652cc475d34cde0f13c4b5640f43ee7908b17dd117a6361c07d2f04787b4c826

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
Size

212KB
MD5

187a052ff11cb16228342428d241f1a8
SHA1

fae50f317e402eb991e700f7133714c5409edabd
SHA256

652cc475d34cde0f13c4b5640f43ee7908b17dd117a6361c07d2f04787b4c826
SHA512

3e52a272c7d1a00ff4e8b13329a379f3232932db9aece327db4fdbdff988fed72576036aee1ca71028d6b96532ed6e6258ea14624a3475240913bddb63ec2288
SSDEEP

6144:EEd+RUDTBLse1t/yh/QdSM5KslH3v/9Od+HFHiI+pu3:EE53BLsOQQdiE3v/9OdiUm

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 5 IoCs

flow	pid	Process
36	2904	sihclient.exe
40	2904	sihclient.exe
42	2904	sihclient.exe
43	2904	sihclient.exe
48	2904	sihclient.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	TYwAYMcE.exe

Executes dropped EXE 2 IoCs

pid	Process
1612	KEUwIEIw.exe
4952	TYwAYMcE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TYwAYMcE.exe = "C:\\ProgramData\\nIYcMQYE\\TYwAYMcE.exe"	TYwAYMcE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uKYAkocE.exe = "C:\\Users\\Admin\\piYUkUkc\\uKYAkocE.exe"	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eSAwUUgA.exe = "C:\\ProgramData\\JycEkggw\\eSAwUUgA.exe"	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KEUwIEIw.exe = "C:\\Users\\Admin\\NccgwUYs\\KEUwIEIw.exe"	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TYwAYMcE.exe = "C:\\ProgramData\\nIYcMQYE\\TYwAYMcE.exe"	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KEUwIEIw.exe = "C:\\Users\\Admin\\NccgwUYs\\KEUwIEIw.exe"	KEUwIEIw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1132	2700	WerFault.exe	588
4588	3592	WerFault.exe	587

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1132	reg.exe
2944	reg.exe
3356	reg.exe
3304	reg.exe
4756	reg.exe
4776	reg.exe
3344	reg.exe
4716	reg.exe
2400	reg.exe
2100	reg.exe
740	reg.exe
3868	reg.exe
1552	reg.exe
4940	reg.exe
5088	reg.exe
3240	reg.exe
3808	reg.exe
4232	reg.exe
4588	reg.exe
2824	reg.exe
3944	reg.exe
3140	reg.exe
5088	reg.exe
5092	reg.exe
1412	reg.exe
2864	reg.exe
3912	reg.exe
4620	reg.exe
3052	reg.exe
2268	reg.exe
1356	reg.exe
3612	reg.exe
3408	reg.exe
1740	reg.exe
3376	reg.exe
5044	reg.exe
4780	reg.exe
1480	reg.exe
4100	reg.exe
1572	reg.exe
1228	reg.exe
2652	reg.exe
4108	reg.exe
3032	reg.exe
3784	reg.exe
2284	reg.exe
4212	reg.exe
5056	reg.exe
4944	reg.exe
4476	reg.exe
1012	reg.exe
3552	reg.exe
4976	reg.exe
808	reg.exe
2412	reg.exe
4196	reg.exe
3256	reg.exe
2612	reg.exe
384	reg.exe
3476	reg.exe
3356	reg.exe
4836	reg.exe
2128	reg.exe
908	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3124	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3124	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3124	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3124	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1148	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1148	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1148	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1148	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
740	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
740	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
740	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
740	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1420	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1420	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1420	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1420	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3960	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3960	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3960	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3960	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1076	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1076	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1076	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1076	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3696	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3696	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3696	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3696	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
5064	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
5064	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
5064	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
5064	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3248	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3248	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3248	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3248	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1436	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1436	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1436	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
1436	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3192	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3192	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3192	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3192	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
332	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
332	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
332	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
332	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3124	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3124	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3124	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
3124	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4952	TYwAYMcE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe
4952	TYwAYMcE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 1612	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	87
PID 4272 wrote to memory of 1612	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	87
PID 4272 wrote to memory of 1612	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	87
PID 4272 wrote to memory of 4952	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	88
PID 4272 wrote to memory of 4952	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	88
PID 4272 wrote to memory of 4952	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	88
PID 4272 wrote to memory of 4280	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	89
PID 4272 wrote to memory of 4280	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	89
PID 4272 wrote to memory of 4280	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	89
PID 4272 wrote to memory of 2540	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	91
PID 4272 wrote to memory of 2540	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	91
PID 4272 wrote to memory of 2540	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	91
PID 4272 wrote to memory of 4600	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	92
PID 4272 wrote to memory of 4600	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	92
PID 4272 wrote to memory of 4600	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	92
PID 4272 wrote to memory of 3784	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	93
PID 4272 wrote to memory of 3784	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	93
PID 4272 wrote to memory of 3784	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	93
PID 4272 wrote to memory of 1752	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	94
PID 4272 wrote to memory of 1752	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	94
PID 4272 wrote to memory of 1752	4272	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	94
PID 4280 wrote to memory of 4448	4280	cmd.exe	99
PID 4280 wrote to memory of 4448	4280	cmd.exe	99
PID 4280 wrote to memory of 4448	4280	cmd.exe	99
PID 1752 wrote to memory of 4032	1752	cmd.exe	100
PID 1752 wrote to memory of 4032	1752	cmd.exe	100
PID 1752 wrote to memory of 4032	1752	cmd.exe	100
PID 4448 wrote to memory of 1408	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	101
PID 4448 wrote to memory of 1408	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	101
PID 4448 wrote to memory of 1408	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	101
PID 4448 wrote to memory of 3108	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	103
PID 4448 wrote to memory of 3108	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	103
PID 4448 wrote to memory of 3108	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	103
PID 4448 wrote to memory of 2824	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	104
PID 4448 wrote to memory of 2824	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	104
PID 4448 wrote to memory of 2824	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	104
PID 4448 wrote to memory of 3172	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	105
PID 4448 wrote to memory of 3172	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	105
PID 4448 wrote to memory of 3172	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	105
PID 4448 wrote to memory of 216	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	106
PID 4448 wrote to memory of 216	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	106
PID 4448 wrote to memory of 216	4448	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	106
PID 1408 wrote to memory of 2380	1408	cmd.exe	111
PID 1408 wrote to memory of 2380	1408	cmd.exe	111
PID 1408 wrote to memory of 2380	1408	cmd.exe	111
PID 2380 wrote to memory of 1044	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	112
PID 2380 wrote to memory of 1044	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	112
PID 2380 wrote to memory of 1044	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	112
PID 216 wrote to memory of 1076	216	cmd.exe	114
PID 216 wrote to memory of 1076	216	cmd.exe	114
PID 216 wrote to memory of 1076	216	cmd.exe	114
PID 1044 wrote to memory of 3124	1044	cmd.exe	115
PID 1044 wrote to memory of 3124	1044	cmd.exe	115
PID 1044 wrote to memory of 3124	1044	cmd.exe	115
PID 2380 wrote to memory of 2352	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	173
PID 2380 wrote to memory of 2352	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	173
PID 2380 wrote to memory of 2352	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	173
PID 2380 wrote to memory of 2272	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	117
PID 2380 wrote to memory of 2272	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	117
PID 2380 wrote to memory of 2272	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	117
PID 2380 wrote to memory of 4100	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	118
PID 2380 wrote to memory of 4100	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	118
PID 2380 wrote to memory of 4100	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	118
PID 2380 wrote to memory of 4652	2380	187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe	119

C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\NccgwUYs\KEUwIEIw.exe
  "C:\Users\Admin\NccgwUYs\KEUwIEIw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1612
- C:\ProgramData\nIYcMQYE\TYwAYMcE.exe
  "C:\ProgramData\nIYcMQYE\TYwAYMcE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        8⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        10⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        12⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        14⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        16⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        18⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        20⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        22⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        24⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        26⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        28⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        30⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        32⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        33⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        34⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        35⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        36⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        37⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        38⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        39⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        40⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        41⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        42⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        43⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        44⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        45⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        46⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        47⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        48⤵
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        49⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        50⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        51⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        52⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        53⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        54⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        55⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        56⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        57⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        58⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        59⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        60⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        61⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        62⤵
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        63⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        64⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        65⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        66⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        67⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        68⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        69⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        70⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        71⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        72⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        73⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        74⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        75⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        76⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        77⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        78⤵
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        79⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        80⤵
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        81⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        82⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        83⤵
        Adds Run key to start application
        
        PID:3296
        
        C:\Users\Admin\piYUkUkc\uKYAkocE.exe
        
        "C:\Users\Admin\piYUkUkc\uKYAkocE.exe"
        84⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 224
        85⤵
        Program crash
        
        PID:4588
        
        C:\ProgramData\JycEkggw\eSAwUUgA.exe
        
        "C:\ProgramData\JycEkggw\eSAwUUgA.exe"
        84⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 224
        85⤵
        Program crash
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        84⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        85⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        86⤵
        
        PID:2580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        87⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        88⤵
        
        PID:4212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        89⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        90⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        91⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        92⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        93⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        94⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        95⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        96⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        97⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        98⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        99⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        100⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        101⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        102⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        103⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        104⤵
        
