791568208066742"
1⤵
PID:1088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-830614943-2029794867-986826704-1724528358313133017135033651619015175111637204290"
1⤵
PID:1816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2112562669-1347788746-381164920-275032991355699449-15903279521190277547-1022724992"
1⤵
PID:1996

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
241KB

MD5
52c28e3414e7bb2d12e090470d700740

SHA1
cc85c43258f89f3a141156d4a931183a82b205bb

SHA256
cf5f92d834ac048600e62cc2b46510d2330c36478da3f24a3eeccbc0d644be3e

SHA512
ca671b81889dde9c897432af5c6529b0e85537056a4b522ad834ecb7cde710a71e27a2f7087d7b29b8280557bc700628066edccf2f12701991d47c4af5a495e4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
243KB

MD5
d7d6f1f365c51b38da3481971ecb30dd

SHA1
83a83fe02c940c4961bf51fc451a63f4b267ff8a

SHA256
f1a322056b09aa568a94b5e41afcdcd6cda4244c8ea70f14d0e72c5bb45a18fa

SHA512
a889137f18852133b40a662614c126d8fc44ae76bee603ddb6535c41af6c159d10ce963807bfae205b7d570fefbd8866d54aa7d08577bce10bba5f2feb1d85a1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
226KB

MD5
bf1a68701e4fe1f1a17bbc71b7a4922b

SHA1
b27ea1d037b0ed1cfeeb547cc5c3f5ea54bb18c4

SHA256
2798d8c2fc6b49df04ef599c7b6114977638a898af9db48a1fdc39ab1f6b8379

SHA512
3e81f2979beac84a7ba84367acb656e5dcd9879321c4e566fb497f75142321a546ba2fb42dee9683e805e7fdab9e1a42c00e06e83dc08e3615fd6c3521f60ab4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
240KB

MD5
3cf5ccf6eda372bbd0a0aab6889f310e

SHA1
58533ceb7798ad063e87590c5271e29822833f54

SHA256
55ffcbe5e5ebf36fc9dd06317779157c6fe7fcb4811f0f284fd5d2a82eda32be

SHA512
117313747b7d17ccec3a854f0a8aae1ef43caea098bbb431ad301bb084b0ed2a1c250f85d1c44644ebce2bbe28bcbf3ab98726378645ebc384ddc919ffbe3c28

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

Filesize
246KB

MD5
b7c9bb7b2db8be72eda5d1e0a502b6aa

SHA1
ba271d7c70c59dc8d25e0af746c5109f975050ea

SHA256
a26bb6bed7cbb2089b34bdba8a0dacc394fef3dbe44a7274b4b96ee19923e953

SHA512
263e5ddbd67b3c0888d226ca6703c29cb10fbb2df5815aa2c0330ba1c2e366416b3f607c223475459753c1164deac86ec670f1d302376dc6dfc2befe201bc7bc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
227KB

MD5
5850d0006d0399e973df87b405f8bf6a

SHA1
7c3c68e0abe0b47916be84c5b959d749ec1579b0

SHA256
255b649e27f6a668f603a88bb49f6e7129b8af211e156932bf9cd3a0d3720122

SHA512
c7300a976e2901250f6b05e20b30f565d6afc6cfbc144743bd4d11a0359653c8fd65137ed2d386d0c6fa265c32d2606182abcbacfb4525d685fb522052d49060

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
248KB

MD5
d950d2cebb09d0554ba9e6cd130206b7

SHA1
5d134fcc0ff8e58fbfa3d26ca5ac9725a5e0d83c

SHA256
288340af62689312f5107ac8ac7f6b8f26ec8cffa3ac82d33b6c6bf45c898ea8

SHA512
f1fb40926d63da69a3165ee47f5e061ad3901ae9d31742362db34c043a14ed3ef595ea8e61d7af71b2243759e620fee090ff5ba3173b4b3676ee63afb5c50bcc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
249KB

MD5
bc00dd3cf9d0494654fdfb8ed68add24

SHA1
a0d85da7d33a2d01607e66becf150577624a0706

SHA256
15bad0a41e4ee96aa4b5647dcc8d2b7dd85f43cc9f5b59f34062e316b49478b3

SHA512
26abf3102c6c6acd476ab9281f19c09cf78e16b6909533c9fadb5c8e86379dfcd83de4f0f09ccd3a1129ba49ec6e08f1158c3b3fcdc1976a03927351a549565f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

Filesize
235KB

MD5
0bb07ed9daf89e1e0f2a498fd45ff8ce

SHA1
3647dc6817ba09b3749db1d2dc72433143d060c1

SHA256
b777c2c090513c3f689a7b7a75e5efc9757b01411df3381ab2babb8096d31f23

SHA512
db5b8c21e0d6017e88ad94c81e41f8d7890bcfd5a7ae4c79e9cac3bb228e33fe84f196a2c3596a04aec584260075980fa07c439fb3a1b90b89f02e6da66e2421

Download Submit
C:\ProgramData\raAcwAUo\jeskAUAI.inf

Filesize
4B

MD5
d612e5be55626990a5191f3e9afdaf9b

SHA1
f41573aef07d8efb455ae92d7f66baa0b37109af

SHA256
c6a0ad0658c0c312308c361e0dc65422e4c4cd2d97ebcee747274bc0c764738a

SHA512
af38814e040f690af90a0fc42b92c7a587fff060a3e0bc5cacc035b21f6d45e992326d6cc68e3348ea91a61a85bb51134595344716f06988e31a9a78617ba121

Download Submit
C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118

Filesize
16KB

MD5
ca649352f8c5eeb886e439ff4fc79ba5

SHA1
276774d2c9f1d93cd398ad3ada3b141452a5e877

SHA256
b1137e2c17c7d2e2fcac46bcef934b0915c77181bbe99b90556dfb3e86a2b0ce

SHA512
757845fef605f0b1cbbc6803f93079619a08376ff57831ef0319fe5c2aea787d3a82d1a1a947dd579099c8c64f03a90d9a764f87b4cc6ea3c42444c6388dbd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMAI.exe

Filesize
750KB

MD5
3d747a3d4ead4b7e0f6cf6d8a92bdc32

SHA1
97e86e1e72424c01966f11401e652ed08f6cae14

SHA256
906ecff32265a7f9b585a6bbcb874dd9433c6b08dc29cfdc0b50cabefff5b330

SHA512
8a8a16d0ad081e8daca73d070619bea36417089f647c82d25fc41cb98d3065bc6e9d33f997518e13f11b9c84683995076acf8f40c54784671e10246d21f9d520

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUga.ico

Filesize
4KB

MD5
e1ef4ce9101a2d621605c1804fa500f0

SHA1
0cef22e54d5a2a576dd684c456ede63193dcb1dc

SHA256
8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0

SHA512
f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsUC.exe

Filesize
515KB

MD5
fff37c816e2deccaf949a41c58a7e199

SHA1
f6880572abbc38329e9282cb3d20526abbacad57

SHA256
cd04c9c1f9216de9ae8494973fed280985be9651530f03fe9f91f49976fc078c

SHA512
a1748cc0aaddd265930f93f2e07faa1273a26e8c66943a9334c0298d0718ce452acd8d325ef23cab27e854bcdea465e0906afbe4e47a679bd5eeeb83898fa83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUEQ.exe

Filesize
232KB

MD5
86e5f7b09fce91bfa2ff7812ca18f35b

SHA1
c283075aea33d51c984c5e2ea0f180f6b34e929e

SHA256
843ed455e769402a6a42e2d47e522bc092923ac73fb161495a1b2e08b5edce62

SHA512
df4753f78d4ba94d3a716407d1943c3992ae637e32203280aa4bb5ecf0ef7569b3a79766ec0fe96cf5664c3caf55bdbf4b847ce33f07a7e0644de3fed64505af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coggscgc.bat

Filesize
4B

MD5
e9d28bad16dfe97cf5fa1dbf16ee07fa

SHA1
1e6a4d985d50170779610d59c1cf68c40ba186bc

SHA256
74316a8e5dad06b902c5101a3aef990ce87394a772a113147f8de79af5104053

SHA512
a1e160cef4e0295750d786390324132e7b8bc5bbb9dabbaa381217df6d500463ef310ca84510844c7e738277c969c404636bb849cafdc2f9a88397c05a1f5b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\CugMIQIE.bat

Filesize
4B

MD5
4dbe98821c92ddc42ea967a1b0196c0b

SHA1
9a8f964f61aa9009fe37173c000583dfa88e3cd8

SHA256
11a2cd0d3762fc32cade4198fe551c985de26ee504aed1c9330ace0c9603e346

SHA512
ce374e7f6f36a408cfcf6548dc7e6d39a8feef5dc4155e670d841321267497bc236744c0feb5f46e1a20e76fe52a5fefa33fe8da0edaa263f5969cf25d3a607e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CyMUAQAE.bat

Filesize
4B

MD5
73dd19286806eb30196b96c956098a4d

SHA1
473a801e54dd9ca76c60c1b39e3c341b41fb4687

SHA256
aac0336456bc27cf97df8e10b678a6d045d37b035cbd630a85426540a41d8641

SHA512
8d3894ab4e6f65ce990514f2631daab12615b387285823887a19b049def9036b5ef342c1f5cda622c2572973f69c7ef5d223eae76fd49dccde0a72c706d52433

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwgS.exe

Filesize
230KB

MD5
6a8bdaa5eb74008f2d11d88d772200d7

SHA1
9fa599bc07cb61c077570fdc0965fc90a11efa0c

SHA256
215e147863dd439f9ceea87891fb26a4ac81ccbd90f71b3fbb1096316b5679f5

SHA512
2deb82f86ec47fecca983bcaf866c9e711718526c0ce5920ade78cd9690b7e5fabf85df18734e7cc005b2aee7eaec2c670e76fc49a54c5c3dbbf37409942389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAAA.exe

Filesize
241KB

MD5
9b31bce3e262080d6caf522ee777cc0f

SHA1
57a2ff015286bfdb3810b9970b188f0a8bcb34bb

SHA256
f61af94a2b980aac94e8297c2eb7be947e378907abedbfd24f5b29e9ec03830c

SHA512
269eecd9d8c24acf3fb49df534288c60f0299e7ada13606ad430958b8daba125a4d7d2911efc489575c3415b2b69f1ea41fe31fe006e3ce1bbcb7484a3fda549

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEYe.exe

Filesize
251KB

MD5
e1a786159d30ee5ab692c9d65141e9c3

SHA1
7ea4190ec4b65578693e5392804f0bcddf2b5b9e

SHA256
122eae3b5a0b7d59bd257b26440c17f17e5ac75a27251292c842ba83f01f7f53

SHA512
7af0363f4b091086ab6650921681cdfa3a61787db86d933436ee0fab9a86a498b5deb2e3015be2d06d9c9eb02ed78228654958d25671eb1567c7e70e5570c39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUwo.exe

Filesize
236KB

MD5
97710b87de09199e4f48c92430dc757a

SHA1
7e1d5cfb7307dfc43a75fabb75efc6edfdfa024f

SHA256
b096eb6a447dc6a90a2b9e6dab99d393cdeb529dc28610bc13eefead1580f1cc

SHA512
0d796d3bb0d1d0eaee5bf9ab296046ea20bb901d69a6d34cc0d415a56617314d8f05af49946e62d3e5fef0831aac2743784c9e2a8b65f5ca525a9b33ad9b8138

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eoge.exe

Filesize
241KB

MD5
5c44cd47ea9147b75b6a16bca905c909

SHA1
901779448ff72b22b94f27527da8196b9db3f6e6

SHA256
02c55c030c12ee37727992c84961408e0adc3835a11f9476bb030605dfb69534

SHA512
ca2a64f7a2aadac4dd4e1b7e787aa4816a072ebcc950d9e5bd2e6cf38bc1d3976e797def400ac30ffbb7ace050386d68b7711cbd91cddea1c9a6784cecff2775

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcUc.exe

Filesize
231KB

MD5
9619b1e7c26afacfc5e507ca06496dd3

SHA1
d6af78ba925a6e42a3ff9cafbbfe3054a4146593

SHA256
baf7add47d8c0ef3d2fcf2f8a3351207a189b266f46c87e66bfa8784be8ce5aa

SHA512
91a244f510d408ba87803d4c022c19ce160ac64c8231e23931e1efbbfb4c2298f742c3ac31fec485157941268ce6be37641981c5048339818ccff751526436f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fkso.exe

