f71df94cb7a60777ee2c105d8f9fa10772ad43a36f9f9d013026704b809c96de

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
Size

200KB
MD5

1c323571263fae709a03a787aa4416aa
SHA1

1b4ded050e06e6f69673fe58bca449463dada9d6
SHA256

f71df94cb7a60777ee2c105d8f9fa10772ad43a36f9f9d013026704b809c96de
SHA512

7fb6dec1950b29c37338712cb19155c3bd7b1ad67497900489dea54d63dc9e89daed4506a89aba2d5503a30040a92b5b64aa4378b7e920f7a055ccbf07ad2efc
SSDEEP

3072:r1LipdLEQcDFjVPKvFd4jxHMgcosvFSZjLxMmnWmjEChTBs3/JEZb2SWi:r+LEQyg9OpAF2LxxWWEChTBsBanWi

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (86) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	fckUEYQA.exe

Executes dropped EXE 2 IoCs

pid	Process
5088	jiIAcMcQ.exe
3240	fckUEYQA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fckUEYQA.exe = "C:\\ProgramData\\KGYwIwgA\\fckUEYQA.exe"	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fckUEYQA.exe = "C:\\ProgramData\\KGYwIwgA\\fckUEYQA.exe"	fckUEYQA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiIAcMcQ.exe = "C:\\Users\\Admin\\TewMUQYc\\jiIAcMcQ.exe"	jiIAcMcQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LqcMokAE.exe = "C:\\Users\\Admin\\WgIgcAYE\\LqcMokAE.exe"	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sMUMUgwI.exe = "C:\\ProgramData\\kaoYoMEk\\sMUMUgwI.exe"	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiIAcMcQ.exe = "C:\\Users\\Admin\\TewMUQYc\\jiIAcMcQ.exe"	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	fckUEYQA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2880	220	WerFault.exe	1728
4628	2192	WerFault.exe	1727