        PID:2400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        105⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        106⤵
        
        PID:2272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        107⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        108⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        109⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        110⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        111⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        112⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        113⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        114⤵
        
        PID:4492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        115⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        116⤵
        
        PID:4020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        117⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        118⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        119⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        120⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        121⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        122⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        123⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        124⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        125⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        126⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        127⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        128⤵
        
        PID:564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        129⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        130⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        131⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        132⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        133⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        134⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        135⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        136⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        137⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        138⤵
        
        PID:3748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        139⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        140⤵
        
        PID:3404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        141⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        142⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        143⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        144⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        145⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        146⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        147⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        148⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        149⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        150⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        151⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        152⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        153⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        154⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        155⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        156⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        157⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        158⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        159⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        160⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        161⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        162⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        163⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        164⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        165⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        166⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        167⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        168⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        169⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        170⤵
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        171⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        172⤵
        
        PID:1812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        173⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        174⤵
        
        PID:4320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        175⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        176⤵
        
        PID:1028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        177⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        178⤵
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        179⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        180⤵
        
        PID:2520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        181⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        182⤵
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        183⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        184⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        185⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        186⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        187⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        188⤵
        
        PID:384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        189⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        190⤵
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        191⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        192⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        193⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        194⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        195⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        196⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        197⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        198⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        199⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        200⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        201⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        202⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        203⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        204⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        205⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        206⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        207⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        208⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        209⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        210⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        211⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        212⤵
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        213⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        214⤵
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        215⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        216⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        217⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        218⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        219⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        220⤵
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        221⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        222⤵
        
        PID:744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        223⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        224⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        225⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        226⤵
        
        PID:1968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        227⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        228⤵
        
        PID:1000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        229⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        230⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        231⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        232⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        233⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        234⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118
        235⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118"
        236⤵
        
        PID:2612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piowwAII.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        236⤵
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        Modifies registry key
        
        PID:908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQgYgQsA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        234⤵
        
        PID:1628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZookcAIY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        232⤵
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgwswcAY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        230⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PowUocYY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        228⤵
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:3228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcwkEwEY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        226⤵
        
        PID:3844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:3304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dccEsYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        224⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuAYAIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        222⤵
        
        PID:316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIwEoAUc.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        220⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:4620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMEIIIYI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        218⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        Modifies registry key
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAsEAokM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        216⤵
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKEwEoIA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        214⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:3324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkMUggIY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        212⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        Modifies registry key
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiQcIQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        210⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoQUwQAk.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        208⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCUUAIgg.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        206⤵
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqIcYUkE.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        204⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        Modifies registry key
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMUskIAw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        202⤵
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        Modifies registry key
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYEscYMY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        200⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaQgAQMo.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        198⤵
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AScowQYU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        196⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOEkwYIM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        194⤵
        
        PID:4112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:3632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycoEoowQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        192⤵
        
        PID:3844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgAMQsAI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        190⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tskQUIIk.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        188⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usgkwkAs.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        186⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aissMIEM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        184⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:3000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsoQwMkI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        182⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAocssok.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        180⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaowkcIM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        178⤵
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:3808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmYkAsoE.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        176⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        Modifies registry key
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkIoQAgU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        174⤵
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies registry key
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meMIokkU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        172⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:3472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYUAoUsY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        170⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:1356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOEcQMEI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        168⤵
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geYYQEcM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        166⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOgkoUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        164⤵
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkwwkkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        162⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogsIMUcU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        160⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgYAQgAk.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        158⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        Modifies registry key
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcwAAogU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        156⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcokMskk.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        154⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:5116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hykYYoQE.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        152⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiAUwgcs.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        150⤵
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmYsAsYk.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        148⤵
        
        PID:908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeIcgIgM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        146⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmEMMwoc.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        144⤵
        
        PID:2600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        Modifies registry key
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGAgQYsE.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        142⤵
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEEIgoMY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        140⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiQMAEwo.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        138⤵
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYMckUcM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        136⤵
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcgwQcYU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        134⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQIQYgMs.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        132⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggIIUIEg.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        130⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWIIYsEw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        128⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyksMIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        126⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuYkIsEY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        124⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuUgAMUE.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        122⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuQkcoMM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        120⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McYEIgIw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        118⤵
        
        PID:908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riIMooAQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        116⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmYsYMEg.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        114⤵
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:4776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCAQYsko.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        112⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:3304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMockAwc.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        110⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEYEIUgY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        108⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgYIoYMM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        106⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VecUwwMk.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        104⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amIkIYkc.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        102⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqAUYckw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        100⤵
        
        PID:2192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiowgQkY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        98⤵
        
        PID:2936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGIYQggQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        96⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCgwcoIs.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        94⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGcwwkMs.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        92⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAMwwkcc.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        90⤵
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UigYIQos.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        88⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQEEIcws.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        86⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmUMocoU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        84⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwUUAwUI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        82⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIEswYMw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        80⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqEossgM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        78⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGQcAQUk.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        76⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        Modifies registry key
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgQAskok.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        74⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwcoAAwM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        72⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIYMMEQw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        70⤵
        
        PID:2756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkQAQYMA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        68⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqkwAsog.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        66⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCcgEccQ.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        64⤵
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgssAAQE.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        62⤵
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSkcsIYY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        60⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEMQAcUI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        58⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKocAsMM.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        56⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMEIQYwE.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        54⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQYYUsMg.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        52⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMccEIIk.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        50⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEMEEgkE.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        48⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKIIwEcY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        46⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyIsYEUg.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        44⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:4620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siUUscgA.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        42⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGwYgMEE.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        40⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSsIYUQw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        38⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies registry key
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCIEgMgU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        36⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyAwIIsY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        34⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIwEQYoI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        32⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGAEoccY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        30⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMEwUAMI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        28⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UssAUUoc.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        26⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEwwkEMU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        24⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAkEAAIY.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        22⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwIoYgkU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        20⤵
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKYUoYYs.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        18⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReYMIoYU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        16⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciMkgIco.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        14⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUQwEUkw.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        12⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwUYowEg.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        10⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgcIgcoU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3768
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2352
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2272
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:4100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsoscswI.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
        6⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3612
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3108
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsMgYYEU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4600
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuAYAAQU.bat" "C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4032

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2700 -ip 2700
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3592 -ip 3592
1⤵
PID:4756

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv M//1wwjuqECYZQjkFOuAbw.0.2
1⤵
- Blocklisted process makes network request
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
222KB

MD5
b97b70e9e1944ecec14f4182bd297694

SHA1
386608372a35dad3412bd944542f113d38683142

SHA256
bbe1cba44916a6325436cb363998ef9c53b23203453ecc3f0d4fad8a14d675c6

SHA512
f2c74ab03dfec298a3eecf209ef8c8b090856b94f10220334ecd32f4da410f5f6e37910fbe896dd838b7a19c112b0b98c62c3b8a065c58edf4e5d4a2d290dce4

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
237KB

MD5
0f0e3355394cf4449e032abeded13419

SHA1
ef585249d0af167fda7fdcaa76298d92510a2272

SHA256
ff66ef85c2546e14338bc60cbb53d502a25697cadda085a022f9a12154f6b671

SHA512
caded668f8a7fd91e61ef8e604c159f540bc1eb13915fde4a8acffdf0e28aba38a9d83819a83fd940f92792cc42bedeaff49969c38feee72e611e9083e9e291d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
327KB

MD5
30914e186498e0cdb9c684d3d894f44d

SHA1
a1887761b2e32eaaf0e612448fcefc557b8df53d

SHA256
d7dbd7c8157b88ac0f158d74ade8b17ab24a39735307b01929a1541f0fb7db7f

SHA512
852d5888040686e04253dcda5fd809d193521a76caf42ea0d9c92ec5e568aa6fdf9d31d3b2db9da141b48d906974ecca7fd1937840f942c97df68feda31fd2c7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
212KB

MD5
7cf309e4e67179ccfbbf631a91ddbe88

SHA1
96bdb06e24cf549f50ef63a7502e71268900aa97

SHA256
747a3b55fbb7308dbbf374884ad6fbc87ab72494cbd573c41e5bed2fe6e1a747

SHA512
4f23db17ed369c8da4db91fa6b60588ff840cb049472325d3ec3e1463ebb8ccaa8b6d0942779692633d5fd868730639a34be8492052326f0d149078c71df501a

Download Submit
C:\ProgramData\nIYcMQYE\TYwAYMcE.exe

Filesize
197KB

MD5
2d003a28a540c3093d93a8b7259a1bc6

SHA1
e814c1c4b306e4ea9246016fc628fe6a489710f0

SHA256
e5341e6c25ecc5144cec0d0ae1425df8c7ccfcce29c1f648d135db68ee382927

SHA512
8c3c74ea08fc5e57c25f97f889de574f8270483874f1422e41b895e34a024015ad9824e028e17134f114fcdf8afa54a6a883fb658de8dc19506271c039e26672