Filesize
939KB

MD5
c2cfab36e4559e72de9e0ead142594ee

SHA1
61c9b05a4b18016b6c7eabddaf104e80e3b98426

SHA256
61406b0da5563a9fb9a8dc686812e301bce38d400d8fdddecbdd9e17c43d8cb8

SHA512
41be3401ef8c7ee3f64b5641ee49726a062dad3f4776486e3a5cfad5db2ba76f1c13ee384129296f92e75527cd198047bf6c318c2c78fc5f5456ca2411992bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkwS.exe

Filesize
230KB

MD5
901d14e80b514bfef9df1c60f3a87ab6

SHA1
a57575bc3af745bdfca674133b3495cc4611ce4b

SHA256
3b6c7138fbaa6c84eaf0012885593bab663a81ba6a6078f3e98de0551ea22f03

SHA512
ed5e32476128e4e9e0394d9734b2d32c9c9a33ad25155602afa95b7e4020dd4b9f02b2903c6ef7642fcbc44bf1ef80666c35d99dcd2a9bd7ae5ca439b96bc86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgoY.exe

Filesize
245KB

MD5
cd83574a34b87933eb3303847697f9a0

SHA1
f57259870e51bd301f59b709632eba40afe859c8

SHA256
57a7f64889c8ce73acb624fb010983e88e32dfa3b5f694f3b708b05544b4c656

SHA512
62d5a5699bb1949033574f8ac4985791268d172cf7047b8f604cec99022e45b0ed03c1f22fda0e95e6bc29788d34d0cb415c1a6f3539ff3b996cf859bd846419

Download Submit
C:\Users\Admin\AppData\Local\Temp\GksIowcs.bat

Filesize
4B

MD5
a2a6c12ba45fb39d2b75c168b50f5d0c

SHA1
e93d5b29185cd1fa6f33ee37711abd6d58f76a94

SHA256
55f5ea1e43b09a8415ff54f53cbeefe8b513e036578eb60dc4468bc8d5b46965

SHA512
ace815b37fe8f27628fcbbde88550d716d567e2fe7c4ccdd630ecb93073ba08ded65cab09845c7aa8a3e5835725899dc7a9c9f2d525c0e5a41754415cd26c0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAIk.exe

Filesize
324KB

MD5
79a903f744617eb73f67a30c11477e37

SHA1
186bc6bfbf68abab34af5467aee400d9cc180bd7

SHA256
2110499024071b65b3e98188e4701a64b969bd762b857c812c61b59b0418e34f

SHA512
60325cdae565c654437eae0745c0a190e24e4131ee41a06d017596f60f671befd6c0d8ae02d438a5429e1171af90879a237105b6e7f8c1dc58a92fce2cc0a24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKsUEIQc.bat

Filesize
4B

MD5
35ab47b944d67d122307cb85027c25d6

SHA1
5ace5a1d196471f60fdafd7db16650f9a72a0364

SHA256
b79ee68b26b137f5098918f118d146a6de1e79e96529e3471f5127a4457b7067

SHA512
1283f56c0d62d1b4b6c64fbed57cb844b71be0fd1880ea9be0d8c38a813d8e2f3806dd7b0d1cfffb16e28ce4370ec617b955314b9243c82726bf6a8033e8df4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcsMsgsU.bat

Filesize
4B

MD5
cca1d426972843f27d786edd442d72bc

SHA1
693b673e010910e5986af33010644c33d9a3cbb9

SHA256
5f5f3d8ee59fc9717d981bb786cf586d29e2ada3d9b31a3530ea8ab00efc0884

SHA512
32c2443054ee17c319c03f84b9e342c2f09eb30fda108a8b1934178c405ff9b2ac86328517b0fc9d20edba3742224bb12e22352eadbd47c5274d217771d9bab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgkE.exe

Filesize
242KB

MD5
9ca0a47fe5ce38bf57bceedd46b3297d

SHA1
c6bf7c9a0ab46349bd9ed0f64a89fd11a994bad3

SHA256
a89e9ae5d911ace43567e4b7e0e76f49972ce966e1f762edb2949b9408b21836

SHA512
1b4b5161982d77480e5e5b312a2fe6df6ea48dad509fadc4bcbbc5d6ca687ae6b7b779da85c3ff19637db65eb890c38c1c4900d28a95b85ebccda03439ceb269

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmIkIQYM.bat

Filesize
4B

MD5
0fde2a78b364f9563650bfc2c47fa93c

SHA1
2e9c4575e7abd3a35f458fd81b39dab8f1d42e6c

SHA256
b6c4217f2e2b261c880900d40ffbe4cec5d0cc3398c6b273dce6749c5a5ed672

SHA512
629f2e3368fa7016cfa1680343b9aebdd0816301801fefeaf6dc4d3bc2f5a79a3768cd2c257324793f6df464c68ac780163f11b82f07c52235b8e350e938d343

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwYIgUAE.bat

Filesize
4B

MD5
ddd98a119943872123791c7f6e293f3a

SHA1
2f40abb7324ff68cb64417a422e0ed17bdfe40ba

SHA256
0e504e3a0ee40cc52a26881078c356bd01ff351e313c08361854528f0ea29d2e

SHA512
e7f996e44485f3988c94d63333f865e60e4a0b5df1c6b61a5f4778005cf3e5ea6e957a77cd78b91aba5d80ec167f067e0355ffee56ea68074b65a50b731aee5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hwse.exe

Filesize
579KB

MD5
fd59500700d5b10e5ddc5ceddd504544

SHA1
c3ea796783ecc750218284945b1af13f9b7d3297

SHA256
04d7136a05fef1f4d981a0685bcf7df06efa96444a78e3a56c21e6295564f532

SHA512
cdd9a78450cb0bffd003fb9c56856b3e86b0852e3dc065256f5e3f18f2677e401518835e2ff6660db1f71a0f89e02cb5272997c7a58a941a17766646ff5fd366

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICkMkgko.bat

Filesize
4B

MD5
209f3765fd5f10d03050c59d093fdfbf

SHA1
b0ee0a3942b51cc99d06fbb993b3b4ed90a72acf

SHA256
e1af928fc34b23148945f13f7bc8d896ff02bb69c74fdaa34f05d178ce5e4116

SHA512
5497ba08497ae06173bbd4bf6f225565c6dbcf88da34e5416ff55917af26ee9588f9254f6fb55383d9f0a0729b2f3d1f7cf6383c185ba146a21052ffed897406

Download Submit
C:\Users\Admin\AppData\Local\Temp\IyccQUwA.bat

Filesize
4B

MD5
b708e1df5909146fa7f1a04feeeef90c

SHA1
459875c436297c0005775c3b25ae4956e43d190d

SHA256
91506042ece347ca7d01e0dcde9bc0f9ed8d49b2d28346af2000fba9e722437b

SHA512
c8bf09a24971747adaec324c83505ebe3adf55e2fe2f064efb3206975492f844498fb5b7b2dd020ab0f868fc0f3177a581a7e77f7de8353b65fb428cb929630c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUIw.exe

Filesize
1016KB

MD5
ed97d2f1e231f8a64476a0ce22edbc8b

SHA1
4cfb0e362201e4c55fe00d491444c0a9eb242441

SHA256
e3c3043dc3c6d0fbf2b0970c0008bf1c69603a8137bba1fc178e08b42a104e11

SHA512
fae7a19bb189d9d034370e33bf31d97ce40824f103e282969508db6f3f306b098a852f89d8b470e6186d8f5ecd5f678597459efe1aaca8b51e723f5b1dd561f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWEsokIM.bat

Filesize
4B

MD5
c643b1c0d40475e18fc35999565e266b

SHA1
1f93b4c5fcb7806acc4bf3f7ea711078c30529e4

SHA256
cb89a4d228594d90519a5dcc5b1fa58e811c43ae433d19c2d45390622f6f9073

SHA512
a5c35a5b2b46ae5dfabfd7c0d06118f89bacd0ef4631f5914e01cc04ae3bbec33a5a6586ea4d68be77a0ffb77a0c3e3960b420b0a40f17df3d49271dc0f17553

Download Submit
C:\Users\Admin\AppData\Local\Temp\JuMAUEMU.bat

Filesize
4B

MD5
1de929926d09fd066f798ca00213bcc0

SHA1
ad526484b6913346c8637085ecfe8f9a24eb32eb

SHA256
b1a02503e6da1d7eaf957c20df232ca7367bf5dc784c601e759ce99feb26ebdf

SHA512
d5dfa07dbd1bc3cde5b289ecfce89734cef9f9582b31f0d8d3fb014a5f734480c807e4a7490eeb6e8ebce2cd1a6616ae66ef4fc05e32e23229bd6f47fe1fd596

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMoMccgQ.bat

Filesize
4B

MD5
c77cbf9f312200ae3c9f59c17991c43e

SHA1
6c2675a8a2d3066fd8ae43ec324213a6ade3e192

SHA256
19e6bba948b78334ed582125565c688d304dae286a3c89e82e3b9d2b7b4289e6

SHA512
87a0f0254ac1f3a20152849beb54a5fbecd0500832b2b98f6d7e802d0d54c7ae5005aa40c849db8efd69a7a7bc697dc07444b2880a4b551b9cddce9e60816ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KSUIMUow.bat

Filesize
4B

MD5
1b50aa2b358ea140115a905a7cfb9f48

SHA1
4561e54332881fb0e8d564ced9ea85723ea230dc

SHA256
a310163704a606c6c5d5584c6913d07003ffbcc2a881acfabe29f8e42588c8ab

SHA512
7b86ce22df88e90bad29d01e1dbcf7eea9a9cb6066e719a752878722eab5058977c27e8607f08e7fc7fa34060b0697082bad378d8ee7dbc58480620a0674bcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwe.exe

Filesize
228KB

MD5
dd6ac73b2df84b2b0e6fbbf0d2661132

SHA1
ae7bcb0a3dec69ae48f782a7d507d06800406d40

SHA256
887ae70227d709642cbef25f9042a5afa2cee30095679ce06ee5f14acb7068f3

SHA512
d5c5b984b591a6bdb7395f750f38af52910d2dea91e62cf665fdcb0bb63972032a12f3ee3e38563cfab99a96c60a3e8f87b56875189bce52c52d22a554faab22

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcgK.exe

Filesize
233KB

MD5
9a74184a06f565f1c7eaa6dca7514332

SHA1
a7984dbd6500bb1c05b3ebc051b08e2bebd7dc61

SHA256
89e4dae0aa134d7be9cf5e5c706f9c9912312d8ec24d566a3aee219dc92ec5d2

SHA512
5217cbec75c1d3515937315ea7d9dad9bd11dc6879799d0359a5162e998b57d2c5b7ce3c966bea9361184535e670c454070cbf9204e64050dc1f2cfd4c72e44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsQS.exe

Filesize
232KB

MD5
24f47338b2e18c123c9bb040fa8938b4

SHA1
0dadf967f63c5525827a7cef3118f1c74f3e0685

SHA256
33440f3140457ad8eaab250135bbf1e775c61e03cc93402fad438c747cf6047b

SHA512
1fb5552de1b114b67fb725a9859c14e3e94f3432f1613c57ff5d382e10cbdd846bed750d7e0341129e5200d16f2e139eaec6312012694af2bc5250377892d6f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KysYgwQM.bat

Filesize
4B

MD5
eecd316204216c2ac0048aaeb5243d33

SHA1
dbd601eafb78a4eabb899ac8043c3bd9a17be815

SHA256
e0cea66581e909075ee610c2645505381d4f515445e6cc545e22a4e5cd23cfe0

SHA512
cf0e1ed4123e6140f243e1c51cda375ea4e2ccda461504ecbdc6bc63ebc60a680f370a7c6d2fed265a894003e17087971a62f3426e3333a352336dee513e1f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEAw.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQQc.exe

Filesize
653KB

MD5
bd6880170f46af9750ead98974c46f20

SHA1
5ba3ccd76db73b3d5c66c5986f7dec0316ecee58

SHA256
e24922cc15aaf1eaea1c6d3a1404a589304bba7291847e6ffada05220a212f72

SHA512
78cb84b1a3918477afb990657c75822c295c201870fb36c4c9fd14a0bc6f82223b3514a6e90a7dd96b088b973188bcef20d3571f8fc8fdf19b7713938b94b5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LUcm.exe

Filesize
421KB

MD5
95575ad864d2e3e05609af19b072d5f7

SHA1
fc3544ac85c1d2dc2de0bfeb293e8ffc2a2b7742

SHA256
a19daf09ca5affcedc55bf4c81510571b248ce2bc7bb440f4ec3e9c342b90cd1

SHA512
77a97e902e1baea2d52df85f8e1b7854eda74f574989e54144db922b29122276de20ac2e5d6ccfb5fa8b2abf42f42bea8abe518965dfb8bfeb442272d40f1d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAIW.exe