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2784	reg.exe
1240	reg.exe
4376	reg.exe
1536	reg.exe
4628	reg.exe
1964	reg.exe
2484	reg.exe
1564	reg.exe
2052	reg.exe
1068	reg.exe
3720	reg.exe
3756	reg.exe
2868	reg.exe
732	reg.exe
1736	reg.exe
4744	reg.exe
1028	reg.exe
1964	reg.exe
3876	reg.exe
1964	reg.exe
4080	Process not Found
4112	reg.exe
2912	Process not Found
2956	reg.exe
1704	reg.exe
4600	reg.exe
2564	reg.exe
908	reg.exe
2444	reg.exe
4660	reg.exe
3224	reg.exe
5048	Process not Found
2480	reg.exe
2896	reg.exe
3968	reg.exe
4080	reg.exe
4104	reg.exe
4712	reg.exe
3304	reg.exe
5024	reg.exe
3720	reg.exe
2652	reg.exe
2196	reg.exe
4604	reg.exe
3464	reg.exe
2392	reg.exe
2236	reg.exe
444	Process not Found
4984	reg.exe
2316	reg.exe
3024	reg.exe
3612	reg.exe
8	Process not Found
3272	reg.exe
3180	reg.exe
2564	reg.exe
3712	reg.exe
2016	Process not Found
3224	reg.exe
5092	reg.exe
1496	reg.exe
5032	Process not Found
3108	reg.exe
3488	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4188	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4188	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4188	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4188	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1164	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1164	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1164	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1164	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1544	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1544	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1544	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1544	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4312	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4312	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4312	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4312	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
2612	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
2612	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
2612	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
2612	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4692	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4692	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4692	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4692	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1664	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1664	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1664	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
1664	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4552	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4552	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4552	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4552	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4212	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4212	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4212	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4212	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4660	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4660	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4660	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
4660	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3824	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3824	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3824	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3824	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3532	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3532	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3532	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
3532	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3240	fckUEYQA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe
3240	fckUEYQA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 5088	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	84
PID 2244 wrote to memory of 5088	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	84
PID 2244 wrote to memory of 5088	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	84
PID 2244 wrote to memory of 3240	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	85
PID 2244 wrote to memory of 3240	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	85
PID 2244 wrote to memory of 3240	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	85
PID 2244 wrote to memory of 5048	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	86
PID 2244 wrote to memory of 5048	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	86
PID 2244 wrote to memory of 5048	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	86
PID 2244 wrote to memory of 3588	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	88
PID 2244 wrote to memory of 3588	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	88
PID 2244 wrote to memory of 3588	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	88
PID 2244 wrote to memory of 1028	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	89
PID 2244 wrote to memory of 1028	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	89
PID 2244 wrote to memory of 1028	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	89
PID 2244 wrote to memory of 3720	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	90
PID 2244 wrote to memory of 3720	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	90
PID 2244 wrote to memory of 3720	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	90
PID 2244 wrote to memory of 5112	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	91
PID 2244 wrote to memory of 5112	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	91
PID 2244 wrote to memory of 5112	2244	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	91
PID 5048 wrote to memory of 1720	5048	cmd.exe	96
PID 5048 wrote to memory of 1720	5048	cmd.exe	96
PID 5048 wrote to memory of 1720	5048	cmd.exe	96
PID 5112 wrote to memory of 4624	5112	cmd.exe	97
PID 5112 wrote to memory of 4624	5112	cmd.exe	97
PID 5112 wrote to memory of 4624	5112	cmd.exe	97
PID 1720 wrote to memory of 4712	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	98
PID 1720 wrote to memory of 4712	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	98
PID 1720 wrote to memory of 4712	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	98
PID 4712 wrote to memory of 4216	4712	cmd.exe	100
PID 4712 wrote to memory of 4216	4712	cmd.exe	100
PID 4712 wrote to memory of 4216	4712	cmd.exe	100
PID 1720 wrote to memory of 2164	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	101
PID 1720 wrote to memory of 2164	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	101
PID 1720 wrote to memory of 2164	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	101
PID 1720 wrote to memory of 3920	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	102
PID 1720 wrote to memory of 3920	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	102
PID 1720 wrote to memory of 3920	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	102
PID 1720 wrote to memory of 2328	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	103
PID 1720 wrote to memory of 2328	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	103
PID 1720 wrote to memory of 2328	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	103
PID 1720 wrote to memory of 3132	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	104
PID 1720 wrote to memory of 3132	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	104
PID 1720 wrote to memory of 3132	1720	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	104
PID 3132 wrote to memory of 3292	3132	cmd.exe	109
PID 3132 wrote to memory of 3292	3132	cmd.exe	109
PID 3132 wrote to memory of 3292	3132	cmd.exe	109
PID 4216 wrote to memory of 1888	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	110
PID 4216 wrote to memory of 1888	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	110
PID 4216 wrote to memory of 1888	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	110
PID 4216 wrote to memory of 3712	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	112
PID 4216 wrote to memory of 3712	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	112
PID 4216 wrote to memory of 3712	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	112
PID 4216 wrote to memory of 1828	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	113
PID 4216 wrote to memory of 1828	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	113
PID 4216 wrote to memory of 1828	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	113
PID 4216 wrote to memory of 4660	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	114
PID 4216 wrote to memory of 4660	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	114
PID 4216 wrote to memory of 4660	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	114
PID 4216 wrote to memory of 3084	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	115
PID 4216 wrote to memory of 3084	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	115
PID 4216 wrote to memory of 3084	4216	1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe	115
PID 1888 wrote to memory of 4188	1888	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\TewMUQYc\jiIAcMcQ.exe
  "C:\Users\Admin\TewMUQYc\jiIAcMcQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5088
- C:\ProgramData\KGYwIwgA\fckUEYQA.exe
  "C:\ProgramData\KGYwIwgA\fckUEYQA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4712
    - - C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        8⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        10⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        12⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        14⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        16⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        18⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        20⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        22⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        24⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        26⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        28⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        30⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        32⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        33⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        34⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        35⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        36⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        37⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        38⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        39⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        40⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        41⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        42⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        43⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        44⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        45⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        46⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        47⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        48⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        49⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        50⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        51⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        52⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        53⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        54⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        55⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        56⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        57⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        58⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        59⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        60⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        61⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        62⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        63⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        64⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        65⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        66⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        67⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        68⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        69⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        70⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        71⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        72⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        73⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        74⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        75⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        76⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        77⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        78⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        79⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        80⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        81⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        82⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        83⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        84⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        85⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        86⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        87⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        88⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        89⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        90⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        91⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        92⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        93⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        94⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        95⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        96⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        97⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        98⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        99⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        100⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        101⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        102⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        103⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        104⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        105⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        106⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        107⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        108⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        109⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        110⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        111⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        112⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        113⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        114⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        115⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        116⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        117⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        118⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        119⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        120⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        121⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        122⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        123⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        124⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        125⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        126⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        127⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        128⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        129⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        130⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        131⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        132⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        133⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        134⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        135⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        136⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        137⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        138⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        139⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        140⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        141⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        142⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        143⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        144⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        145⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        146⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        147⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        148⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        149⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        150⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        151⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        152⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        153⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        154⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        155⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        156⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        157⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        158⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        159⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        160⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        161⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        162⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        163⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        164⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        165⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        166⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        167⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        168⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        169⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        170⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        171⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        172⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        173⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        174⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        175⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        176⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        177⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        178⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        179⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        180⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        181⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        182⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        183⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        184⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        185⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        186⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        187⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        188⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        189⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        190⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        191⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        192⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        193⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        194⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        195⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        196⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        197⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        198⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        199⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        200⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        201⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        202⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        203⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        204⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        205⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        206⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        207⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        208⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        209⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        210⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        211⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        212⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        213⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        214⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        215⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        216⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        217⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        218⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        219⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        220⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        221⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        222⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        223⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        224⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        225⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        226⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        227⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        228⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        229⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        230⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        231⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        232⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        233⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        234⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        235⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        236⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        237⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        238⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        239⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        240⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        241⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        242⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        243⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        244⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        245⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        246⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        247⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        248⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        249⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        250⤵
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        251⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        252⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        253⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        254⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        255⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        256⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        257⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        258⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        259⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        260⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        261⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        262⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        263⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        264⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        265⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        266⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        267⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        268⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        269⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        270⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        271⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        272⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        273⤵
        Adds Run key to start application
        