Download Submit
C:\ProgramData\nIYcMQYE\TYwAYMcE.inf

Filesize
4B

MD5
f4b01bb20fc0ec9604a7284bba172255

SHA1
7724b75d42e64d5258b8fb64be853dbef988d9e2

SHA256
6a83fa134e74dee0fb43e14b1c370f6e9cdf3201138854c5745a6166a2679478

SHA512
84574d1c87304ce690faca4bc7e4f851a830c10aa11a90d44c23b342c754a1ce7b4beedf7a2d79aa5cdd7dd518ad2a673e8db4139b3ed95c937481d492d03ac5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

Filesize
187KB

MD5
f60116238414e5f9d3e4552ba45db9f7

SHA1
77a543bc78358458a73964b9bcbb9b514f7626a3

SHA256
b55324bb780de515db48105708dba91abdaf14e0e2aca68a075c06595c0baa62

SHA512
b02ebb39f8cf611691dcfa753ab19d1469a45609cc8044577afa36348f973631c4df5b1127cfa357cd322ed7e7df1251611f2715796694e5ca21cc88eead3eef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
205KB

MD5
8fe7cb93b976bb06f228550314dbe016

SHA1
a3672ed4c26ea2237e798124326b135a8979d65f

SHA256
60968dce4b8ade49c80ba44bb3daf343eb478b3dc4b7955013b7f5daded2a467

SHA512
003ba2e578695100a59d2367d2fdc9e13af5c5f94e82ddce702de0d3e4d87129dee692c68b6ef1be0d28fc558fe15b7843cfa54a3e8b33633f735afb1b640a56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
197KB

MD5
3a782ea796830efdf8b8cdfc639166ea

SHA1
deacf513589ef001e940e2a119eef8e9f7ddce6d

SHA256
05ffd193dd9754bac49f573892b39cfed76246f98f4606161429a4ca18ec5e84

SHA512
5b45f73584fb2c8c6f03bac6ee3e972dabd3d722792de9c8b824fa8078e964ca65422c122641295a37ba8da19edff907a2a40c091729f727a89e958db078faf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
193KB

MD5
226fc37ec38f03317d2f923998d4eac8

SHA1
3eadeb862e8625797bce798029d5180c90986bb5

SHA256
90238e375cbfd54f90e69c38dd3963e4059490655fa87f4c573cbc6c2b681bef

SHA512
3740dbd04640fabd97dcad6f7aacd355de61003df8f3e632a31b87f89142725a5c5132359771df02d86663001a4e5ef0d4a031168c67a06ec652aaee3aa2a9c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
566KB

MD5
08fccb8b688af4b35a3c62d06d616134

SHA1
3e0f8599818bc5abf092f06eb21b916a3e2b4d31

SHA256
b3d2b208d76388eae3691c89214fa4e973529314efc94db67132e9529a618d6c

SHA512
ac4349f35462a6cb4e4b3ebfc498389db2311eb8b0ecf5ec65b6cb14ca5b5eb9278574978ab0ae5d5e1dd60f3fb47a7e7c0bf9a4760951fc701f3b53536f1857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
196KB

MD5
3c98a5dd2f2bcd82fff93611463aef04

SHA1
30d7ed29601ddb037a2bea997af47232e5959695

SHA256
715d66702e71ac9c252afeed5534f9c5118283b08509332ad0151af0b142939f

SHA512
5d90cc8b93c702ed907adec9f0a1c359e84ac269e332a343d3d7bf6ca955f9e54751ab201213269264ff3a973bbdaa58b6c962e926f6bc33754fafe3c66e0a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
205KB

MD5
239f16e4fad3f0f33350130114aa3b4e

SHA1
9c9f06962f58f809e10019447e4c418ac64fbb9f

SHA256
8222bb3e7a7d0485d71bfcefce21928af8b3cdde8addb5c3bb6e4894a3522d1e

SHA512
e6b5347d9450c66078349cc1939c1ea20284d91c9253b4fcc1cb301763c178898ea86114c096b283302780df2127b8bf2dcb516ab3b50cd5ed7078587cfd8b67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
204KB

MD5
9abc5c868827cf63abf108c71db11fff

SHA1
cff7a1bd24f09a42a2c7f6b60d24457ebf2b2b75

SHA256
170bcb38b89a5109e66312a295c51203699532f7f6b1eec28c148f5dee688219

SHA512
611f28e6c91942f39cf0d1e348d23696d0078cba466554962ae014c191a9b362fa20c26efe08f2ea67d2ae711834332af2b629cf6d1e03167e971845421a67f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
201KB

MD5
9b11bf785d63ff5b6111a6cc832392fb

SHA1
204f9729d6e706d529157c6860409f27a3b7452c

SHA256
fa40dcd0e096a31c9e39b6ff3680fab60afb0b608f28d35f3172016e7da490ff

SHA512
03c706fcd9f6818f7c13adc469d69fb5fd29a375924133e0fcb64e55c9cd26539764f606e2ca72b8539319657c2c24da7c1fca9c30683e3f7d774faa914e6573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
198KB

MD5
2e3174821653bb8a9281e0350f16ff1d

SHA1
a7bfb4e154595274c75a5d2937cf948a107c3cf6

SHA256
57abadae3ec8d456d0763c8b20e1122c4fb9bb20e3f045c500fa8916191445c3

SHA512
9c72ac22e3caf19b6ee6bf810afdb3f33a9f2733f98c696c2370653d172b12ff8ae2034898f3b372f2978dc9b9deba1e0afb88d9e52993f2b6ff6385c0fae64c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
194KB

MD5
30a402d29af195fe576a7c4e4918ac01

SHA1
d70f44232709880e445f5899cc309a16a416581f

SHA256
1da0ead7dd786ac39c64037e6fbd94dd65a53295bb15a88a4a66009f07b71c59

SHA512
cfd2f2dfe63c8a0c4eac33361b74edd5393c7710ab90b29c32f566a9646dce376314ba0526ea3ad42d0d60f9baced635b5bb27da33abe6697872a143d9222430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
189KB

MD5
e443f2aba53c0a46e561c9e1bea73998

SHA1
7fe70990d39021e7f806e0312c2ecdf249e615a3

SHA256
1c452d3add7df51c2f02975bacad61e2eb02d396e3ea8745d4ed1327eb856f82

SHA512
c1c6d2dd8805ee540892e717033e05f0c384aa7b937e4623289cf8941ea507cf5e3c919aa62dd4fe925e565edd4532bdaa1f612e41c3b2741d39953d4f6139c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

Filesize
192KB

MD5
3c3412cf3ca5581f075248b6542cb6b9

SHA1
01f0b0569ef6f5e249c0bfc3ce284262a348d10a

SHA256
3a83b6212a1338615a23d36ec4c1ed447c568eb7906fc58e3d3a6f0912fa7c90

SHA512
a85fffdcacc7df92c8507930177e366cb80f2eda0a9d4a74c2c4592d63930add1ec63f7d68fa21864a923b7ff9aa639909434d77da73416e6e1c4a3b68d4f6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
193KB

MD5
e856eb838c031a7fea84a8862f9dd324

SHA1
6c26bab0e5735eef9f14e948428e885da6d1ac16

SHA256
7e94ae2b125be8d51fc7dee1a559e115e6630b604b68597cfa0c3a659697770a

SHA512
834cdba2294ff17d3503ff3909543ff90abbbfe99da740a97da13f15968b4c289347db14d4379a054f41d127da5d1ab1ed7543ff5d7c6696669fd70b15b41a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\187a052ff11cb16228342428d241f1a8_JaffaCakes118

Filesize
16KB

MD5
ca649352f8c5eeb886e439ff4fc79ba5

SHA1
276774d2c9f1d93cd398ad3ada3b141452a5e877

SHA256
b1137e2c17c7d2e2fcac46bcef934b0915c77181bbe99b90556dfb3e86a2b0ce

SHA512
757845fef605f0b1cbbc6803f93079619a08376ff57831ef0319fe5c2aea787d3a82d1a1a947dd579099c8c64f03a90d9a764f87b4cc6ea3c42444c6388dbd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAoI.exe

Filesize
193KB

MD5
6aac2b3e3cd989a7da99ec43deee21cf

SHA1
4b33962bc21d06201eb501834add7569344a6794

SHA256
1c1ecaa326f83acd73cf096a46a5f3353d8c46eb5d81edfcdea5840146f28ab5

SHA512
3b01deaababc670837a253c96ad57757c542fdd83681099e966bafd8de2ccf8a6f9425e7f54103a3c1e5f6ad5d758188a8ea12f5066c6bffc1def156d9245b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIEc.exe

Filesize
821KB

MD5
fb7885f8d21e214bce3c1ba60fe93723

SHA1
b4d9c59e92d078885069ef9908962dd4bd0ccdd7

SHA256
7a8f6ca57cf74e6d16d328f3b4627442b7e6e2276e8e9f808e1cc0d924245dc5

SHA512
1f71f2f3eabf3a3df91f348acf70da366da023a244ceae3ba7cc1f8455d0d76fa182319a1be6ca0c1f6d77f10ffe465e0de7d35f04a0a2afa0257333e9de3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMQG.exe

Filesize
798KB

MD5
e93adc1f5d0ff953a5f08dfa1e821a65

SHA1
5536b28452368c89bd6685b089ca9a2bc6a70f19

SHA256
4e1a87f8c86973537df4814af428fa917441a57c2343c816a01feffde4961ae6

SHA512
b77c9f8d60af4bbce08c3b8b0edbe37a0f53fb9baae9fe80c4f00dc980b9677d5ccc31f00105a849d66653a704c07f91178ef1da3b3f43e7806680de035f621c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUgs.exe