Filesize
857KB

MD5
2cb66e411d2618cbdff6937d326a7275

SHA1
fabc1c9baed51e6014033cb5397275dc54e69a9d

SHA256
92d7887caae9ee3cd15aef9d2b950325d58d773a9ad730f26e7a2c6d01b3779f

SHA512
2c511ae7874f5ce0a5ee18d8c905600ba44d966061d125ba4d4126d27d0a9841c709aa5a36c2082afec16db73b6bdf377d076a4d9fcd72dc82c302d08aeb0948

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUgoEsoA.bat

Filesize
4B

MD5
4c5ee324a0a4da8cb48176362e5ee67a

SHA1
38cfaaca7f482bc8f489ab4fe6ae41e2ebd10314

SHA256
860c7cf512207525688b4a88092fe68afc753af36911c2db7676d10e17c81107

SHA512
d3f1c76bee6036ec63cb7bae4a83f58c9f6acea9448bec0d60844350bddd2af06aae7f2c3ef54e4d59408ddd2eb76f5e264826499c1fa1b49867d88e58ee9873

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaYsUsQk.bat

Filesize
4B

MD5
5b9948e7acebffaf8156f73a7a14226a

SHA1
6932615bd29102f449a4a8a67a0b5369be3d94fb

SHA256
34a3cb6975c19fff98fb3847935721aec1d027212442eb84665cc2cb1a9326c5

SHA512
1a6b8930001d954104e98ba1e095ebf75a1f55f3e5368803abbdb645c0ce4da7da51f8a690155545da4386fe43fdbbdd114b8902daa06c007d30148f1998c837

Download Submit
C:\Users\Admin\AppData\Local\Temp\MowW.exe

Filesize
234KB

MD5
05784ee9e8d3758563698a6d71694aaa

SHA1
f26540aff449ac377d34b271973e172fa0d2da5e

SHA256
2f0671c51e33b1ae29d27ea4be77674aeca6ac38d2106da50187705feff129f4

SHA512
1b55a2c6e258e5f1cf6a57b6fc8df5dc485c64e0c297cf2aea39120e0f985aad4d033a0b0c5bcc051cdf230977ca039d47b225b2defa7b712003ad4bd79c1c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsgsQkMc.bat

Filesize
4B

MD5
a0390e0947e428a5a990167d5cc01fde

SHA1
1d83ce4eb5667f79b45748d5994662763ac0ff2e

SHA256
f374dea5e1c92c60559f20d43a8f00e39d8cffe6eb8a87869e9928085bab47d7

SHA512
1671a8ffca85c92f829173aaa5dffaab6a4bfb3271feec79a554a72cb5d6bab455230b43848f73d62da401ca9ef3e34b3c2bb7d49d147cf2cb09d307eef7dd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUMS.exe

Filesize
241KB

MD5
f22cbe90d727722db63feab034daec40

SHA1
1266a26cc78369ec170b3c99ff0d6287634620d6

SHA256
ae6411117f50877eb8f292c7cb90afc2e56c03d70519bf97c214fa77203e737f

SHA512
29f1491891e36df4f4a3e028fc527b52dc75919bac14e3ec7218ff91219c8c4cfa0beea1eae3539b7dac9c0c765ba356d8c21cf16d443d1205140bd0064f26c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkIu.exe

Filesize
473KB

MD5
22bf150f875522241e1b6cfcb73b9511

SHA1
fd29abe82bcdcbcc84f5bfa027f16d1a1cd5cc54

SHA256
fc00eb47fb23d90b33606a3431f7544b202bfed00df3f798adfe9c002a463446

SHA512
c2888789771511f11f08508794f91d5c89906e651e43250a7e0a0b45d3e812d6ebb9b4fe7a02b7ad4d66c9d7e07756a1f1c0c1b16d12a242d7a22fdde047dce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAMM.exe

Filesize
247KB

MD5
1f0c7163d26a40f50f89e7b45605225f

SHA1
5503d13748083f228eab49c319e84011a6ac4512

SHA256
13f55dfd116fb97950aec3b61bc9e07b1d12cc04b476bdbe3dea71f3f0243596

SHA512
6aa970bafe769bed70cc31e5bb526a828d9758759110d4563822ec0d6ec880b34b827451587f35d4f59e7ab8c38cc27ffe23b981ae675794857061e236b985ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQka.exe

Filesize
247KB

MD5
4c276771a767515ae5de208afb47d61e

SHA1
0c5a6602b2ac6e44897f2865ac388b6bd09a178c

SHA256
914ef058e74a3f943bdae1f05856effce590f18eb5d29a70fb3823a41a98db89

SHA512
bed6de621e801844e40edb5d948e6cc8ef9a70614b9d1163fc5ca7d7ddf773214b8e7e985baabb7ddc305d0a8064d223124cc5c3f874a0b010c57d18b161671e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUQS.exe

Filesize
453KB

MD5
30b9bd7f9b62094a97d96089cb917f96

SHA1
8ab82889640e63d80f60b20fbdf47ddc216be059

SHA256
c8f5b1681dcf4fdc6e3505754baa5faa84cb22dcb281c3b9fa453412a074ca13

SHA512
850e55ab2114cc2f4dbf0a0070de6aef7bfef8e9e1b14cbf9f1d3d5f59007f26da8689327f8bbb586b2f6fdb87367dbf99e09c477d7afcbd247de2708c347744

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcsEgsEY.bat

Filesize
4B

MD5
f2f33132f9d661baaa2a8985c2d7a62d

SHA1
3dd8b315b458a9c305f5d29b5d75627591f05c3a

SHA256
d69577e9965a0adea7992c8938f8d90d4836ab30f27126cab4296245f8db2f64

SHA512
7e3765ba6ea721159251282b35170b4975f8a91bd9104ac0e54968ea12020b9f0449c1f08708cff2a156848c353d0096334fdb0e0172dbabfaffbad08e46eb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgIY.exe

Filesize
503KB

MD5
36fea4f9cd574e82b186e6930cb88d16

SHA1
0d4a61ca6975c2e8780e6099fb7c93d8ae78ce73

SHA256
51b29c3a15bf3c34c8cf456f76bbec6c01d6f5bb0fd58c64b4ff030aa7e2d772

SHA512
52bb6e3b2d7b86a070f10e370dc2e7ce40c7f63e66e5b3dfbc21e3bd042c2a8845f9a33ab49bda63f852e80a04ebbce7b36b736d5af99c8ac9338e7a76f3e162

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkssYQYQ.bat

Filesize
4B

MD5
a6c408e6c3eb40ce45d189ef345bb2aa

SHA1
c36b50982cade75d3ec6ebb5c9108586bf663d5d

SHA256
a8c91484ecc13935eb020909254e8ffe9749cc3c9f6100582cad20409f67f1d3

SHA512
3457bc0bf3eba0eb6c1c808201277aa68ef2caede6eca380952dcf3c55727270b801365a2f4f4e5245af76ad89639c753372741037e8016bd3bbeb7b7d3163b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pwku.exe

Filesize
238KB

MD5
d51fe033c8da651971429223d1d6daca

SHA1
a4319573630c1cc50c09046c165127794bb1b25b

SHA256
6cd8d509bca028ce9dbe9fdbe9e27b207587cefb5f3afaabc3b18ba5291ed981

SHA512
1fb7b87fe96075de510c919b3011729a9e3da0980899bcd84dfd5c716e489c64fefe1a242b7934703d8ee24d509d4a9f4210a526e8d3f50edb76ed4b8040ce11

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYck.exe

Filesize
236KB

MD5
4b8dbbd17386f2029f741d1db6351f08

SHA1
05996bb94f4072e7799dbce9309208c05e72cc07

SHA256
c9bbd8a709307d2e65dd8107fc5061028e2833a1ce25a9da1f4893a7b9316e98

SHA512
7da3735a378f6883f1fe1195a4c8d6fdeeea730107b51a0133ce9257e605e1c2f8e30674002545f390bb2f590d7f3fb751cd398dacf652c5bd5b96f87482fa23

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcwG.exe

Filesize
226KB

MD5
af1635cc5f70fcd4057a579c89d98841

SHA1
fe1c3ceae16ce78095b55b8590246824e7d97550

SHA256
c4e9460e60733c8edb5daf63b0fbe3b9800d83766b2c7dfc199cc8dc46badf70

SHA512
42ee039686f725ff7a592b0135bc9436ea669f00460c633e015c9ffc2cd7d3eaf249beaf127e58786b64553fe7cbaf9a485b4a5e8e750be4bf85252dd4941a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgUQkwkI.bat

Filesize
4B

MD5
b26938f6a46aea9dee558340f0aa5e0f

SHA1
297c47378a2a7e5d33662149ed0f8e8bceb73084

SHA256
7f0cf2f738290bc448ef99b09edde920a8a8ce22b912bcfdecf234f0c4d88ba6

SHA512
4fd9bcad6208ce8a67b5081060d5f50cfe95bfaf4407c3b160526991ea95a9f9495b0135563f10b34730d2e33a254452ef4fd734756865775ffa07ab40d7eaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGMwMoco.bat

Filesize
4B

MD5
8820bc393e290663356a6ad53b8ab6e0

SHA1
2540390220e79e0e4db8db3228df17761a921f2b

SHA256
cb374119af31ba8c117860e97a20eaa458ca77ef56c7ea8c0d39d94dce4fd034

SHA512
8a48f18b2fab01ff01f6267edb612431b2720da3fa12f8fd1074ef8487742942173b6d1bc596184449b9a03aa36093e06e1dcb7a1a26dc5350de8bd360160ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMAU.exe

Filesize
227KB

MD5
ecdf15075e82a5e25b5f6e14ad98079b

SHA1
b30a19102db42e6678038ded6d049693538c2014

SHA256
573256f660efc42b3ad7a97b5f1d5cbcd2b949b0380aaa73581ba2ea1d73d0a3

SHA512
1751cbaf2dea5b412c6665cb01a510851059e7187cfc67a184cc8b212093db9a2b34868d21c826f003e6486e91888cb4a908a4df5833deb0f7c6dae378e2e137

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMMG.exe

Filesize
242KB

MD5
cfb7660a2b949afa358a16c6618afcf8

SHA1
67284a63dbf70757fc89c48df93601546e1242b8

SHA256
01bf7fb5a722bf65031916daaa28c0edc09bce4b6f255691450dc91d53e10d03

SHA512
3ecd6c78e439b3a0f032fdc6585333e547469c5359c013ef51954e11b19de7d5ba4630a9a16e74a9760aa3f2f836512c555e0e767ac5a4dbf4669f25025833aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYMW.exe

Filesize
240KB

MD5
4581d4bf6f73c966c4643862a96429d3

SHA1
567ae90eaea3382f558a6d3ed1729c5f353a4311

SHA256
f5cd3b80cf7d61f536924e93c7f003fd718b7396f76007667142f7815946edab

SHA512
df65a7eff6b17a73667ed77bb85fef0733b6a18bd443d62eda322777207cc33efae04e1f357c3699c41f7652dea5f4ee0ffc43f3a20a11e29a63b15951be2992

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcUu.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIIy.exe

Filesize
233KB

MD5
2c46934149e69db034cd71fc641286c2

SHA1
0368d18e0c56457098c1dd54f7454fe29600d8db

SHA256
44b1dd46c78c825cd95d1e28f39b71e4a7e7f5a18e50235347c1f64d3d22856c

SHA512
2169d17dbe9250f646f403e50185e122907235e1023f70033b6bb464f8783c4abfa16026e7fd900c5eed89323e0a4ec818e70886e90abd2a0aeef5242497db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\SowC.exe

Filesize
248KB

MD5
eb1f10a536c960215d893b9291f88bfd

SHA1
56091647023eeeb6e20377268118a419e123ce4e

SHA256
9686adb05bd8a6eff515a708b279f3c343e56e1309edd76c4c31e243d6d57b83

SHA512
72ad144aaa221a270eaa4c5eed7113a806956b4443b48f6ae37d31baae5abc531eb54dccdf633700f2425b9968c807213dd1916a5f823dc758a2cc15aed125b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwgYkwUY.bat

Filesize
4B

MD5
16e74f8b41161899ef2e4cccb9804361

SHA1
c7220e8a34ee9d429fd9ae56b08220ec49b43f06

SHA256
1b7d40b73a97693af692695ee918ea8b3814c4842e7d5c3bf96c154bbf3b400e

SHA512
5bc7b06938923c36fb5bf4759281c1aa00ca374ae95738bd6eba1803d95238fbf441ec7e78aa176a2ee246688cd007fe5b3f14742d872ba6a590ef2ac76bbcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIUK.exe