        PID:4716
        
        C:\Users\Admin\WgIgcAYE\LqcMokAE.exe
        
        "C:\Users\Admin\WgIgcAYE\LqcMokAE.exe"
        274⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 224
        275⤵
        Program crash
        
        PID:4628
        
        C:\ProgramData\kaoYoMEk\sMUMUgwI.exe
        
        "C:\ProgramData\kaoYoMEk\sMUMUgwI.exe"
        274⤵
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 220
        275⤵
        Program crash
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        274⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        275⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        276⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        277⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        278⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        279⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        280⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        281⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        282⤵
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        283⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        283⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        284⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        285⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118"
        286⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118
        287⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        286⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        286⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        286⤵
        UAC bypass
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        284⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        285⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        284⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        284⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PugYAMok.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        284⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        285⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        282⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        282⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        282⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYckYAAw.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        282⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        283⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        UAC bypass
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jswockkc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        280⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        281⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        UAC bypass
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGcocwcs.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        278⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        279⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyIcosME.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        276⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        277⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKgQYEcs.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        274⤵
        
        PID:3752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:2804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oaUMUkUs.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        272⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:1800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        UAC bypass
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaAkMAQA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        270⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:3628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUwgkkEU.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        268⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:2196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMoMIcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        266⤵
        
        PID:3876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqgcgoAw.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        264⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:4960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IooMYgAY.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        262⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        Modifies registry key
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuMkEsYI.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        260⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWQEMUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        258⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:1372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKUAIIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        256⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faUEUgoM.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        254⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LicEwQcY.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        252⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsoogQAo.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        250⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        Modifies registry key
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSMwYUAA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        248⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CascgMQs.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        246⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsUIUAAI.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        244⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAsIcgcE.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        242⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWYkkgYg.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        240⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWsgMMcI.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        238⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCMokosw.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        236⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYUAEgYc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        234⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoQMcoMA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        232⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKMAQQok.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        230⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIQIIMko.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        228⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKsIwAkg.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        226⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQcMsAos.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        224⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIckMMkA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        222⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeoQwMwM.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        220⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCkYYUso.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        218⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGEoUEgA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        216⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQEYQMso.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        214⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGcYkcgE.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        212⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diQoksww.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        210⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        Modifies registry key
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCwEMsoE.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        208⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqsoMkAk.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        206⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYIoMwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        204⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgwowkwA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        202⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQMIYYwo.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        200⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JisIoYcc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        198⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAksAIYg.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        196⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\figUEwEg.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        194⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsQUEUcY.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        192⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqIkAkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        190⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkwwMoUc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        188⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGgwQkos.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        186⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMYwAsEA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        184⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGUAQIgg.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        182⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwEwEMYw.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        180⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQEsMYkc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        178⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcAEEocU.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        176⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKIgMoEg.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        174⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OacEwEIo.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        172⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziUksIkE.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        170⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQQkYkYk.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        168⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\veokwIMc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        166⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocUEYkYI.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        164⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCwUUEgw.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        162⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoIcwcIc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        160⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        Modifies registry key
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoQcwcoc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        158⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKskMYog.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        156⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCwUgUYA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        154⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUUEAYkk.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        152⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies registry key
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkYUMMAE.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        150⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skEUoUII.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        148⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGsQAEos.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        146⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsUYkcwc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        144⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        Modifies registry key
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKkoQgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        142⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOgMIwYU.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        140⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkgwUsMA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        138⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwIMIocw.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        136⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEgQQMcM.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        134⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwEYccsw.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        132⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWQgYEQE.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        130⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMwAAoog.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        128⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGkokgMo.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        126⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOsYgEsg.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        124⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqwQksEw.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        122⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiwMkIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        120⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeEkMcMc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        118⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEoIsAow.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        116⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWoQkYwc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        114⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUUQEcwM.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        112⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgUAQQkI.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        110⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKcgUgQA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        108⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQAkYogw.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        106⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyAEUEYU.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        104⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSQQYIkA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        102⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWIYQIcI.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        100⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyIUAggo.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        98⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsIosEAc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        96⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQoEcMok.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        94⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BucMMAoU.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        92⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImIIkQok.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        90⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGAAEYos.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        88⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqoggAAs.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        86⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CycUwwIY.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        84⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWgEYgwM.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        82⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYcIkUck.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        80⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCgokcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        78⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DegYcYkc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        76⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        Modifies registry key
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqoYkUQA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        74⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsYIIkYw.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        72⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGMIYMAI.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        70⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqEskEUc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        68⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NakwgkYE.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        66⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dagEMUYY.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        64⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsQUkwIA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        62⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\recQgEgM.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        60⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmwAsIoI.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        58⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIkwIgEg.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        56⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OegUMQkU.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        54⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSEwoosY.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        52⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeQccEAI.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        50⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEkMwYoA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        48⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        Modifies registry key
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKYsgcQo.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        46⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEIAggoM.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        44⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGsYoEUg.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        42⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImcsIkUA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        40⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcwwMEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        38⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DikEIQQc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        36⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biooocwg.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        34⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAgUoIAo.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        32⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DccUoYYU.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        30⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmckwwso.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        28⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akMoEEsY.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        26⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECUsgwgY.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        24⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmQYMEEs.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        22⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuUkQEsY.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        20⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEwQkEEY.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        18⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqkQYsoY.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        16⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcAwIUYA.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        14⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOssYkMU.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        12⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIIkosYo.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        10⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCAEEsUc.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        8⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4796
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3712
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1828
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POUAUsIk.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
        6⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3704
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3920
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSgokUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3292
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3588
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1028
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZewQsQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 220 -ip 220
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2192 -ip 2192
1⤵
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KGYwIwgA\fckUEYQA.exe

Filesize
199KB

MD5
822e32b273ba805b7e9c486117c4e7fc

SHA1
647449e09f0796068e40e3a91baa283d66b98aa2

SHA256
f0fe9d745f15b89e6dd929e2d6abaf62a7f492e9fa59d5c793e4dbd6627fee60

SHA512
9324e228325aac9950ee02e75bdb992ab8400a7c209be03d8c6417eaaa4b21636d3ea700f71ab2a0abd8a8ca555cbb54907c08fdea2b8e0fa3adeccc307685f4

Download Submit
C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe

Filesize
799KB

MD5
15bbf0121181f83a628fdd41a776597e

SHA1
2251709fca6192a8263594b31d52abe13ec3cf9e

SHA256
72c5a9796bdde54107c34dbdcaf0c9e7fa187fbf5caf9e5799ae07a20039b365

SHA512
8a0a139854bc5d8374664e9468be983aaa59be03978d7ee394884b09507171d8d4ee4492e442cf74c461e81a6c8c7379b424b6625aba9d5f1c222aa885b14215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
207KB