Filesize
645KB

MD5
f57bb28091d7ba1326326e01275331b7

SHA1
455edb4feb675292384aee478485db995a7b56b5

SHA256
1e66e52ab044862bbd49f296377aaddba63d64e6b32f29103fb4cf8a58974258

SHA512
937c46958b73c0049938ae4b09edcd025d66ec233c1ca02581deb6b549f709dd8684e0d7a8c51d423981b538d01f9f4d392d4d33419926eea6f61e125807a06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dooi.exe

Filesize
187KB

MD5
31f515387a7eb2a1c5a6c7d955d71289

SHA1
d85285aee51b0462f21d12b6cdba30e309d68b61

SHA256
16ce0e9494274e0ca44c5b0d2f2b04d52bd62ba25b9b7ba2be347872a0bd9fa7

SHA512
b31ef342b53fa1ce4d26b9fbb88814a9a0a626a425a33c170fab0b1557aca49559452989adc76439cec9f4117c0c308b042e5546a847e5aa3d034afa1721e6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAAq.exe

Filesize
271KB

MD5
62b1370d1d33c85e308c736a0218545b

SHA1
53c2d854026b1894740ce7b2b407243cdc49e9dc

SHA256
20f886b18f488032ae1e7445efdd042de37087ea0cb14253bfb7b991ffb77385

SHA512
fdf31c3056abf6331dd039929c16a4882225a0525137a65d2f015d62d2aec1828ee78782b3b92c6b226f3f4b58027d79ba896a1427cfdfca1df52c451d8e1c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMQa.exe

Filesize
198KB

MD5
dd4e7305d29072981b487335206041b1

SHA1
4f7d63b25cc6833e0fa59ad301cf3e720beff14b

SHA256
ae5759b6415c83c1ea9d6d3ea9bef45203ea267db6b40d9a98d137d7126bdd1c

SHA512
b0f9a421bdc242ae8189e8f8bf2f3192f96fe007fabea4c97ee443fa9931661ced9be829d96dcce87e2b19168e51ed741414ac5c76ac2f2a4f004af5d0d00dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUQO.exe

Filesize
1.6MB

MD5
3d8ef76bbf8c787387f6474da4760c7f

SHA1
533fde49a71b2994cf3e78fd1c1fdf14c7bfe041

SHA256
870fa692dfb992bc21896be9887afb405ae6dc6082d3d4777b9b68e59de94b3e

SHA512
be0a0f06a938e373a4154f6413dcfc36913a7b5564610258fa825bc585bf166847996ac60c1ca36e6b48997006f52e733e217ea13361aefe5b53c8a79e5ba9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eksc.exe

Filesize
200KB

MD5
370a37efe4b7e9d59f843376bade27d7

SHA1
b33e94f0b030331a7d89080542abd14a6a2587ac

SHA256
a5c8c3c6621e1273b9d54fbc60c79cedbfe031f9032175d60afe1540bce89ea4

SHA512
1fa552eb8e371191855d7cb28ef5edc0af4f60ab8867ee97396ae90eba4837e7d6cc73501ef555b027464594813e39d743c84acee11e769b832f7b719ba4fc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAYk.exe

Filesize
205KB

MD5
fba40796d9c413b1886bcf9deec05585

SHA1
18f10c6a0c8d320beb9a8ac902e3f6a4e377315c

SHA256
fe70c2b884b5f26728bf65f29f64ffc05b334e557f118503daac5c359fe86f17

SHA512
0c1b89524eade5cc895168805dfa2c175cd4f83e2a498955a97eb3886456ad9dbda335f320d37866056c822087a0a78053d86d4e626858597b46d9967bb5d2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAwc.exe

Filesize
471KB

MD5
b54e90bb954f5bb386e5c09c97ab9c6d

SHA1
0a39297f6bd3361368884ce712dc2a03b1c56a1f

SHA256
c7ebfeb47eb9db08de66b2d68e54134f9b9b381a988f2389a6d8599c7559acbb

SHA512
ff399bee68932e7133b87836b51c74ea6536b5694fa7ce470bc17289dae457e28e6cd24ca957f30227d809d40df35caa5d9c9563d6b14176a46e15d86f0462ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMcW.exe

Filesize
324KB

MD5
ecd6e369b6f30b70ed7f6826ec2f5eda

SHA1
47e6180bcded984b25aad2d15b9e1595a6b7fafd

SHA256
2f6c0528ee756b7ab2695575df0a82f1b7e108cb3d90ac3bc7513be721006e08

SHA512
986e1fd31d484f34f2821824c5b0d0b86f70757a8abb58bbc6868e96946dc0883ab5739963432ee5125749d5f201a8355634489b37f8db974724edba82f8834e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkAU.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMwY.exe

Filesize
195KB

MD5
b2a7bf9eded25d9fa3f5dacfea62a750

SHA1
0038939e6f699463ac9a1aa2d90377865fc0cf70

SHA256
9e8e91593109c09dcf82b07ac51da0cdef6cf681d6d8d91a113bd6c7127a2c4e

SHA512
a6230bd9a3e032576e66c3ca26f497d8564c2604817923b3c8023ace20f9702d700766fd8f567ae5778d3a659383e9ba1c7898f109a14783e2834ef59708619c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQMU.exe

Filesize
183KB

MD5
7882ba9acd6686f9f82c41963da095a9

SHA1
cdbdb3cf35c384e3b5ec636aa48363fb90f5e37f

SHA256
ed7ea4bdf7cb78c7a3127924becd7c8de58b7cefca13a687ea6af5e7c150220b

SHA512
762881f14930539cba8157ae1796e7c80de5dc7ba1a1609d0b050b45cdcd25b9b603db64b5d59856ec11155608e9b438245fe5fecdcb2424da4147344bc988fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcwM.exe

Filesize
211KB

MD5
011599ffa3b6b259fa22213d4c4a7929

SHA1
8e453541e6a02939120ca32761e39e29430343d4

SHA256
867a1aa285e79c797eeffdcc8b2e0805a6fb2f4cc6522c8a680db31ad6de238f

SHA512
29511576318501ac8188090d84f13ee275dd02de28f9b06744c482fe531f7dc79d7d77c249e3417100e1ba2edec18b7ce4ba1c931a16e47058ab30c6f9e06fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMcQ.exe

Filesize
201KB

MD5
94667df68dd2b6185ba8ff2139f65838

SHA1
34316facd88a7b5286704ee6d452dd2a5c610e06

SHA256
2fd5af6d3d7e546ecff1de7da5aef6e7f8639f42dcd518d94a84ebffcc752003

SHA512
32e33b4e2d014a99e374bdd784496a46521ca25f81324a39cf044e74e78f1fabbeed9014478c0b44409a5d06fa50ed5f816b7d75b5e582f7d9954713ab198a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUUQ.exe

Filesize
623KB

MD5
5eaae31c74867648d71c1cd599623f02

SHA1
7080d1854f2d2fd4f3cc54b7fc51fa9d477fdbab

SHA256
2b7aac92a6fa17c2f7701c62968772cc8f454c2cb99a63049d336c0a4abdab66

SHA512
79305ffa519e7f6f129661bdc22ff10c95952b96d908ff8d0f0b2c541fef670033922a6e293d467ac969dc8bc116f9291ab2e89aac94c853e81db41e9c3c6b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcsI.exe

Filesize
195KB

MD5
499a5879c4aeba4012abf5e19574dcd6

SHA1
fb56a4f6cc4ead9555784548a372688a5131b76f

SHA256
c73963f0fd79539f43d3dbb8dc18dd655d8cacde15af5442096d4a38126ff17f

SHA512
b45b3f5128b8805e44bbb37faed39dc6e4309441c9152edca30ad3d326771071b1bbc17460d0f4fd9e1b56814ddf4f1b2f4449e1a254837e849a17921f7efcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEco.exe

Filesize
203KB

MD5
ce2567563bad787bb2b6963ac3cbaa62

SHA1
6cbf8e843f1ef5700af88bd056d57ca609d91c6c

SHA256
83ceb1880809be56cb1a97d609f8c4235dae4c8fb90c4b618ce9b8222c971f1b

SHA512
75d4977f4da4615d77b3c6882cfb648723f3c556420a772bba00da7d30afe59aeaeb8e09f5144c2e56b48ceaa932f8a1e836121dd19a1485d809005f127929eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMQm.exe

Filesize
430KB

MD5
18348d9d5d7d7fad466b35f9fc98e14d

SHA1
d7bcaf47a227dbc93e8bea0d5de298aeb8de747c

SHA256
7665cacbb662dadb2d7e553b2b3a3e53fc897363edd3366e97f5d60d64374b9f

SHA512
9f9d4094f6495b7dd571cb7bfe0d6968c3c001f752702244467cabdf4fc8cc2844d8765650b62611c4faa7a8faf6e51c37ed5bb229534175bded4b599de606b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JoAG.exe