Filesize
233KB

MD5
da77481b945c2ca057986b186259e9eb

SHA1
fb2dd0ce524bd1cf4924e1f93d54279019e60497

SHA256
4e3bf0c384b437bcbbf7a6510a4362bfb4913b72390c0f7c6c4226d89e77ceba

SHA512
68501185d1f40883644cececa7df99754739652eb68274a94961c7a5fef71faa69536484f5c6cd81f4a7bbecd98204b1e8fbfe3e7114470c84597c71d75e66e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIgk.exe

Filesize
248KB

MD5
9a02c536908129b46baa4e5ed601c385

SHA1
97cc57701b7f9a7eaa303c5e7b483ffd861b31e8

SHA256
bcc3acdaca90eb9fb697f25286d286082cd51e503dadd674bcee4fa0396a2030

SHA512
53ccd426b5d8cb1c135080ba00d010b14b39598101c7a3bee6941463e8ff12038f91823437ac6b0910f43280b995e659e4c0c1425df446ed0e2d6b8c7bbeabe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQgm.exe

Filesize
239KB

MD5
ea65f902840147f9a73b654a8ac9594c

SHA1
f65289f22c3ae8f19583af8764b7b3e9a18b7c5a

SHA256
63d471bc70d771a110480cf109547afb786c149c19b8bcd277b310e085fdcf73

SHA512
c068c65ee4d443c754d56a496cd88cfc7ef6676135dead31ef777caeb8bcbe5dd2fb706dbe7d3a4ac4bbf61281fb52086aafe8c40e076b8ff087f26d57274370

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkEC.exe

Filesize
644KB

MD5
234091edfff24c7d6e9d975a7122a20b

SHA1
32ddbba1a73c80d3e58b582271ba8a2122026120

SHA256
23257867ab4efb41f764ca8d52bd32536b544a2d7345a3bee710a9ae8bc1037b

SHA512
370f6817fd292efec4ab31258a713fa90de908715baa9d7dc15669d5de1b39a3b20a7243d0b0908a8a1ee2c201c05ef672ae3d3316d1ba00ec6dd9096205185a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkgY.exe

Filesize
244KB

MD5
4dd4cd21f62da758482cac863255a4a8

SHA1
82cfb4c662ce9a010415e85fc537953ba935104e

SHA256
855c4bda5f63e4c3d94e914eff76515134318ccb0bd563c280076fc57a9e0a35

SHA512
127ac04fff4a2715294fcae2310172c25a355ca0ab5a3d8a3be6ea4d85a5762dda8b1cda112443d4224e76299236f494e2e9d9d5623b92a3c047b8edb4c48424

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tswq.exe

Filesize
836KB

MD5
88a4596fa878060e90ce9a0c2f3f7ff1

SHA1
05bd994a60b54e55c4621315692cd0bf2c373960

SHA256
b4fc614253921575a42a9c2dfc43e7a9e0f62d6558dae71e98b894d2da2bfe59

SHA512
5d279ac041d7ae3f55862087a24163cd95e49116a11996ccda61aa0e9cbcdfd5f6cd22d4bf6f5829a1b464a717c10b4d24378dffda453b911adfb0a9737619cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIAY.exe

Filesize
238KB

MD5
ce2873427ff2f55389e26d33210a6baa

SHA1
db99f4d426de70a2827211bba7e863b854b290fe

SHA256
f31712f4733d282e1f649188fa5702d1dc8c08f554f3a6b3056fef536f72cb54

SHA512
91e28a915ad2896c2a80ab9cdcd6deb1c00ba3e15b660561cc710d0fdfffef883ca842e0353e5b595481daf7fa6c9205d1f7321a37cd53c111a2a878a2141868

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMIcQEsE.bat

Filesize
4B

MD5
140966fdef1aaed67adffa06ed2a661c

SHA1
c95ee98021ad0eec7ec7d1273a415a390f21b484

SHA256
48dd822368779ead5c00c20623455d4aa026d6dae03d143edc467aa2ae4d5773

SHA512
23c59fa8a88854121313c7afbc366ed6f4839f5a54984c04cbad18944a1a1c9465d1e73839d40f009e536192b3d338134583541cd9c320b638b6dbfcfe81fae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUoc.exe

Filesize
595KB

MD5
75937467157c26f412f007ef74e1590b

SHA1
8eaffca4a827a7039031f8c799e525fed3d3cd3b

SHA256
7c9f8e58b1dc32323686daeb0713ed7eda7d7fe260e45b4867728ca79816445c

SHA512
ae6462dce31ed0ec53b79b5a4866e09b41fc7d09f0b8079b4d1bf8d3acb7cba0f0ff290c07b5a9af129acdbe21537076318bd1fc4cf105cbc329dfd5d52d8b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\UckA.exe

Filesize
657KB

MD5
d315708e75a6c3162a96280003ab87d9

SHA1
1765fd32a730cecd4eb93b6a0fb6c2baddb76ddd

SHA256
989aedab70ea676a7701340bbbecd6b875bb0a2be08f32fbe6f0def8eee47a05

SHA512
9c6633c6646b7ec56ea1ffefd3605134bfd4f7ba03176f5e0dfd61f342f8ade77c11af30454096fa42cabd1f34d4f10a8b4a749f418f9b2667818c112dd210e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgUA.exe

Filesize
241KB

MD5
ffc7af0ca09480a8822c7176eff17434

SHA1
68de844f6dd20106f9d07fa8f524ce5e938a9b38

SHA256
3e95853b85f9b4b2d1d492f77f3fb9871bac469493b77bc82c9394f9be90316c

SHA512
ca5cee36aeebf5ed729c37d0453d81b5b188e88db72784ffa73cd412e523abb83fcf6f8aac0df2ca429b793bd4e29def47b65b77b53e9d225e056b9a19e1ced5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYgk.exe

Filesize
227KB

MD5
f7069cf084b06dbc3639d564c8dfb50f

SHA1
a01e4bf56356321a2bb9dfcd362a8ceed2837fa1

SHA256
be122e7331b3c60538916607ac3f0ea03fa03a8c53ef02204f18490be7b90bd3

SHA512
89b49925dee5be58afd19adfd53c74752a44589284318bc8e8be158932c7c6318282fc47f3ef3259cf6f1fdaaa9b3b737010f38a3b2957733e29579512079763

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcka.exe

Filesize
241KB

MD5
cd646dfd3a450daa29f450209db28bc9

SHA1
a33ac1159c0793b278b549cb52644e1d4ba972f7

SHA256
4d83b76a2c878658ebdd002f1390d7aa81c536c6d4c91204a9782729d1c992ca

SHA512
1730812a5800ed55ed2594adf2be7d2e833293ac199afd2176c08da53df536c3afae3872fa896f03737e56b28f6569358430492e9571f765dc9cb2d1d44e7f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoQO.exe

Filesize
238KB

MD5
8931cf053d09fab20c8582d21d9aeb5a

SHA1
9a9b4b23b897d8a024a1802ae61d8e24cf716774

SHA256
a636c8b46f075b088ec00a8af914ce1d44b0672750b397a133c82328d6158e6f

SHA512
8a738195a13be7709e366ef997a508561a9f9d754f85b3ac1147855ad830e1773b0caee02aaa1ac1f6ced4dddb126040251b55e1cb08f19a308825f6aa00f39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsoQAAoA.bat

Filesize
4B

MD5
e21aebe8ac9ec9602e7fb26c4c6b9925

SHA1
0a2d59f6d39af31b203f98deb3729582230308b4

SHA256
11cf80daeadab0850ff37f144bcdb17e701eb345e47b0cd30415b4b3bdf87f48

SHA512
659e28b2b0c2ec338575474afeb6074b99f4cd5076cd74f9417f39f7101bfd000827c870638c6167684f9d596a6a102bca117eef8c41daca5a47a163975ad2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAsO.exe

Filesize
728KB

MD5
6c76910d1f34095857e1134407ae45b6

SHA1
fc5cd2ff5a523760e1298f35ecdbcb397030b91f

SHA256
a1acbb4cd845e31976016215021dc4a0f97f4147345aedf96d1772f2b6287861

SHA512
bf125b979a4e4f28b59bbf3f32bf2bb93ba2c2066e5b61213db597f3e6e838324549e18430b52abf8ebf5ad01d59a273fea432e0579c201889cadaa126f04fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEIC.exe

Filesize
822KB

MD5
07932eae70150a242cd6b45355db4cdf

SHA1
617c31e933a8a77a7f1b0cc0e74d5448c1b79e3c

SHA256
2e8335db7af68da008f9227bd6e7bd2bc3f8f5134f94c1e750ee3bfa78e352d9

SHA512
60ac168ac273cf50c6df83c3814119284c7c50115c0e45380e9ba2a429f04bac39ea3c28e507e719e1df2f6d6871d0074c0cb70973e03e88ff220ddba6bba1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMogwEwE.bat

Filesize
4B

MD5
4abd7a67aa389983e8988bbbe24a1ec6

SHA1
0162074ddf602239a3b1e4d1d4ea8a8e7c5870e6

SHA256
c7ec3bfe6d869d8cccc211c5c7a88ed4f580a88695eee31dff2347a976877c1f

SHA512
df8a18767022f3e138acbba4a7060fab69c66a6c6e2c25f903d76eaf03df6d524a24cd74c3629c4c948769c8834400b1127ea29fcf34a136121084eeac3ad99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcsoAMYk.bat

Filesize
4B

MD5
abaa9c5acc83fb32706e5f92e608f87d

SHA1
bf794fcbaae00696704733035dfb63faefa701c7

SHA256
de521d2462d84ebdb6d699711f4e3f035193adc0dd8d046c6346e02449fe8205

SHA512
b8938479ebe5d302863599e2de65198fc8f12bd530c5a0144915827cce85af805c515da4e2f2d56d81fe5fc62f388f5db01f32700de71c0f7610c3c587770395

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkIw.exe

Filesize
975KB

MD5
e05c6d0898a0cf18e844fea8b9b3d1b7

SHA1
0a7e02e22f17631031c1d517cea7f6e5f27400a3

SHA256
04575bf8fa8d57de6b6c26e7744d9d88299c0d335c76e1ca1c6de2eee62d9b9a

SHA512
2d18976aa40afcd15d76cbce19225d851bbb15d0aa1f6209e5198b28fb54dca45a9b82824167a56fc211bb8e095ea85365d023d8e8a810a9254bac31a2d231c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuAQYwsY.bat

Filesize
4B

MD5
90e18e40f779f5957c62972d0a8d746d

SHA1
bae62ed8a8b4ba2f9313bb43b7ff39854d78e1eb

SHA256
4bb2c8b510451c1a3cb0978d264353bade4bbe538be6b9c43852852e25311baa

SHA512
4f97c0085255a5142f9c50e61c21049fd0acee8284fd7eccfd02acb9a12f04c1a85b58542f48654fa2fccfe978e1c0baf41746c3ffa57d78202ddb4e900659f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAcQ.exe

Filesize
248KB

MD5
ec730cb15c7ec850129a0a36a8cc6671

SHA1
b41f84bc268a79de5d2d4357874840c067f1a553

SHA256
c764bf33ba5c732edc9346cc053ba11ad20e90f1dc3465113b7cf607bc559a16

SHA512
586e638e9d329c9f47b67388cb4241823652d557c7c36f02f608d21c687f87e521aafd0075fdea5d8b0266cacf60fcf5f1070325ec15018c9225657400e2d3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUMS.exe

Filesize
324KB

MD5
3dc460f2a3693423bc9ae0b5b2546c86

SHA1
628865a89a15939b4aeb9003b26903599bcaf07c

SHA256
08f53a84e7fb37617af327bff5caab940d98c347c6fa718566352210df9e828f

SHA512
eeba31db1979c2ca4e30d5df6070417c9fc25b8098091b3c5bdc518b942fc0abca69d1c28444f1445c8417bb991b752c5028bf7016ac23e076830f3d48b510d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcsW.exe

Filesize
230KB

MD5
209252fb2ccf81a33b0c80b9a406c139

SHA1
2919b101c5a8b951b0543e26d5146e41d2e2d506

SHA256
e2401667494141ca7c455aa8bb6e260caae214b5b9457f3253da3a2c130b5155

SHA512
0a2a6a18ed0ea953b91ccb3671459342ec81b2d374592d62ba3e21b2b373dfd0dad93cea5bc941ce16103a9a5ec994be34f813e35a3d1b3b4273cbcdc2303272

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkEUQkYg.bat

Filesize
4B

MD5
e2f984f0719433ddbdc2b54703aa3c02

SHA1
a0a898710597427f46bfd7fb75974ea2deab93f8

SHA256
d45562731d790abe30ac7c98bcb28884f3247c59d171915bf7b2c2a1d9a751b5

SHA512
a6031a96d3b5e14b928e629e2a8061df93d69508afdde7ed86383e27e69924846aa873b0bdf4ab970b3b2624d6de5daf11944f6b57273d83b890a58bea1d77f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZqUsgQkk.bat

Filesize
4B

MD5
3eae3c4ccdbe218bc3bcadcf025b1951

SHA1
5c3a1c6a26a51eb16ea69371a06fa6524939b8cd

SHA256
8e1ecd6613afc8dfd912aed32f80a5df7238681d2b306004e6c8ffe438d00373

SHA512
da3ac81b8bca2d45735211d1cb8455463fcfbfc3e105bf9af70992a2d8e5d6a3454dd35e0ba8722a8a5861bf6c31e5f3efb20647965bc989de607e1925346577

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMUC.exe

Filesize
305KB

MD5
0fd29fe0c420765afe83a43fb96f64a5

SHA1
b611b734f3c3b1d21fbee18e0452d852f7f39a04

SHA256
07327a95254b2659f8451821256ad32ad0d6a49d7ef2e345f61322840d1b80f8

SHA512
0478ec86d0b21bc0b1058b64bbd4911d41c8108245b5a9f62f5ef1993a67f53ba903cf1b07d8b3881f1108a023d32973af5487c07b4702b0a5b3f11b50399555

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIEssMIA.bat

Filesize
4B

MD5
eac095da3e85a3081c413f555306ab62

SHA1
6036f8b3c5a59018c21bc51b024a7e6e7637d470

SHA256
2b96e5e679b601b0d3b3620485b32f6790153f69b8ba6ef2de2ac0108730c311

SHA512
b646c2e0a37dc80fd7cd37b9931d85fc743602fe0fcfaa18ab48216968b95da756ddc5c3564a8aa516593d7fd64113b390857ebde434448f1a70baf7efd225fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIUA.exe

Filesize
239KB

MD5
43b6cc9fd0414e1a727b561ed96818d2

SHA1
70925083c843399d357930ecae48f5608c52a71d

SHA256
00f7cc8a8ba6e77da56067dd411ae558f04b76a2437c5257b58612820c65be21

SHA512
884f9bfe76cf0ff65c6acf2c8aff1964efd33766bc28640caf6bb5e8343c51c7c8de6e27195e59a4c5079d6b81b2bab70737bf139f04ed486770556d3d1223e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bSoEkYwE.bat

Filesize
4B

MD5
441cad65e542beef825d8fe82f71eae8

SHA1
80493502d5ce8bc4ac1f4c4869c26d3e1ee0cc18

SHA256
bb6f1779e891650e3be1890210fcce23bf332916ff8172621ec05f8b97df916f

SHA512
07f7a6d1635d71e8d853f21a7d7e3538c87c40f5fc741a2f4db1f69b087e394b7efe7f3d82360bf41bef9302afdac88de3af23205fb65aaabb91625282fed3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUIq.exe

Filesize
234KB

MD5
643933c66e9d19ea1727eca08fa1263d

SHA1
220f630f2a06aefa26bae9ecb104c85ef8aed19b

SHA256
a1b11f60bc6d6fafd2fa7d3dd2c1c76735b83b160651be953f425ef2a67a6f14

SHA512
77930184de7ed9efd57c63c774a258ef6f270327ac9e6058f04bfa70efc4779a9e91cfd40a5e474a21bb6c05ca6f4f59ff25cbab5e712fa0f74d7d37786cf44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOkosUIM.bat

Filesize
4B

MD5
2068da143f1181da89b02f36bff7a98c

SHA1
9e72e8170cec0692fe952559128261e9a1855466

SHA256
16027e480a6f26e2ebae607c49cf3de8fe9b4230ae1537c054c33676791c8542

SHA512
5c4f921dd04f8dcb35fc264029997fc1697a8c44fa171ad094c0acc42849b287541dd53f70197163cf04eb0128feed21306e7046d5a8974629284104f6300ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckUW.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEgMcgco.bat

Filesize
4B

MD5
878af0b3869311a4dc92f041ed537abe

SHA1
27493aef07aa9f43405dcb701974ce18a57d8eb8

SHA256
c3b5be1a8f81a8489733979e75d2112a3b2a6ab60c244f0d9654960a7281f97d

SHA512
86cb8d2aece8cc99475ed99b3d3e882feeff4395979d636b97fcfb4c3c05d01e0351a4dabdf6f4cf6a4cbc1239d1f32b74052a91b7b638f5b634dcddeb1e3296

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYYU.exe

Filesize
241KB

MD5
f986ac01f8803ffb66735f9baa638a85

SHA1
3189e34c9e4aae2583971a57c1e049367301d953

SHA256
3115e25b3470227253142c05435a2c7ff2817ee829e5e6f1d837af03b2fd0498

SHA512
6f15bb704d69c751c16197ab15f8a164aae11aeb1ab4a13b1f2fcb0e34fad2440e4bfa76b1604c00ee5b1104a165005d56df127496776ab84f34efc52fa498f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcUY.exe

Filesize
230KB

MD5
c92c774a4271d7fd55fe42757c5947b4

SHA1
56888cb80b20b243d77b8fcee76cef60dd0f61d1

SHA256
1f19d0bd52bc4e4c33889dd70863f525c18ace754fea9b581be1c078b52b4f9c

SHA512
e4f29f79a63227e6eb15e0ac619ddb6ceaf545b252fb4ebb97a927c04713e78b422d0dbd511f5085f870741b86dbab15e282bd2acb34fedd6ca4d2ee7cb0a83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwYS.exe

Filesize
235KB

MD5
b758df729922c1500a219e347768d724

SHA1
6037d7fa15d8a6111721a026508ee8de63e5cf9a

SHA256
df92df9b1e38c13d202463dca9d49f065b95565d60d2ea82ee0a2f114985b145

SHA512
f79c0f040a1d131e76c6ac395574091accab45415fa5b89a1029cc7856e849ae8a6407b445da30726878d8946b4e69f60f1eed9af524951436cc930233a2c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\esAu.exe

Filesize
973KB

MD5
1dd6ceb0419589d06f99f11722c5f349

SHA1
564d1deb6cf1ed0dca764197da735d241d7341df

SHA256
a0cab61adcd315e3e0c6dee75f995d77c7e773cf8698a9123b448133112b8fb9

SHA512
5ff4d27b2652e586b1bcff82e9a4118c7d31a23dac9499f299944bbfa1f4ecc59691f79fb67e25798088b177cdd696d86c8a71cfa741b7c3376376218019de2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\esoK.exe

Filesize
940KB

MD5
175b0e074141e1a072a70e7a9bdf88ab

SHA1
50859ec1eb5ccd9fc7eb3f4634516534b810db9b

SHA256
06915d7ef547a7985b12871b570ebe20512d269fa129e2ee2ebf6f7a35fa1181

SHA512
238743fdd59005f455d136124ccb8939c7578e5148714331f9de3c2138c40009e755eaf91da140f19242e7585c75f9d9e2f39c9fe0f3fbc3bcbca362a90934e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEowgIsU.bat

Filesize
4B

MD5
3460c6fa45d0168710ac7e7aa01c5738

SHA1
afa53fac911e091217f27042ef8fb7968efee15f

SHA256
b9cee5c27cd36803b8d67a71598b8298dfb7ab63dc820687d5465b3d38ac6f4d

SHA512
8c2ea6e00447e295b2ce13ae782d89f31d642d7d6aa83943179065061888bf7a31a6dc9d1d8277c52d7801447f9cbc0a31b229391319194220f556a4989135ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcsC.exe

Filesize
8.2MB

MD5
f58119dabf4ad6a7197e0da529852e6f

SHA1
e2ed220be4ca2b15d64b8fbcc7441dec4986740c

SHA256
d0fc2feeb225abc2bd1636ba7770814d91b990139627e8b63fd0e44c9cb7d7d6

SHA512
2afe2e0fcad2d7dca7e78c7a482ed1ed50a07e061cdaf9afd2de8b9dd364f74aa5862f522b5135845d21f2ad7f9e81c4fe7c90d518e2d364befad19a9efb3e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsck.exe

Filesize
236KB

MD5
4f880e995a78e7a095b54868b89b030b

SHA1
621e1a58c191e9a828c15f6d79aa0637e158b057

SHA256
5aa61eaf1100a5835919c9647e59f42b71003441184d5c73e88b2856faac87cf

SHA512
b330bfb948008331351a2742a4ce5966eb4346ab265ab47b7c4de209620973b225fe791de47d30122cee5d137f253535ccb27b01fe10654c8df13a3f63f49367

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIcc.exe

Filesize
210KB

MD5
1fd5f9cef83cc854517ff97a9551f8ac

SHA1
25a5a6e3bb9f7c737b37c58ceb1728ab213feb0f

SHA256
cd0277498d7f20a1a5d8756ca025c6144357b1ad5594df6d649044ce98ee726b

SHA512
5e93101eb3820483bcaf8f4638f86a9415d5d7b6a6c7c810060264cc5e38acdbc5db9b9dd81bb1ade713fb48537343c775f6487ec1c64de385bec57b9373edbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIsS.exe

Filesize
253KB

MD5
d6f8cef9f07123449eec531666519aba

SHA1
eadb530d9d7f62504290082d1414d24bbdd01347

SHA256
3668bcd173e9bf573e964e2ad236cd8c2ca54b210d15d3ab33bbe1670a376cf0

SHA512
de469ce2fdb27332217cbd6c72578deb8646d48ec3fffc15defc17a5b8740fe48309c94d8bd9e743c55ea678041a6c1eab9ff00f98739f790c3ac8c58ad9f969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggAk.exe

Filesize
252KB

MD5
b80b1ad457553a08ff9a08b6f3303579

SHA1
a2ae95f2a8c68bd82437ac1e0380c37b646d2a13

SHA256
01bea8965952dce53415aab9af13b738d482c76f5a82c6deb5ddc621158954b5

SHA512
1b17a61c7ba03a18b9c1e21d6629b5f7ed1113b8d36dd3c97d1134159a7a1e06bb70987ed5681d6dbb21c7b75030d2d5df53949ec65ff59a1e6a25a7df2e889c

Download Submit
C:\Users\Admin\AppData\Local\Temp\goAQoEQo.bat

Filesize
4B

MD5
cbdf7f19760e63d6a77fa113c361be8c

SHA1
4641b89aeb394a70217bb4afefc5b30365447971

SHA256
32017e1c7295bf396a1b17458fcd0433dafd520bcc61fef008887c6ee168098f

SHA512
dc99a994f14d404c4fbf3062b75a684e1cd6bca50a370fb86ba3ddb99fd91be9528495f2b3474ea14c2c63823cdb0925892be7f40ffa360edb5d86389d64838e

Download Submit
C:\Users\Admin\AppData\Local\Temp\goEgkcoo.bat

Filesize
4B

MD5
0f1cceaa693d4d5577cf94dbcd9ee143

SHA1
3ab551ffc2c76ae6a595bba3fd737fc3f49d3c56

SHA256
6781247d571d58a22c04a1e26fa4333479b73f50048d2956488c6f6721703d5a

SHA512
0ff6af7bfd5686bbb8dbc37d52a46c02c569bcc43234c52e3c14158465c8539228abe191f20eabdb6d8b13f866d040c0a883b026c049804c1a9125f3efe7f910

Download Submit
C:\Users\Admin\AppData\Local\Temp\gswU.exe

Filesize
240KB

MD5
a53fbf8f11f0efd23bb287bdd8cbcc89

SHA1
5464a40abe0a248ab6f9a68a76a849b367aea6e8

SHA256
ac1f5ab2f465004667611441e929e1d3536bb82fe76fcab28f323ee71a54d222

SHA512
c2eaf0bcb4b1373bdad55c9705e03cd8e6e281df47d4c8db39bde9a85e70aa590f34800ad45e91ce7f507a1cfc713c518d3df35a6c2c2788bab89996cb652c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMEo.exe

Filesize
787KB

MD5
30170c37afeff81f6f18d50973c61719

SHA1
62f2313d6fa9cbc492492bb36064413d2c9f4bbe

SHA256
fc81d319e1fad3c330d7b51735afc65ca49a930051b6a7442e9ec38170521bb2

SHA512
c080da0e0489bdf5accb87d102aadd00a7d1136324c5b1c2054f2372eb4a74637b4805cbec91269cea77ddec0503a78244c147c000d7742a9be5e1072329c139

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcgq.exe

Filesize
244KB

MD5
72c4b6319cdbe867c20c0ea827e6a996

SHA1
072dfaf75a583ac62a08c468c643e823f0c68527

SHA256
62132f80ae10df82f167d99b2134a97f5de008c5a87746e2406ba27b95f69c2f

SHA512
3c033afcaa25d276026b678d3729288b5b51f997e30bbb7a35b083d045db41c1c7c4fc329971f95fc22c807694daf717031d831c9d07aa53089eba9b09623e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkUYgMAM.bat