Filesize
204KB

MD5
b1ef014dd09cdeb82465a1a74b0b1f6e

SHA1
a23311850e60f690d8183c30fe951fc10a12ce3b

SHA256
b1bdc44be7f6e151aecbd6640a31ad1bc6f7ca9e566604eff0dac1062df9eb9b

SHA512
43af6f583ad7579f38c3fd9383f23dc3263b27ae622b43b781c59fd245b023fd29efb38570ccf658707b7f1aebf34c094aade5165a9bef1782bb229845082787

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkcA.exe

Filesize
221KB

MD5
2cc07f3f7cd3c8ef66a4704810afd0d6

SHA1
75700432e011663da3e76af816ca75d2e8a903ce

SHA256
b811fb886156293ebb438a820b23be6969df1eefe6722118b97aae00deb76a8e

SHA512
1583a4ac51f51295513f0694116d8c957800edbc24b80a294b1e6d3b08de02e119b1bb2d7de474017cacf7fb066dd5fbb9ee86e771c4a9e5a7fb8235b860fda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEkC.exe

Filesize
654KB

MD5
819c710a823f5a840f6a816da649388c

SHA1
7bad8010e75b4566cc89fcd4ab01a830f816c993

SHA256
bf5f3f2b97e1e458534f0c26080fd7797f260f129d4c54af58048a2cabb3de49

SHA512
64c0b2ca8a58a56bf5b6e8c55344eb45408ff7055eaf3ee5a6d334109db497d0df70cdc7a8894e7d7daad5ec85a34144f515edf2675f8d30a3bbae8c869cfd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMQU.exe

Filesize
649KB

MD5
0aa86d7697f1a53bdbcc9ce299aa40db

SHA1
e85cde07343750a523b61eef6602817e9b15c41f

SHA256
5df68ac0c92b366c6ca0bdba91ecfbac13ab2c9fe6ea02a4f179ba80119279d1

SHA512
62f20ca8e91a938abf3849ece0992e8b0e89d0b872ab1658d5a595f567ea8bd7117150fd02d5e8ac8cbcbf3737530fbb770d7ec82504ea4f887a67ec1804170a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYEG.exe

Filesize
247KB

MD5
6f1fa74fadc9e08e7d22e2ebad58e76c

SHA1
9775fd7580eaac0cc3b2eabed2edcaa06e337d53

SHA256
158b9828860e59710b1ebd1db4808c8d4fe8dc5ac0f799a45d1a2605bdfe9042

SHA512
7c23063ec60c0d4149532f137f2ab382b679fd71a27363ae49addcbc8c220da95ad103edb81d1f89ef893ea357c42a2418af8bd79af02ad8f4a70507929555e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgcC.exe

Filesize
183KB

MD5
16130646ca2f2d444ecf4803bf15aaa8

SHA1
bbd85f80ccf53a9c9474e1e40eebc14a32f5af73

SHA256
9768dcebf9030eaefbb97369b6d196b638fd9bca77b21ba8dddbad342a9de725

SHA512
7508d52918ce19bc68fd8c3bf2ca8c25f1da4c6133e9d30f1fa8d18aaa8e07992c62c7b873903d259648e8b6dd76103008a8615ac02f57af1708eb86143df0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUgm.exe

Filesize
211KB

MD5
c6123066e3f013c03702bab6b364a0cc

SHA1
6966aa8c84033bdfe4f064c8b5d74aac6b7eb987

SHA256
e34172efaad87f1be3e4e81546b6faf8d24d9a39329ecc4234280bd8983f6126

SHA512
c64e059af4afe151a38b6278d5bc4f7cba53aea758b045da8822b921714255d18df5a0affa95d0c1fc12fb211957e9e87f767472beee3a06c1b050714820760b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAAk.exe

Filesize
196KB

MD5
fcfdd816ccab88ffb6cb9e3894d58c0a

SHA1
1171b95a9603374553fcd7dbeb1f049568f13ae0

SHA256
bb217baa85dda7eeac7267c4d975fffe19c2a956ce80afe14174436409edc162

SHA512
1722ede2227a13c7ad81b5176a70837e077829a3f8b48ca4fd7e8df4b8a3e0e9ea931959d4f9878eccfed273d366e1efd31e66c974ec801b69ae0f419f1fbf32

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgoG.exe

Filesize
202KB

MD5
d29b4b740bc370af887d1ef87ece2e73

SHA1
d174fc9caf3b38b3f05eeb44bcba5b4bc036752b

SHA256
a9160a01f4914a2f0cd1454c59cef1a014e0802a86f9229706933648a8ed0f97

SHA512
58d9dff5a8b302d0e366c77fcff02675b2eac676dd2776b864e6d1c33607118d897eda89d29989c5800b94e03a0a6c114aa8e5d3c4847a5d0392456b55c41d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owcg.exe

Filesize
209KB

MD5
b1f6c3412e3f0e00fc207d34ee046ab9

SHA1
3d2bca8551a20933a1fa8869beed241f2020219e

SHA256
6bf1888dd8a1c278d0d1a830207d829319f7b6a2647e037c5be4b81fc151f18c

SHA512
ff449e66d58347e9807f7089dd2fd23555ffe02c96c32ce4ee5dfbc7f6c2af6a224f6d7c0214856c85e3d426b67098ac22dadb97c6bb0d31d4f4b86a3356e0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMgY.exe

Filesize
201KB

MD5
143c481267a875ebb860e74b70866ba4

SHA1
1724691c511519217177cdc902178af7620cc26d

SHA256
23035022f7f581130139ca27c3ffad68d33e14f36662c3eb703ad3702f3dc198

SHA512
a17f479a0dff9f7bc4ce495527ad3a4dccb4c17dfabea2e8b3fa4ea535d6ffc1b6ab1fda1a8911325ba106dd5e064ab180799ac0c515d29bfd65b098a97123c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PuAYAAQU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIki.exe

Filesize
792KB

MD5
6656ebbde69f8ce75a8a5c14d3ad691a

SHA1
9e4d556f748411ed5a689ce275a1eba2cb858c99

SHA256
5c96cd7174d910f467e9b658b8c7f381a189b5cae54b312bb3487f2980b6bf44

SHA512
2f2a05fe22c2787a1785fd9f72beee957a45b26b701828488300fb0969ed7104ca37ec498b00678bcd9dd4a2c3faa877783a4193810650b6bbb433a17a601a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMom.exe

Filesize
1.7MB

MD5
6d086c8d727ed36259860009ec80b091

SHA1
b441ceb93a6d6e489898ade0c5dbe62af313951e

SHA256
cf14fdc6e77124b9f4f9993e0e5bdaa0680b748b3a03b185300b72a13814886c

SHA512
68c47e7db00f4ce487a43d3d20f303ec94230bfd3dc27cba62463729f815ca12b3955c794e26c933929d54b8cefb5192292ea408a1d2a442f88acf0c51a02887

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoYu.exe

Filesize
202KB

MD5
0b9a448a8c506b6287d858704db0c7f6

SHA1
8e79b75d6c0db42d6a9e85620ae6f29222408120

SHA256
e0c50f0c728f5415d188a594bfd90c2e9dc5ac6c6f3e74324807abc7b4c4e928

SHA512
9a4211a6e14aaa07d23a8a162659b41d26ba84c79ee6fb898acefd627199ecdb8ffd35b911c3cc2aaa1564bbc720605788c5873db3a197b2b157a680bee5430b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwQe.exe

Filesize
705KB

MD5
77a1d8a97189bb2cd449421a84d7d684

SHA1
a6b747b2f7f5ca0c06f3c716db1e6f88b145999f

SHA256
8189ea59f675a9bf54257e65d7516337ab58cda969e0a261c7c0936def6b0f7c

SHA512
c681cc39157914aacca8e60ea96dd11e9013a60b76a0467b35e8127cba7cdd2dc0d3c9b2cae99a0b9458cc04262df084a701bcb92bbfcfe26da7a6851324d9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEgk.exe

Filesize
221KB

MD5
ac1b8f5d50e49c564e165db59afd69bc

SHA1
1bfa5841e9974c062e534d3ca8a0c2fb78367640

SHA256
727eb14bd845155bc52564dbd7f02fde831f3644ac8007f6379f96070501852b

SHA512
0519d8623a1ccc992dfde69f522ca6bc581af1e032230b1427979f29b09fb15e8f0afe86b8b095be136029f9655984c5cbe25341ab48171b811025de216b7877

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIUE.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEEi.exe

Filesize
198KB

MD5
6bc6b7457cae8925947aa859cd4c1ad3

SHA1
bdfd3be2f55f2240c1f56b63d93be981893a67a1

SHA256
911223ce324e95ac62d11d54e70e1cc0843da5c42f2e72b3d8826b7347f1fe69

SHA512
9f0aad956619729255ca2712e70ea0443fc7ca4e7a0a321d731abdca9333b00e3d4fe57ba52173ea166d1d8e29b5270cbaf65c2b651aceac676c53d737f01066

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMsw.exe

Filesize
664KB

MD5
b4746dab00485c6dfb6fa07aea529bb7

SHA1
4a577a933e3e8bc4943077f375eb56475894c302

SHA256
c9f154c258e2a0bf4b91993316396db7d3699864625b04f84137887eec323a25

SHA512
2719f6e5984f2c66cfd16b6d79d0f4f8323bdb4c7701cfda4e442c572eaffde044726b3b6eb6b43b0687c4d349934a73f4108e05a6ce779e95d83d3a758860ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUwC.exe

Filesize
190KB

MD5
82dae94e78e9279f224891ba133ddf40

SHA1
5f007a700949dfdf25bbb272870684e78cdaafe2

SHA256
6733016a8ac82abfca78765ed26b728e6c289db4c6d0ee475e5b5a6d13c4666b

SHA512
a7870246b12cc6ab88506b41369fd167ab90ddf634d83fcd906498f1eb988acabe7149c7af7400431cb856b1ba68c9cd7044f7e3d126952613cdf7f4a5d0b502

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMIw.exe

Filesize
633KB

MD5
2a71aba7cfea7fb5f5977ba879b8ff0b

SHA1
805326a31191775c72e9680feef9c6d3fed83053

SHA256
9774fe641ee5178e7c3d90110649744db49ff90fa34b11c7946f6c0af13b7961

SHA512
bef022397132863fab0fb14ad785aff44ef02c438b5d897081fbd5d06efe282c9924e52cf8e3ea34e3dd8c85d5a61bc2d139273e0cf2a51f1170b84826481720

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xgga.exe

Filesize
191KB

MD5
b063a7a02f38978b2271961541d2b151

SHA1
a33e1b5f765653745a61ff9cd1cd9a584b38701d

SHA256
430f0d91dde3e9b6886c8be4692ca2af8a4abdec9fcdeb95104b2e2172add7e2

SHA512
2704e9d175f9347787b5b364afb4d61284375e46d77d3175091a98356b637e320f0928c691fbba3fa23580a72e5dbee04e7881faa72734043df563f8c09a1da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAIY.exe

Filesize
241KB

MD5
a36b9f9e244920598cd3a849b4b48774

SHA1
e5088370bd3e8cbe3a3d52deb5e9a4db3dc8c651

SHA256
719148503a8646090aa6be4d4d654b83efe92c86ba23d986c6451d8bafaaff59

SHA512
8e3695471cb3403ff8244d01c4b17015bc0ea7da28f98a2f13faa4be66fd807c9dd0357e72b6e2a4abe74849dac686004d7d88045a6a4a761c5f56ab0f04f74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQQe.exe

Filesize
195KB

MD5
b6177a1d4f724b2ab409c1be31704d1b

SHA1
79e927f365fb4a2783d706c29a95dd27f1385daa

SHA256
b5357c58de68ee98942921d0379ae5f9d4502dc0acd624b10cc6c70c3af03762

SHA512
95db910a95668b7d636f92739f97b706efc158409fec17b77ec03c00d7da2fceaba17b78c0b2cf08a24cf9e8d304d244d1e138221f82a25fbddf394a95c90051

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUsk.exe

Filesize
183KB

MD5
c0188f1f81d3b554daeabe4b14349098

SHA1
2fec3f280319801114c5e7c812dd1f4ce51e2262

SHA256
56e49a4d3a82b0ae6d32dcd0efc4864978ed911ddaff763bf80eab3e4f2e9e1c

SHA512
8b392d094ab42c99f5b23da4719850b7d7c40c82f0af0cf50310a6a4483736b432ee9b4e89b0ef11f4c8b986acb1f2e82c9af37b8417d1875879e45f3108cd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoMG.exe

Filesize
200KB

MD5
1e8bf30b1840aba03c54a872c40013ab

SHA1
e970d4831c564dcb99445f13f1842f155dc51425

SHA256
d4f49ea9be57cf1023f9ddcd2dcdb7baefc85a3e617a176d4b92415878199f94

SHA512
fd17aeced9f277e8b0f7528cd8806eb117486e012ebfa20aad751dcccd6ac65cc00e03d4b95579574fa52a2b60f797d88343c1dd0dd10a10085d71911d8d549d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YswC.exe

Filesize
1.7MB

MD5
e3bf6ea7bbf860df1666cebe8edf6656

SHA1
5f2615fac80b4d3b3083f417f641d24669d0ac14

SHA256
0e7cae15b0b6a27cf6ae8bfc700c32bcbf0acee76ac9079b05d173ad3a1e858c

SHA512
5d24454fe66b7f349ec4bb7a8d4c08215fbdc0bc0b332795b8bdb931cd9f0e1ed756a8dd22f2d5a0baa88d8e070f0ce08ba3ce43cfba5d8fd0b7a6fd6e78c2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YswG.exe

Filesize
202KB

MD5
bbbef38aa8656c164536faa9a0aff0e3

SHA1
5d38d29b7a78ad6e48a7865a69db13ba8c4fb7e5

SHA256
082c3b9bf6e9dcedbbd5b60ccd63ce26200b60178b7b763546dcedec17c47419

SHA512
f3fc6ee1900bfeb2ba80eba6822cdabf10a623efa0aae7c0c6930da17b102b0708e4281bf704d24540ccf51047405cac26ede456bfe314da02a52d523b48e67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsgA.exe

Filesize
188KB

MD5
72ded341a210d7b01c64187db6c3148e

SHA1
ed14c9602d207d604ddf738155661f46449cc4c7

SHA256
9fe373f9ab2b9e74e39254c4967d7185f453f0eea2a2b9e44541f77f4ef1d4c4

SHA512
cc9ae69eabb4ce70e7c774fb90fd8e1e75a5789da6b8a5b605d04cce554f5ae1186cf33486360d8a6335be5001ff189623af275e390804b6a2eca00bda619ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwIK.exe

Filesize
204KB

MD5
2586280382eae45f5f14c2a514b00701

SHA1
7202056e2157cfa44bd543322527c8af79ba4700

SHA256
fec07a66b6a324f908ba5db7d19339f510b1f0f7fc7551b683b21215f92ebf10

SHA512
2c6516d376d41b8fab01ab1fcd2c9f8b5da73d76b7ea93920934b51b3ee218cd190d8e52691db27492ebf13ba30902548d32e725381d3884df136674cca95029

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwUM.exe

Filesize
201KB

MD5
89db9c13ac0c16300fb12c2d3950de3f

SHA1
c00c32c8c8cd74cc504f2e0ce776b18a4f0ecd5f

SHA256
75db4724c122a535a859652e89fc66e4bf3c07647913b1b4d1f00477715cfae2

SHA512
9465a6062a5222a2f854fec9d1ff984e744105ccfd0181edc667543c1660387fb476f866c42cd9153ab74a4772c455e2476c5ee0060e57e0f3e6b74efe45e85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQoW.exe

Filesize
225KB

MD5
6b845fe4b7e4dfc1ca8787b3e2700ffe

SHA1
99e4ebd76d611d7b2c91ce00a6617b21426988af

SHA256
fa124b5fdb445d9f529ef8afeef083e9444d8a5824d58c17fe5c4d8bd6f216eb

SHA512
d49bbf041b4ddfbf0328e568c00b53bd392393bc8c056c7ac4982e73d553b302d22d97ee0a2d76824fd597a6c1981018d3b40c59f368ba0e3b03621d2d768a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcMw.exe

Filesize
185KB

MD5
411816c1b818ba03019d6f598d741e56

SHA1
d85f59955549703b0b241e88c608bd8308884609

SHA256
f6fe28c4c78b4ccfb4e46944f45ddb8d85b572b3c056878d8a0d4fb419127af1

SHA512
ada277b6f0f6006935b53beeae5191ab3640631fd69db373b4b4308d0dc77654a7ff7b7482b2abb8be25e6941fee46eb90f32ea152f09731478c24bc4fff37c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMom.exe

Filesize
203KB

MD5
18f68ccf183b86046f0bfa3a53403236

SHA1
28503782bcae5fdc1a38a1e76cf448d670fb50e1

SHA256
c73d3cfd5c4a45668eec34531830c12e78b5c2217cfd3a3c3eeac987991570a2

SHA512
ce14d4c68a9d4b0ffdb60b5a196cf26633b6efa7396979bc17568e2e227972eeede968e1ca8b7201cc112d3a66db5388ca69267ce2d8a49a4ee1863be579c30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYIG.exe

Filesize
199KB

MD5
29723098be41bf1cc33bbbd90df3792e

SHA1
5376808fda557c903002d5d350877ccf02673da3

SHA256
fd14161b194e340ebdd4b10d96e54d4117ae7a50f2ec2f5a0887259740ecdcaa

SHA512
ac69b2e739f0b322ee92d5f9b43d305016ef640d878cc262dacd32c6ec4756942173f0efc10a804ba41201c8c32a420b1f42df17d8f6cfb228a30df3cec528f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcce.exe

Filesize
199KB

MD5
2e4a1daa7e660fdabf88a631e81d3646

SHA1
cee38bee4bd25f414ecf77ae68b020535d6445c9

SHA256
3b54aeb648ca89ec38dc77a20b202e69d513992e3cb56fdac84712cde8e06887

SHA512
1e19296bb6daf1bf2b31e1bf3db99cbb23c4d832a68f5a7212b158c1233832add78a84a7b3d2d16b702f6085176076737ec283ce3faf168948f87facdbc50133

Download Submit
C:\Users\Admin\AppData\Local\Temp\dggo.exe

Filesize
187KB

MD5
a4b4bc2b65d49b584fb0ec2c01c81871

SHA1
e0171e7134ce50aae39dd3811324a2bed074ef18

SHA256
660a46ced7bf39c227a50d464015b02786f12a4766ece43a28a9b226ab9a21a0

SHA512
593e5cd04ddff628fa9da069f2b1825c7de659270b7d4763a94c3d4de4be210c4c1da60aeffc5c574693cca3271cb49a048037c805bafa5f3a4ef15c5315afd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAci.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIwO.exe