Filesize
4B

MD5
c85bb64bf55d8606fdfc3829f5241115

SHA1
d77d3d44b21c9017e4bec784df3f4a9989caeac4

SHA256
486b4ab0a05340ac09cacd37d4a8a13fe176c9716758f0d81b9d6157c36a5815

SHA512
2b472ff0f94f93f24632ed746195fb0da7dcdcf36072acd706d6542ae29fee507df0e4d72acefe71a848e4347f9edfb187cfa0d0c84df68b1c0cc0e48d1b4889

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyEowksA.bat

Filesize
4B

MD5
e69e3d4a0704f8a430391e95a89fca11

SHA1
1cb6f3981eb06e97ad34b45812dfd5320b4f0340

SHA256
dcd5a2a63d28820055f4c148938fd060c419354672398f64bce787fdac1e8a64

SHA512
7856e840bdf7194ff33f815af19a1baf34822d29861c9f39b11547b2cea90635b2f184915573ef0c5646dece902e00e4f71ec828162311ac566fb1f922bb3467

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIAq.exe

Filesize
519KB

MD5
494a7b8e1b8af8166afc7ce3ebbb240c

SHA1
7795daea6f0c8a90214be2e5bab5c8889967134e

SHA256
534dd583eaafe5a9e1ff31710d07728a6b8d5799b04daaafb8c1d714a41b0bbd

SHA512
a86da8c882836228df15d7619adf8f94e01ccefde5545e6fd382937f3e25cd99d089b3b7748e5d49319c442a756a176f7c616f9ff4579345d5fbde78f4e9a7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMgY.exe

Filesize
674KB

MD5
55b751aa0ff846240dab1e4c7ddf9af3

SHA1
e0a51d97a4f6d0b9effdfeae10e01f14d1df3d29

SHA256
e7eba568eca13029832b9a84ad883758ebd5b7143bcfa5f24e2313401aed4337

SHA512
9c75060e4bab8547b2f35834d965e78214b3bddc55cf44599094eb23a54401dc6eae9bf9c706dacc4914068ebdbd69bc5a6edcbe5f8733ae1f4d0a4fa33ec2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMsYwAoo.bat

Filesize
4B

MD5
3d5e6fed3220cfc2fc95d819da05f9ed

SHA1
43cd1ef1a2809e4adfdf750d4a4b03b9c12f49ea

SHA256
37cf48ef1fbf4f7b25669ab2a209d28169567e64b744f2f948560745dea73f65

SHA512
9f85951a784e466c12ca634dc666015009e9fd6d13542394d420ece6a3b772bd859a2e8bb58ef52619a27229dabb5167b3a387d90a095363ac732cd4270072de

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOAkQQoA.bat

Filesize
4B

MD5
5580971b29d713d71b42fbb0345a5328

SHA1
68f6f8e1fc881da263c461233b056568dadaee51

SHA256
c50f91c742bb4ee9674e65ecbd7896ebaf82f69690653cc40d4d984415277194

SHA512
6124c71126356dcdde1a1a6e7f45615ea8cb326ad0035111a0bfeac32dfbc4d5ff67004da1d16765d083cead8c0d445d23d496892770bb132d9fa41225cf2194

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUES.exe

Filesize
635KB

MD5
4e9b97a17ffa86ef9aa3f8d8382ef01e

SHA1
f08de101aa7e6c690895bf6a8f8e20dd051fc42a

SHA256
86d0693abd61ff23f0d6e46a96ed77dc619ece4a12f5b6270c728471f919901c

SHA512
595983d8654bcbe4f561f89248045ee74c29b233f401199f144b18690061106b6a8412605c75ec812c36a0239b15d11508761c47d05e47e87a1917d5be7c38ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikUQIgMU.bat

Filesize
4B

MD5
385aab3bde712a9dd058d2ca01670137

SHA1
69bc7348df53e69c95ccb937e6658fc052185727

SHA256
316941830b5232419b76090caf34889ba4ce7724383a358df9d1320e832daf47

SHA512
7fde5e42bad6353805ab0d1a00066ee934a59843782f67acc3585f1ca243488114ba11a9c037b06118937b959b1c16efb237e6efee61787c014883911efa718c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwUW.exe

Filesize
242KB

MD5
eb83b44d0731f9ff8c6343b0cff63f54

SHA1
ea8116c5e2e84a85508708e9177e97f04d5bfb7c

SHA256
41eb059220608a913b837f281a4c2dbe07d84e5296f36372536d6c6ba76df6ce

SHA512
7fb01ecdda0f2546a1d573542d62616ca9b4f809dd9d6f6805f6708de3908e26c695af23ed21a229dd9f16b4c4ef9d2a5485152335b8029e07438669d5e5c0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jScAYUQc.bat

Filesize
4B

MD5
89d8f76c96035d91800c7b17de239d8b

SHA1
a58ac39aa75890bc30b36269681cb54de8c58cf1

SHA256
9979e509430c58dadbd74b490a6534c3d843a30228e0954df8e3a2782f4b234a

SHA512
a2c734f7987d665c1e54fbb7d2a558419e51c030988c0ba551ae4109dde6aa3dd9321745e8ef8ebae34b6124b03a610e55c2d4c10a8e5abb51834af93942d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkYU.exe

Filesize
248KB

MD5
30d885108d5b2ae370d01cd21013e1fe

SHA1
46a84b48b087421cba604123b5e0035d2bff781f

SHA256
89ef6a3eb02279fa2744c64fab1d0bf0c562cd98d5eaed663634fe2165f9373d

SHA512
093477d6e6d8911f09c6646dfaceac40aa9bcb331ffd2eb8c0be234fabaa98a1a0bd41ef4ffdafb1f32b3ebabaa3fc272319edf53ddf9913df99cd498e913a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsAM.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMky.exe

Filesize
236KB

MD5
ebe87dcf0c0fa569a1f926c27f938d5d

SHA1
c177a35628e2f571d6233508d36bf96cca062284

SHA256
68c55637514b6ed244fa136fdcda9dd6b55d4e13ec279876eb9ed5bdb90ab542

SHA512
fc39f7408fcead47990378a206bc03f21618667d25c2f5c135a36df08adf80853f2651291ccde62abd9ec68e11d3b5b6381acbd02b1aa1cb1f4e1fdf7a3e8323

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcAq.exe

Filesize
219KB

MD5
f8eb3388c27a662caec03d6138876cd3

SHA1
15f9a9f02d4c44bf41422da8c186e59160eb59b5

SHA256
18b00d02accc989ee103154e3d50b3b719751d7d8b8d46d4e0df31110193c964

SHA512
d128cb79feb3f3e54c11b13a3ba20e1d3500db02cb7dfa4787d63ffa98410dbeecfc0d9a77663ba78738719d4e86e29d07f36d89168ecb8e72ab0fb2249028f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgga.exe

Filesize
508KB

MD5
e0aa7620f69cd340143dcc3e8d7c628a

SHA1
412b3e3032c99b65e83bd1790540a3925518a250

SHA256
c1cd22992a5a21e6998a23e2aa94fcb2c4f34083447bea6ccdc3f8f0c02bfe69

SHA512
4364e0f83dc02dc34ad5192e8e0196d7777b04bffde360d5257ad161e5c14a68561ef2b357e49736324382f09478c05bed6744ef687b0d4510ee9e05166d64b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksYG.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUMc.exe

Filesize
752KB

MD5
b9cd46c65bf78d1fc93397b5355abf80

SHA1
cc64bb7af7b73386be4cc89297ed9d5d0ae0f51c

SHA256
23f465526b5392a72b6492c0f584e6053fb9347c1b5b9df446a7500b06a44d23

SHA512
03d083e250cfa5769ea8f4a864efee42c387885f9955adaed92d2a8de04a8f629e8edbac4b62a51febaf7da47c52d3b3083efdc1b8f0eae122a9a7604436c989

Download Submit
C:\Users\Admin\AppData\Local\Temp\lWAksEkY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lggW.exe

Filesize
243KB

MD5
41f04dba5f65d3509022a97f05272bad

SHA1
8e3a0fac48de2521653d09a1333436a0fb2ca1a0

SHA256
d5bc666a58f69fd8fa96c3812860a19dd42ef6b55c08a29c756e44c3eb51e57d

SHA512
543322d03543914667d3a1586af919aafb4feaf7393dc4d3aff3b0a5b71807a65244b8c95bbd3407aebea0be11343b8238a24bdb5119b2f41ebe6f2e1bf82405

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQwW.exe

Filesize
214KB

MD5
82c1712eaed3ba59e49c03aa9729ab32

SHA1
e4206ce48268344c544fa8442517dfd708723512

SHA256
03d44dec084b3ad1b49455e4f15de72787a0dd3ca9f1871ac5db1686712a97ed

SHA512
00ddc076b972b5de0ebf2113a500099b821448f93dd0cdac046a70f25e654842d1357d9e29875ca4a634ef3e0d7bb0e333f314e45cce68782e84d8fdfa60807e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUEA.exe

Filesize
239KB

MD5
f27ec1dfa9241cb408bf7d2ea484d25a

SHA1
9833ae99b31bdd8faa22073d40f7f1b785643a14

SHA256
241ad6635b9132544ab585ac5a3155f24df5a33ccc8f18e8ca0b511803e2e86b

SHA512
91e9d5d9cc7aae368c1e5d7c6edb70f23eacbbfcb4189547198c43e40ebfaed3e0cc35ffbbeebe2853a97a2d80833af96ee9909fb48cdb89824710b5cbd607ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmMsoook.bat

Filesize
4B

MD5
91fe4eaa8add262e2485579598efe49a

SHA1
cf982261e5f2124d37f080c38d4db6204752740b

SHA256
1724a86f6ca18f64fd57a52eca289d14c54f223511b8e7e4c78af88bbb5db020

SHA512
b23a058ff85bdec052601b7731fc6ae1b3e6445fbc9ff570c4766dbd3b1344d1d615b21ee2139d182962c14026ca955dc984b7be5ad41a3513c2c29841edca0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAsQkgUY.bat

Filesize
4B

MD5
22a9e1cc212e8ce91845415bf122cbb7

SHA1
e2f79bad789dd9c5384488f58b8b9d5166fbaa67

SHA256
f5227ebd1440fe8843a1895b2c0b7ec9ddf399fc6063fb74900e12246633de95

SHA512
3f9d698f8319d71a713e6206339fbf06cc72d5269bf240cc5514cdc2d164cf7053e99a22dce8fc90ec1b6ba947a66b5447cf7a663f1eb7c7992dc84fd7b0142d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMAc.exe

Filesize
231KB

MD5
2e032a46e2730135cabfda9a4c82d2b7

SHA1
7d5502c5ad5bb51fe9846032f1ef3d4f0cb731ad

SHA256
7cb0f1c3eef16aa70f023189f8675fe9ae501dfd146211484f7589c59d47b598

SHA512
093b32433971eab479c3693de8408e8a0aa054add9d6ee5af083427f2a0800375b8c884fda7e20d4d175e6f9b8e2d696572768990fff211165aa15b442cf83e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQYo.exe

Filesize
240KB

MD5
2c6a7ca3b2ecafd769fd154e834d3bed

SHA1
a2616441f70bebea770e94932c5a753bef5af0fa

SHA256
c3757c7d409b0277a79ccbf6a4333d854cda427260b69b54dce4d9f9bd70083a

SHA512
9ba48f0827f8c668954e50070c30e1383a35fd9f70c284bb6e387f17807920401d90104db25c70fd5494b59aba120349aa5b6627d7b8a207a31e0e12c26de6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQcgUAYk.bat

Filesize
4B

MD5
ccc0da871676e4e50f26374a4244bc53

SHA1
4b0b786f13ea639805b0a9122e73c6407706baca

SHA256
b144558c2474cde301ab6c5fd6d8bc8b77a983e3d2f6e7100446389194aa8e89

SHA512
71aced4fbabd70356ffbf8c00aa2ca0c6f099a993f569cbe61c40835a33bee4bdfaeb465d8790e43dc725e3c106d9c1218d389f7295d6298084b87f623165a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYMK.exe

Filesize
228KB

MD5
32bd6e77ea1bc84ee612f680a9b3c0c6

SHA1
ba35dcee9b1acf92dc3fa6c890e63e7aa4569644

SHA256
c7cd0c43b0dc58bdf21b27d60f47caebf702d717fd898f7576e4c4fac67559fd

SHA512
882f321b89871a66339dcba3cc9229925e54f644535fe164b6aedea9599f7aa408662a62a82ccb0d065cdf0035a34969f95410cfa05852190b6eb42a31e36823