Filesize
2.7MB

MD5
9a954a926c8e87ff87ade8f83cf59b6e

SHA1
b9b524ae708d140731b4ad13b5a8cb5ff7a593eb

SHA256
a858de378e6d15669026b0cafedaf59e8190220cc22263b75c285b57758f5241

SHA512
f0866de7ffcd0bc302607f2e99df449975236b46b16b88ef7400263607c3233ad80dc214a0b879b8a5aebed083627a35fd101f5a13b34e34cd71f1162550d637

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQka.exe

Filesize
223KB

MD5
55fa27b03239e1e3bd12448bdd5bea1a

SHA1
c5ab1907f62f391ae155236ffb362a1123d3f0ec

SHA256
d7c3d7eac564c0387fcf9de0a7634bd57332a63c55832be9e508c465212e563b

SHA512
2a659809ef1c7f64cfe45a3ad720c9f5b0ac2578b2c502fba0fa08f96bfec6e89fad0f9900ed96c0e808b1db360dd6e41045b7603c6885ea37808f4be7a8aa34

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgkM.exe

Filesize
1.3MB

MD5
6a8107d94d54a795d5bab026b84ea678

SHA1
0b11cd8849d151a4b55a3d66eb3e44c51f18177a

SHA256
fa87fa3cb0ad5ecfdba16f10e9a229cf2f791753e77e5338848ce9450f1cea25

SHA512
dbc665832a6dcd0af2fea560bb5e82dece1b2d8abd5ece09988fb81b61247e0c76f02ea2c7094c6c917124b7c5b4237a28c224e93711cdcf361c8599aead174b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIQQ.exe

Filesize
320KB

MD5
cfd9a7cfcf93b64d850b7fcb88a58e62

SHA1
46ee0cad0d111e800acdad72a0908c230ea086f7

SHA256
9f57b8492ce14d6e56fe6ed2a593282b06c6514cea5196cc1853d0fc50e0da4d

SHA512
18786821f7b80e81b9454d814eff9f5fa8005da0a4d3def6032b9ce9db429d6fb4efb4a2de82a1d29750c6158776f153840dd68cc74b986129f8c4a87f9d3883

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEAS.exe

Filesize
212KB

MD5
1358704f6d140dcf65b1f2cd55936e57

SHA1
dff34929d54a277aadb07ac317141d6a515bf49c

SHA256
c241c88586add5abb19fb49dcdfdefcffe107d381034109f8525a90133e4c8f6

SHA512
b34213d0b089c8f6eaf7aa012ea51077b3413439ab913ec7bdaad2d582b2766be9bef43be43f4f79dfdef3340a6e91c4c55924592a928a5fe9c9e446b4f58187

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIsa.exe

Filesize
214KB

MD5
6d05186c0bbc75479b106ed12dc06b30

SHA1
2153468770e148c96b34bab00c21507ab9c01baa

SHA256
139569874cbc88b98c3bed115f97aa0a4c703f34a37565b00da000ba77bc6693

SHA512
a311291cf1fe0bacd4c49507be8bacb1f7c276fb7c1841a1ca16caaa3a82d205c9299bad058eed5fadf9909e4b9d6090befd61d9590a5795ae70f59e089f1f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAgC.exe

Filesize
202KB

MD5
51a948872df1afc5ba41269d8219a738

SHA1
998f53b4da4dbfc1fcd38914362bde2bf76cca36

SHA256
e1d7aa3c5073b88a34bc1fcdc04990484cc90bb2a5dc6eb5cbf133639c51bf7d

SHA512
74bf416852bc700f6f3dc68e03171094eb70c17280aee43f41cbd8c9cdcf0d1707912b8624c10aeeb7b2cb1f0fde424a5991430c55122d51de2c1c680040a63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikYA.exe

Filesize
195KB

MD5
cffb7d1a2e4daf810dd41753ae28f079

SHA1
babe1e16db486f25a4cc2b6b3a30b5806d086bc3

SHA256
6035ed9b30477aff6321ecc511111bfda9ce24d4ed8a4be9459a4c037c6a4300

SHA512
5b369293a7611ca200978d4b3a6f5b1cbcb1f36bf04163780be1066b2a20645f61e9cb51f55737001a379fdc39d37e8927b341d6a3b186160849ee1a1ed81f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEga.exe

Filesize
189KB

MD5
81b804a870a1bce993172c9e9e87cf4c

SHA1
f6681891fadafcff125b2bfe178235ad741654b6

SHA256
780b3ea92453e247b7ae2ce9faee725adfd536fc56e0ad50466d313a44a6c01e

SHA512
171c908b6fc5cbdc214a24d330f81f1bf54311c2b1b72d33a6d55e64669d1f567c6f229cfb06e90090748f52c54926b83cd1de7266ed48addf378d090d5b59ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcgG.exe

Filesize
209KB

MD5
bbfe1b09c402c257c4bdd5221c2c7514

SHA1
621b4ab1e9cf3407d0988f594dde0d5f45916614

SHA256
3abaeceb15b30e583b1ba973dd2dc069a805f982d2fb8b0c9a3c2490bf84f947

SHA512
20426c3ae24021e820043b67ce243c308f891793764fb1561d62a12f67a6758f03b4bcecb36a8f7e76daa4a3be8fc68171fbc8271e6714374d50a88dd18c449b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kswe.exe

Filesize
198KB

MD5
5ab771e50d1b128ac755526dcf16415c

SHA1
93631d712f73816aacdebe44398c4828659cc91c

SHA256
4866e39401e61974130ffa5d3365da3afe7c014927e0d1377267662825b3ac41

SHA512
7ebe17bd3f74fa1136c047dc6fe3510b7cb0375b4b8f273684f51b4dbebdc16ade4f54d2afe5cb1200dc4dc1309e8263f97a944f39ae1f694effa3a29ecd7f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAAy.exe

Filesize
189KB

MD5
8d762c725f8101de4230f8b172e5554f

SHA1
ffb9f86a42b4de8194e9d47275fdb55348051896

SHA256
3f0fcd3b06616ab6d1419a86abb3f7c88f584d5eb5863969e0ebbdafd295ac3d

SHA512
274515c8ce658121aeeb6678e1738b440f0fd5ffaa9057bece1b6c2fa145fa3a151aab379aa3cb1108a0e8eb092ee60eca228b2b1f3216f92c769d3f0b6ddab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIIE.exe

Filesize
1.0MB

MD5
bd8d79c273dde4f643b1da9902ae5c7d

SHA1
088d6791eacbbc79e23af094d021179bd34996e1

SHA256
98ef2907a7255bda218cffde6fec17d3bd43c502401a1bf2718091d5b5c8d98c

SHA512
b8bf527bb57cbf6e0a82b85befa9828225542759f722ba1a83a0489287407a04a903d765b10b1aa042194207c480ef4cd83e91740ae36048fa7ecc99b8ff1ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQcU.exe

Filesize
190KB

MD5
a9c0681175653d916b6240233df61772

SHA1
6a0e0f86c66114d2b5524ed867601f3531d9597b

SHA256
3a031457e9222305e3567afcf74b0a7260296507eb9ffd94c0b992ea94908b09

SHA512
1a092dcf20060bd4d8199bbe4ff40141c05e0fee2f06aa3262719797eb285475edd371505be1b0bd7d05814e10c987f4cb5e8c92ea2a55f157f3fc635037973c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIYg.exe

Filesize
687KB

MD5
a7bce957c85fce088f55b82c8fa98eaf

SHA1
b54d18048600495738bcc163473ace001a8a3407

SHA256
b8dfc1a415f786616b4a1797cc1e55096f7282ce76551dae488acd0a5ab5b447

SHA512
0e247d9f133ebc4267457317b947785f08df854610adba13e00d478b5b81e36826c616af39102c0f52fd0ab7885593e7a83535423cdf32119dd6a09f74d951a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMgI.exe

Filesize
832KB

MD5
a9945cc573b2c587c618437c2f69d4bb

SHA1
6491b698c41e8cf4184ee5e63f0b2a6025512252

SHA256
0e32d07780a2f2e30c87df1e77c520f6f53bc6fccbdef7f2652696467295f199

SHA512
b6a35a80243b9a62e15ed7ef11221bc0c341675a8b06e1e3c0cee492fd6ebff0e87cb1bf5bbdbf0c1d11e8617c0c8100a6c1785ca2923c05faa160cd18b70e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA.exe

Filesize
308KB

MD5
00225a7cb6621ffe249025782ea44fe9

SHA1
cbbf58dd524ef98e42f77e066cc83e6f9fa0ffa9

SHA256
151c2267f5ecdc82eaa5f77d34f096f28e15b43060cbd989363c57abca2316ca

SHA512
76a89938924774201d2dd8a29705ecb1848dff271a1a6e819d457198e9165fe7bc965b173851904f45158d2dd893f416a40bf3f67ad0c5d957a2f76cda1805a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogAy.exe