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkEMEosY.bat

Filesize
4B

MD5
bec8957318334e06b263fbdecdcc34a7

SHA1
b8ed091b6cc0d0747fbf34c3bc918dcd34e5abfb

SHA256
5db19b5727966af5652d7e54137535d7e3542a88a5140a22481ea7e50ffce908

SHA512
a1ecccf7320033bbcc86ee3a0b0f5e372a52883fc99001a811017d856ba4db0bff2a54eb1f381f5dfd9db708a392b0ed98f14cf3bdf438b498048da46d0740b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkwM.exe

Filesize
238KB

MD5
b5ac34c75b8084a219e3be64687250cc

SHA1
3e02b66dfe3cdfd54ec0810684dcccef74e4d159

SHA256
353f55cd57204bc01a5faf8356d5e94f0b7a647e8fe714eb8b4b1cdfc5bd6fd1

SHA512
d64e2e2eb77d69e428be5dc043eb36f058c0438b08b72354a14d46383ce3faf6572167d0b754bea437455453f7fb94cdc88334450b40b516d0a7315a9370e007

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIgq.exe

Filesize
1.2MB

MD5
73daeb54b58c289fffe64a478f167749

SHA1
f9339c9450a95258385f9de2ced8a05ecc1b6eb9

SHA256
43de44ff6b9ffe2293fbd4c26ccd9d883a876139a2f52b3941f51add4bc7f6dc

SHA512
d6579cb87890966f5e73f1722c16941790203a95d65861329eaaeb7113e89d61b3b7f0586c156c6666e39e48f8e49d869c3250060d3645fdb62b63c35886060e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIsYsoMU.bat

Filesize
4B

MD5
ee544d2d89aa3fa9a566a0c3e3f3f2c8

SHA1
f3e14fc9edd4e21caa3f0702720a3f21850e96bd

SHA256
a84bcc877568c084830958cffd560cf3dadc8aa165eb4deda329d4d04af779d5

SHA512
aba5b857109d7fa5e8e8cd132134a249990440a61f088a9e0d6e2137584a437182dd72d50e9f575601fd1dd342ce96d8f28c8bb583efb5b550789f25980048e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qecYswcc.bat

Filesize
4B

MD5
dda16faff1abdac708a6722cbc5b210a

SHA1
2e581402fa21bbb09ff3df43ec61280324541aa0

SHA256
a0c5e1af7ef763dcd7f81e3771b76614ad121676aadfba8a01e405ea3c18958c

SHA512
5cfbf9d2ea1c13859b40f6524612a4b046e4540d51294be5da555facd32fd10321e581b75c7d9db43f67261e6f1a3cb20e29cd0d8b8fd77b793e01ce24c0e21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsYMAowk.bat

Filesize
4B

MD5
75cbfafc2615aae52a3fd03bf5a69e0b

SHA1
f2103d53020ce9b9bebed0d6f666070b3e830aa7

SHA256
25daefd0fe5646ae23363ca1c04fa90be750a43b83aaac009bbc8af036a9f765

SHA512
4cb8904cc136274435ccd3d3dccbe6c2db34c3ffe89deab8964d795155af679351719a94ec1106420a1c6004fb7585e0a3bb3e698aa217fd3cceb851b660934d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEMI.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rKIgMkoM.bat

Filesize
4B

MD5
19e320ad7cc43ab5d741307bfcd8f529

SHA1
de76e6c7e4c8d4024178bc4725f81063c8102313

SHA256
05f0ab1f822325ffc93780a5df5f737963c9c77bd84e3ef9df4250a8c3fa2222

SHA512
57c370c4bf8d0bbae3d8b39b693d64b6e644c62f48bae6aeb35706b24be5d42fd88668bc171ca49693ac283676beee17f4079a647aa62f7d510f5df205f1404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\reQsgcEY.bat

Filesize
4B

MD5
122b248af28056ec7b5a1c938e76bfe4

SHA1
9386d3e7d4c5cbb8db8b274925bc806befc0347e

SHA256
0e8d8ad216631d5a724a47c9250eec8a6192ecdd8edbde9ba2d812f5540b1ad4

SHA512
db8fbfca1e6ac373584be18a8aafb929632f198cfbed183f860dae8a770aa65048107032a23b4876332ab6079549eb679ad334f248b1a374ef336c71e0e09f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkQA.exe

Filesize
243KB

MD5
ef452e566f04492d7f0c79fde0aeb0bc

SHA1
7492f060b2cd7a323434de8bc30ecd4c50af0742

SHA256
67d44ce0d3b2258776ccb167d25cfce5aef86e0b262ace5ef4a671066b57dfc8

SHA512
52257003089b32a905fc0780d692ed71b76e5a14058e568851aef976b5af2a0db419bcfd9a8278a03a4e0de50483e00920e194742d3f096c9ad5f9ba3c9fffd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwEe.exe

Filesize
323KB

MD5
81d5496d3164c1d3ae8e6a73283ad7f0

SHA1
137e76996769633c5074ccdaa048aeaa8c0e5c87

SHA256
affd4396fcdcd5519b0d1788f57a4eb9b79210dba3feb64bdc7a2f826a3adf67

SHA512
0f3b249c19f5334e51b5688c9718286d6e3075354c803ce56afc4846483d5d1660ffd7099b59c8ebdae48134a5f0f9a985f0df5e768d1e12d5937ff738bceef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sOUkEoQI.bat

Filesize
4B

MD5
1bcad2417dd873d49f24b8559549a475

SHA1
63afe016e82105c3a4f626d12f961899c016068e

SHA256
4b517c862fcabeccc752f41df0b211bb5d54b2031ced04d068158cf017f57167

SHA512
55d29a5b3f889f1804e157160ae3f7cd8098fc9dd5fee4aa9b85b2069faea9ef661a93e742815a1e92daf32bf0bd08ee2f9575e9c9329e1d21d13ec7b2acb340

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSsYwcYc.bat

Filesize
4B

MD5
0520214a5a6af5ae5ec06b08af1d42df

SHA1
45af1eb54b44500ff929daa47ea5ffc9209c1d56

SHA256
c09850e39e3d2c4324e12deb9e4d65c94db9dd8185008b4de613e09a31b88abe

SHA512
3b71215f1e5c22e00c0c8d990e9b6375c09c696126c6f8f6a682c902817c8b6303f56dd901561ab2f930824bfa3fce317577d5778fc0c61cfe7d1c7250bed149

Download Submit
C:\Users\Admin\AppData\Local\Temp\sacAYwkw.bat

Filesize
4B

MD5
05b490370490ed66f36334c37a6b0834

SHA1
51ebbd8556bea6a66462aa0159e00bd4455c4d23

SHA256
ea8be25907c925b876d82da42ead8edea6d6933ad68b19db1dc5fb9053d32b85

SHA512
9649648f63439842590149354e10b9c627545d9a9cb66d7279dc19ac5877b6b1351487f6772dbdbecf9764e82e3aa0439bdc62b884e923e86e174d1231e91b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOogIkAY.bat

Filesize
4B

MD5
88f129d11ebac791581c74059f304713

SHA1
a8d4e3c27311479d04e99358ee8d3e30bc8f328a

SHA256
1cd7dee667d9513914270d9769909cd6939e78a9c3fba4e28d1ed6733933ebbf

SHA512
46862f50dd37ef04e051180556164af3429da0c75f16665d42a40875ffb43b5999147a585b7e7432e99c504e33aeeb5ab51f4aec33c288919682d30003ba1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgMO.exe

Filesize
1.7MB

MD5
34deb012c619f3c68e774d9513b1f887

SHA1
b9c051ea7cfa6cc3cac499dd063506d868041a97

SHA256
c51de9534fd997eb7b5c5457bea639276156e6f7cff72bd0ad12f11747d9d0a9

SHA512
5ecb3d0f889380646f325fe144e7b776bfaf0f2005291807380335b735c9d67970fa4cf157a9547fa4f58ce5fef32800f3d9dd1b04099bacc6b24bb35879f7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\toQu.exe

Filesize
236KB

MD5
b0f65215e46470f9ea0694027cdc2e7e

SHA1
66cf976416bf78435ec9620f461e939b8ade51f8

SHA256
e779d4857eb8d807d9628097b37775e4e667172def518c9d8b14cd0e991f836c

SHA512
270e09aa40ef6918b8155ce63e650bcc10b320d9e562b742de8265548a28c5c7cce0b373574354705d2823d144e885dfc8b2ebb73ac2be047466563f1e94ec37

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEsI.exe

Filesize
226KB

MD5
97b3439f61c40633aa9bff5183ce7aed

SHA1
d2ecb3b816e02c60374c8bb0d85fb666594a06be

SHA256
fe3e8a71806425ba8095cd871a86172c7394df9aded12c88ae93abe4a8461191

SHA512
8aa2fc12e4c155fc720893bfc2c61ef37e2c6704ec8dda239c9623fd8dee75a629ee7068aa6d531ce5b1027eaaf913d7900a4accef4b2b2a636e0d71e933cb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIMEIgwQ.bat

Filesize
4B

MD5
88d28354ea720cdc7383bb590bc8849f

SHA1
6b550f6e5536416ef57c295e0e94ff66bdc76df2

SHA256
1d53d6167dd77b419671ad1be940545a293ff171dd3d4bae8d7694a365116ac9

SHA512
af19cab56dd150850c2ec8e46876593ba4e3fda06241e26da414c09615187b58e7cbdce695ef71e3b60d57a63818e651485d50e81a3d64553cb034ca6c32c34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucAI.exe

Filesize
212KB

MD5
4829f3c68bf5bdb07b031873ac8b3e6a

SHA1
d827c6f4710673c4d8c9ea365cf9de098d457a09

SHA256
c1c7b8510ac5f275d633b1ed1aeb65698275ffe6cbf5dd7d622b1280af594775

SHA512
25b0c39988174b043d93236c4798fcfa55c88f24eeabf83d94bf9b46f7108db3afc04bb54f4657912b19adddede024bf23ef228ffe8f4ce0b67f0c56a51ba381

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucMi.exe

Filesize
597KB

MD5
188820ae95e272d56cba619e7f06379a

SHA1
2d68d0dee4e9f7c12a067850358d2d59d5cd2ecf

SHA256
8210f2ce183445b0dd095df37b64c6767fd38982d0074e8276264659b80dda9b

SHA512
248d3e7c645ffe747bcb5cd72dd0341a5dec51b97eba2569c4a054a9771344ad62d0859018b32458ceac3b64084c4800955b54c00de623974b4ee0bf6a4b9268

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiQAEYwM.bat

Filesize
4B

MD5
6ca1151a4cd6b5e2eb9f10476ee13d96

SHA1
10df9a37d9d96047630764eeac23a0a6c80e14ca

SHA256
d1e1462436f53a1b4b185cc93012273f16f4615a1b30ee3c885721e0cd1abe0d

SHA512
ab07bee0bf775940e6f27b55e8e752fbf627b9a0d30090f611155091fc7cf93a5c09b4406ed8ff6fbb2e04341e80700efece04ade1fe9523aa36bf79081c2d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAsW.exe

Filesize
240KB

MD5
00430bb05418d839b70c5f922f0c8038

SHA1
5ef35131d1d6fc2cbe96aca1940c9f384e85f5ea

SHA256
87b490b2537e7643338a8a29e3eeffcaeb4d37fb7727d9b80ae48bd626fd510c

SHA512
9e2e3a46b07aa9aa955b2fea4077abb0f42249c0af9a2de45ad38bb632846659e3db28e3a23878ff91d5921f8d3bf2bdefabde9136b8449414671e7d22e6f5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEAE.exe

Filesize
242KB

MD5
52a4162b394f5626a8f8d92640b945a5

SHA1
3860d508d6d6715093fe246844680c38d7b330cb

SHA256
143a073e148d803e959ca065e9401c20ec9a010597288ef71ed2522be237f1b3

SHA512
422e8658eeb2839311375de2a2a0e57dbe1aba9b811ac7ba46c63f2af5f1ac07aa10417cf5c2c30bac7c3ba814b31a316e31e2bec941ce25fe5d2b3af3f9309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMMy.exe

Filesize
624KB

MD5
206c437db92837a1242ecb98bb7d9ba9

SHA1
635b9b238ee304b8e632710977b25bcdf5709f4e

SHA256
6971c2c9cc0d88fdd885e19fb822e09715c6f2464f61fa5df541a13933f107c3

SHA512
92b543747a935140c0375e935f4c018a798c63f7c0db8ac7272693e893b47892915e732b11da2b1f87ad835efe31257cda47da2a7f70806ef760cce48e864280

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQoS.exe

Filesize
4.1MB

MD5
2b71ec9acf0021f2fc6cf8082fd6c51e

SHA1
e3a570f08f56215b019815ea6ac84a65f5855f6e

SHA256
b6b9de1b476ad1ec2018e4cd39d27f9a59ab3d3dccf3735ae85e4383d5a4bf81

SHA512
d544c995c2a6d9e9d171a592e9b9e9408a819e5d138908c136b9b8e5234c3d3a47cd73a70c2a914764385bd83cd98c967fe156b404071b561a387757b1d3b539

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUoMQEMU.bat

Filesize
4B

MD5
ec1b5734a546af8289fcd10f417eb645

SHA1
77576a291f8a74f7437cba43a525509e5cd603dc

SHA256
4198fe562be39ea993fc77904221fddf53f69765848fb7cb3c69b4dad9cfa824

SHA512
e7cce126ca335a57386cdb1ab27767d848371b8259357752c80c84315e163761397ce3dba800e2c7b13ee05aa9fd3de412f69bde849a8efb8db21e7d8a833721

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYwc.exe

Filesize
237KB

MD5
522a2c988e241bc965fc68688f500b08

SHA1
46ffe41d364c86aa1865a574f572e5e618605f78

SHA256
1a179edc18b5f00bcd052706a1b6c7219f86360f1e2f3b4f9637bf556a115f95

SHA512
3bbeea01b9505114ffa3ba8cca4d170c9180c9929b4375a98674af54311c821315f43374ba73ed3cb379daa81cc72e8e6190996f85805e4c7dae175a03d6013b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcoI.exe

Filesize
252KB

MD5
40318edd635de7c056f96bc971582804

SHA1
19e7c8d36cf4cc764560b422620c1507b838e122

SHA256
6ff6396a86dee96c1bb7ebb9bbfb8ddf1f7055eefcf208d571d1314dd664e57e

SHA512
caf379d43be2b62a10a68368c71c2d737b6b780bd7a6e496488fd62610f9e8249a99eb245912d2a7374046129ec645e85e6a989f47af2363a78ee764460c957b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkYw.exe

Filesize
233KB

MD5
e03bf62f2b645d477d102bea7f713364

SHA1
5f52f9284c3be6fed818ebae604698d3b9c2e268

SHA256
430b73f6c1a847a3aad97df4764cb331b7c136a4e7911f5b63947ff50f5a23e4

SHA512
c316a5091238927cb6f5c82ff8bcee8718aefecbe9da3244f9a5670885e596dfcb91dbe57316e42a422aebe24f0b929ecba6253558770e9cf13b3830d9166c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsMI.exe

Filesize
249KB

MD5
81b86c301e4b805e038145a6d49190ff

SHA1
b90c0675afdbd90f7e306025b94573cc6a0a8eea

SHA256
c144c03109c6b19484e1d72ecee8b63f9d725bce2070199d8f3bb2cf3e65f71d

SHA512
4bdee2883f989456e8a2a53ba852a36d5f4f1edab69dc5e7d4640560c42d2f2ea1d3d76ab9e27968374fb9d6de63707d80461821e0d321f3f85660997b39b6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vucIIoMg.bat

Filesize
4B

MD5
4394b95c287fcede217dc15fa8306147

SHA1
ffdcf8a31640e0c8a03e547d950491df5766a474

SHA256
18b8d66a141cf7ab59f77b3a4dbf91f9c44bcee020ce64b8cb411472f6cf1b5d

SHA512
b98fa1439efbf5c8715c16b9eb7d76b97c45584a1a57f1d5f92e961ebf8e52bd31b22365608dd10d3311f8ff911f40aad560c492b672aa3401c9bd3164d8af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcss.exe

Filesize
946KB

MD5
d26143175028527abd583c6c419597f7

SHA1
0888128ec7107791cfc10f4e7aace283ee3f905b

SHA256
3ad9d5076198f3c8d202c9484008b6f8d17d0fae097be1352f51cbdc934b99cf

SHA512
69a84e473f928afdebb600a94809bf2cc84c2b5e451cc3c53b92d063125ea7eccd2eaa242cdfa58f489d1e3fc80aeaac266d0d5143ff695829a64f9776c7155f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkcu.exe

Filesize
1.2MB

MD5
0c8b6008d708b6433f877ec6954a8605

SHA1
12a813860af08a58dc60da7289615ccf19379937

SHA256
34624adb39413466fed7ccc18a842ce0502bbd1ffea12b828f94a331133daaba

SHA512
4453bde709849d487ff828ccc19bf68c47354e5dc9a6d1372a3672beb3aefbe0cfcaa7ce4ab4687acd87ef6069703c7436abb81a2a76c2c5d50aa55a010d0d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAYQ.exe

Filesize
475KB

MD5
0e33fc2ef811aa3311767ecd3ccd5da3

SHA1
d6410854a23c5e8d03e48149898fd99be33d7536

SHA256
b2a502155e3d309df66977c0471821634b6bd668e397096a15576098e2bcda9c

SHA512
778022414dd53cdf4a62b07c8acd5025a9e0d298447042064c0e2dc55fe8b3adc855db9688feb85fd11a1b9d54a549160a160707460dbda1b5df9cac050ac333

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEgkEssw.bat

Filesize
4B

MD5
e0bf439ae90a2d59f258f2bd8d635560

SHA1
1c90c7c5be140458ee45f8127c992bcb6fb851cd

SHA256
23c226d796a43faf7e999ae78a3cf662dca466d7d9555a70f0841e3158bd68e6

SHA512
14b1dd18bb61f29a692715334f908acca33bb87b4564815b26d820e7882b4722c58638973986873a298e627f38095c295cdcace40059edc15db8de4dc38cf330

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgIkUsoA.bat

Filesize
4B

MD5
ac39cf2dcdbad580b3decddd1530b19b

SHA1
870b62fad27f651c0e116717444e1d62077dc370

SHA256
50845afc1e2f2549e1dc935140831ec50deb4f5e9483609493dd985e9172fc97

SHA512
f78e32dfa0c8c764ab05d59b4d096c5d926fe29fe45134e071ff7d5b17ba6c1aa08b84423fc8450c2ddf9677f17f2dd6bf0cafa0e35c5e5b0722c50053ac22f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAsS.exe

Filesize
241KB

MD5
b55adb64e34cb374f93a1f525355aae1

SHA1
876b72410ba21a44991f22ce79ee5f5ed75c2096

SHA256
8071b6a8409e81a912aa849a1732d635fa30569f821ecacb4b1ccffef67c1d11

SHA512
e85a3978f0bdf853672252146e821f2ea96102ed2e2c020a64cafeb74f30e777f55cde7db0e87cb2ef31ccb8c7af44ba6623cb00d281d4c5a0955750edce4b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykEG.exe

Filesize
242KB

MD5
7c20aa8ed41f564394b7963c2dbea86b

SHA1
ff213756fef3cc375054cc47ac24ce256ae2a8b3

SHA256
8b577229c312a8d92d166cf4b45ecf8c5954bd8f045225a19c09a177a78f923d

SHA512
6e3f3379b1990817e2e27f878874e60358a708fa8fc5f7972c1c229e9241c0e53cd8f00b6763fe368d6fc935ee67f61c2fa5a35afe498be49af3a841c5e9b13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zokK.exe

Filesize
229KB

MD5
984a32c5ab6e2700abcb4221ca709e4e

SHA1
758a0688b5f06cc6145c224d40ed79cca0a2763c

SHA256
a50970b7eb09f43dbd765f3e0d34d6ff34929ddbce4a849c5f70b98fcacf0db3

SHA512
01582911e9211a8c8fe32bd816abcf5c1ff8e6729f54e7497ae877aa4389a74e93bc7f3ff2bc25db4df71fbbbd75cce6df8414d889c619223b747dc901c1a9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyUYkMEk.bat

Filesize
4B

MD5
b0433d0f8ba47de2d59a28f651e273bc

SHA1
4ec86d9b8b2a69b3eea66893c29075b51aca23aa

SHA256
bdbb5f424f742552c27ccebca4e79468357250c1eb4628bf523915b6b60dadc3

SHA512
2e29b449f289318facbc073215653c1ef7868733fe47f56602f779c36e3195c6b6d93ec9b5ebc5b48645a9e7acca34ce76c9abd1d49dc0dcda553f5d79aca20e

Download Submit
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

Filesize
4.8MB

MD5
3976b1b81258dfd48168f022f161cfbd

SHA1
6186ef4e13c9897cda830d63f89b09d13d735b75

SHA256
4cc7a076c42750ea8dbd3a69c7a43a5ddac28b90f65eec99364cd8fa22d356a0

SHA512
eb313ea2e3cf5c7611df6458768a937a233afa7f612adcade2a3d2e210cc9a1dcd7b044b32bcd0c0d16d0de99c75c9c2b2ac8ba94f8582ccb18146907a20c70a

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe

Filesize
771KB

MD5
64e9155e4606bf10ce7c15fa334da3d2

SHA1
18ad77bb6ccd22dbf274011cacebfbae8183f40a

SHA256
c7af2f7df446be3d29fc395d80b9fd09c7f8ced55a86253bdbe6fae3f117d80d

SHA512
d52d399e77250e81937f3dfb69d67a09f7e991e29ee0142c4fce06e6f4e29d82d1696e61f9d664600496ec91631b71016e38529c9f26368651fac2898792a1f1

Download Submit
\ProgramData\raAcwAUo\jeskAUAI.exe

Filesize
193KB

MD5
f17e0d58d6ca7deeeac0109411c422c2

SHA1
6c50315c74c87835ad0dac31f859479e465ab5c4

SHA256
4d859a394c1e7b1534f0c1c956693c3cd72a62e102ba34a811d65212c401ca5b

SHA512
a89d278a72c440aaeeb86d5dfe87a97134d80183acc5f72ecfae05ae4e2f542f157fbef7b5e35ba8036b66b1e4f3b28415b8b81be0977871ddbe85b33a0a3524

Download Submit
\Users\Admin\rigIsYkI\zGwggQIs.exe

Filesize
178KB

MD5
6e7166ec669528ffb91ba534caa28a5b

SHA1
64979b573fab0add9e76dd96d3802fc5e03c15ac

SHA256
699789eb2d85d03251ebef3c769a392e434d18b10e1bccc9f80db2df89d74ad4

SHA512
3fb4df4434209ea0120855072a333d5a7f9131723ce5e1f6eae052ac5de7acb8efee7fdd19ad60f01b87daee65f870b70d6c237539bcdd3a41c5736d9e034d44

Download Submit
memory/576-225-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/952-131-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/952-161-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1080-162-0x0000000000390000-0x00000000003C7000-memory.dmp

Filesize
220KB

Download
memory/1080-153-0x0000000000390000-0x00000000003C7000-memory.dmp

Filesize
220KB

Download
memory/1088-83-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1088-114-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1188-113-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download
memory/1188-451-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1188-419-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1188-104-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download
memory/1192-139-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1192-115-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1196-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1196-258-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1632-373-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1632-401-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1696-186-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1696-163-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1708-285-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1708-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1732-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1824-347-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1824-345-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1968-259-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/1968-248-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/1980-13-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1980-5-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1980-30-0x0000000000470000-0x00000000004A2000-memory.dmp

Filesize
200KB

Download
memory/1980-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1980-43-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2128-427-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2144-282-0x0000000000160000-0x0000000000197000-memory.dmp

Filesize
220KB

Download
memory/2144-281-0x0000000000160000-0x0000000000197000-memory.dmp

Filesize
220KB

Download
memory/2248-178-0x0000000001F10000-0x0000000001F47000-memory.dmp

Filesize
220KB

Download
memory/2248-176-0x0000000001F10000-0x0000000001F47000-memory.dmp

Filesize
220KB

Download
memory/2332-257-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2332-226-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2344-332-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2344-312-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2352-440-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2388-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2480-82-0x0000000000160000-0x0000000000197000-memory.dmp

Filesize
220KB

Download
memory/2496-348-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2496-381-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2540-210-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2540-187-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2588-324-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/2636-202-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2636-235-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2668-200-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/2764-371-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2764-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2820-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-44-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-67-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2912-57-0x0000000000180000-0x00000000001B7000-memory.dmp

Filesize
220KB

Download
memory/2912-59-0x0000000000180000-0x00000000001B7000-memory.dmp

Filesize
220KB

Download
memory/2924-91-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2924-68-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2960-307-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/3004-357-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-333-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3068-35-0x0000000001F20000-0x0000000001F57000-memory.dmp

Filesize
220KB

Download