Filesize
188KB

MD5
9005b2e5d3088e17f3a6cfae0f9fe384

SHA1
02fda026a7acfe051cbad95f45fb9dd5edf75c45

SHA256
cfadb2ab667c5047333fd298d8fd7c7c105f60340aef46d75dd5ac43bc268258

SHA512
5bb37b8e28c7d0bf92f26c476211d0460f6eee14747a31b97946f827e770810f37a5d51d2e53c73bd23466a670521840ce84fe5797b486736c754365c777f407

Download Submit
C:\Users\Admin\AppData\Local\Temp\osUo.exe

Filesize
785KB

MD5
214b9c09784a2aa132830f74e28c084d

SHA1
b4957e0beb325671d2fbfc3cb34f6c0c19cffc9c

SHA256
6d60a6eb9a756f9d4b9267b36b2daba0b6b2a3087e3d01f4ddd7e355ee8234f8

SHA512
475de090c3eb9c6924be7084a054f5d0dd26afc4c934e9fbf1b2a935785af247af45b1c00e92c3d9c695524eac2b7a100f6111929327b31475ff3ae88f30b8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYgY.exe

Filesize
1.3MB

MD5
20bb22838b7dad0d9e955159e7b92e2c

SHA1
b943e9c93c4cd7a8ebf95fb5e9b2856ce2154fb4

SHA256
9ae4d7964c8ab0a10d30549654cce8602ae5c047ea47a17f93441004a2b23ce1

SHA512
45ddb4117776ce93f25a86c83a3b6c17080eeef11ce9a1ef6887310952aa78bd0a63c01e7b9f4cf602998947174b46fd4c4fd03de4e139642ad29090035b0662

Download Submit
C:\Users\Admin\AppData\Local\Temp\toga.exe

Filesize
220KB

MD5
989b0b2ad2eddc90b4d07ef27d740364

SHA1
08e781656d9da5059c61b85322f49a3e38543137

SHA256
687786a3002019890f026933e9d8999411436f3da35356568ba80e889a04fb66

SHA512
88ca2be69a171da400305fef00ccabd91005eacecf26ed503cf0c50f0c064529f8cbb1cf238a406e9a045a739c621e7c84541483fdad4ad1f08b98a4a0862d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEQg.exe

Filesize
194KB

MD5
0c0aeb1a307f3958870a1197ff836796

SHA1
3ccd7c0d5665c06cee885c354161487351b7b070

SHA256
b1fbd8a5e6f9433dd4f704f1a1f9246820a92d325648b4aec6c829e1adcf604f

SHA512
0601cd07b53c027f6e56c5d47b04cf1e744d02b471137cb5b263490e8db1f734eda3d394ddffa9c50ff1cbf9be9c8af7aa180507b5cb36badfd5517007562c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkMo.exe

Filesize
5.2MB

MD5
2d31286a318f6bec6f95cf124ac495a0

SHA1
33765e91e943dfff4d619dae00dcd0f2dd976b9c

SHA256
aa3e965aeb9ef5954e60ea3f3dcaf101075d81ad523383324979b5468ad53a36

SHA512
0fe4cef7eebbeed841ec00cccbc0aa784f68cb5d3b266b5e33d985953bf00522e76dc8617e6ce186f3781d30d266887561e3dfcb31c6431b65d5a93287bd7aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQG.exe

Filesize
800KB

MD5
d8ae358eb89a688d7d8bea3f458c8d2a

SHA1
7bcf93718430885a8bc1e21f4e3986fb258680d6

SHA256
9dc5126c5afb3219f8676b20de7764f9cb0022578fd55676a36084305e61ac63

SHA512
6d00dcbf38bb72928835f640cba65025e7ca3921ba50fcc2ed18650e8e5e1bf1cf0462ad9e1543c9a954a4a4c040d2d0db88cab1b6e0b63f3a82ac2de7742d39

Download Submit
C:\Users\Admin\AppData\Roaming\BackupUse.xls.exe

Filesize
499KB

MD5
d79de24eed8b382147452dfdad17e4b3

SHA1
7b45b454fe3559c35c67bdccf841eeb9ba16cf15

SHA256
4d9a4ac3048f8263bf37f5536169e9142e6a0c895879c43e9744793075849044

SHA512
35f8f066fefaf2388a302fd727a3ef4c07cb8f1f24c13bdf903cdc0684f29fe1ac8af0a58d73d98342becc66422259e9a2f5542b811606545c4d07976bb229e3

Download Submit
C:\Users\Admin\Downloads\ImportUse.png.exe

Filesize
1.1MB

MD5
f9e17ea22841c135ca2ff992becb6843

SHA1
5e0fbfc4b91dcb2b355f2ebb6bf8eee6903f61bb

SHA256
f2fd91bbdbac837dcf03b93718c1f0a5480b4dc08de63daf96da2e6deca6f690

SHA512
7d7ba1b2cf0cd6625bc6584729c95744bd9f749157fda27eff4010e69c1d414630f95cb33ff11b90f03506d4a49dc40395e56b61d7a1f7b8cad0b5293e2d0641

Download Submit
C:\Users\Admin\Downloads\SearchComplete.pdf.exe

Filesize
962KB

MD5
216593dc098bea35d2af448a4f867f1f

SHA1
ad5d759e6a165d8113623aff98a556be8a992ee9

SHA256
eb257eb90dbd2438b3e61be49fb159f524c325135c694a612d626689914fdb08

SHA512
23d6358e599b48c81a14a91499cd6b2c6e9f5ec987f8f5a9b9244d3470f5426a8060fe05acb414bb5210461dbb5d33836265e2659b86acb73f685ca4453bc00a

Download Submit
C:\Users\Admin\NccgwUYs\KEUwIEIw.exe

Filesize
185KB

MD5
b58a4996b3906a4e72544912e79ac5f1

SHA1
50662227054df40e040057aca7163859d54866d1

SHA256
53de84eb431de858af8f4c2937372c1b9309b4765e900dc093bf9cf4a7930518

SHA512
8e210c5222ecf2adecfafbe3c5965e30f9bb06c2a6aabc3f0e7ead5819986e6ac68ca48f1c993e788df49139ef852fe688b6fb386d1551c4d856bacb608d1b7f

Download Submit
C:\Users\Admin\NccgwUYs\KEUwIEIw.inf

Filesize
4B

MD5
393c7cc8c738b1fdd4240375881a88a3

SHA1
fdaa07f8e555d251e3b22749ef0c4823ed457d26

SHA256
c24b235c45524cf92065e4837f8ba08509edcb359d483698ad969402c7a8aafa

SHA512
416b7771e0d04c70d29f8cb7d55154e6405e6cbe0c05999634f10916adac00ee21ec71794870310193c84c4128d22277e4c0d5f80834034d84421e84015b9c32

Download Submit
C:\Users\Admin\Pictures\GetSave.png.exe

Filesize
1.2MB

MD5
7db2fcee81b4899cf987010c6262d2ec

SHA1
516af5d0ef7a6a32594877d0a66d014925dfe227

SHA256
1c476852b0b92430fadcf85662e5336587e5a040a885cb940856056c03cb9b3b

SHA512
59d58ddbd78ee7f2c69aa615bc5cca476849cab4646b54de9647001dcfe883f96618fd50533e72486a31a3e61c7dbf370db650654058458e7f00343639e32fe3

Download Submit
C:\Users\Admin\Pictures\ShowGrant.gif.exe

Filesize
642KB

MD5
66ca70a03f16b5901da90ef5f9b56cfd

SHA1
31c8beaed3dc0305d7f9e11a570ace9927346635

SHA256
214321f52a98841e5184411d4254e53f22cf0b11c688df908a3efc21df93aef0

SHA512
69d83a42575b77639da516dd35b48fc624219a5fefd4361f47b5c3e285d83b546855d181b460b7173f8cfa79df59614c2ba47b6196d4e057c344ff4342837a0e

Download Submit
C:\Users\Admin\Pictures\SubmitLock.png.exe

Filesize
926KB

MD5
2704bd9b292fa054d6afeb6bb43fb101

SHA1
55abd299df8ec9b75250e20261db28285924e718

SHA256
a3f5c1f62c93063ce27ab21d4bc7e691ed42aaef2063c8173d97a25087033a59

SHA512
dce8ec5884fc573b1023ded85a06ea02b134d74bc6d92cf4eb1122878b50747cbff1b1c8e2012bcfef8114304c0d00774e6daf3645c2dfb1a0615b1fa3493200

Download Submit
memory/332-176-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/332-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/740-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/740-78-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/768-371-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/960-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/960-219-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1076-243-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1076-228-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1076-117-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1076-101-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-67-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1256-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1420-81-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1420-93-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1436-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1612-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1936-361-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1936-353-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2196-377-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2196-389-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2380-33-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2380-43-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2644-397-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-321-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-333-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3120-287-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3124-188-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3124-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3124-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3124-210-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3192-180-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3192-163-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3248-154-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3248-140-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3352-380-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3552-278-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3696-113-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3696-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3768-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3768-305-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3960-89-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3960-105-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4196-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4196-220-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4272-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4272-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4448-32-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4480-283-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4480-296-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4524-385-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4608-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4644-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4644-342-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4688-312-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4688-325-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4740-244-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4740-259-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4952-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-301-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5044-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5064-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5064-133-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download