MD5
2873f1001656b787758e43ebd07e411b

SHA1
dae8fffdd1fd8c1577ca25252191668afb2abebd

SHA256
81c68a58a57c4bf2c0d1340d2144e21f2390a06973ed93009d9a82d846169d0d

SHA512
beff7e3a19e13c3053610c8383b113c82ddddf295da03685a7e46f0d5bcb0b79540858ea44624096f50e301aa87b619f25ade166da2f7435df3f70513bb9da15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
192KB

MD5
90c9acaf0df1d953c010721382c45cfe

SHA1
41e0531bf75e6069530aaf7138aca75bb0ae0430

SHA256
c0b8acf2ce1634146172367c271fd5e613b34f31d0cd3fcfd1762173242e7057

SHA512
ed0ed79cd932aa09b15c7a1f6fb5ea64ef0402fabac961c5ee5c455ae88956bbbdc6fa900deb45f78a2ae07334c93fe8c0f3dd9ed91a798bb3e1fc7e971ca43c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
204KB

MD5
e202fdebe135701a11e41fc0aeaf3cf8

SHA1
789ff33824686974932c358254f8aad2d7a8f3ff

SHA256
0baefae4f2ad116560c75a852bf15ce183efd6ec0198a320451bf7898e073a01

SHA512
7dc07eb4a071ef1d52613c74f6916907c778fb9e70dcc3735eac1ae496bcee7e09c0f2fc2049fb7a43fe623bd6ddd4740a471db9714b0d67cc6db158b489b3bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
188KB

MD5
e31d43211e9f6e608e9178923d113035

SHA1
d3a0dafe87ab85e3668d66cf0fd9f30d3e0b92cc

SHA256
fcf74b488cb8200316d50d43b40e45af97c4cb7b296777ac52d12001fca95f4f

SHA512
1045f29a86258345515a4a8b617aee7c2f8e88a4ccb991786c26adffe3bb3be42fad208598a19f9bf1883f3828ad095c284003eb3034accfadf1aa134fdb8f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c323571263fae709a03a787aa4416aa_JaffaCakes118

Filesize
5KB

MD5
6046e7427262489da216eabfc11c6f89

SHA1
f72a1719cd25c94523f1f209e324b1b1d2e873a3

SHA256
5643f600ab421c525797dda085143c362e6d0dd5601de0c10068fd625879bc3c

SHA512
76059d1f1e43b5db026fa330ccb66c161371d5b378991e1f48d344e29605ac8cb8461fc436cd100271f52017763ee568db08d17f7a9d662be1e204408807fea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAIi.exe

Filesize
1.7MB

MD5
92d3f781b2afb6cd8803599a7bbdfb9b

SHA1
026ec2b7247a8b9ca686f4a204ecfac2e0e8815d

SHA256
420fc59340df045587977fe0e7392c0d11b94665e88948b2ffeeb0840eab000b

SHA512
b37aae9aedb9a5fbf61dee2705e440d30e35b6e4209389979bf92343a8b01f0c003fc05afdc2ca032cfe62511a159c2df4284b07027992fec5cc4a7bc00564b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcAi.exe

Filesize
186KB

MD5
9de296a8c845ecc1b5e1cc8858287a5c

SHA1
9e77f12a3fdf075c0d4b8344b2a61d22d7df94d8

SHA256
1c3a0bb66cdaf05b507500b516bd31bcab08e43705a331d60a45b75b614375b3

SHA512
fcf4277d18a233f361be25e2169d8fa5147918578cf516f949052ad81185b57656daee39f00e2a282219e3aa2e5baa08bb8e9d432668d084c6fb29ca9fc540ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgsI.exe

Filesize
636KB

MD5
60d464daeb4575de04fef556cd5c6cb2

SHA1
96f63e5aae8548d9b4878dd261c5bbd47ce0a49b

SHA256
81ff48e0122e61b368c2d36097805bad32cb008859d891cae61504ef971e3d60

SHA512
07724052b10c6d93ab8ca9ede35bfb8599e0374de23d8704eddf0fb6faa63c056772cae7959299bc5e9444646080e319be37f3efedc93bcfa06d5f10f110414d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aoku.exe

Filesize
218KB

MD5
7767f888a241f82581d5bb51cf75c52a

SHA1
a02c2a6685f90d5332bcb0b66aed34fb4bceba30

SHA256
f9d22faaf496a25e0d781f4aef2d19a17f7b08e34a00328d730945cc5e8b384c

SHA512
97396b8e142f4779e4805c601a10d6f1469c63aa45b8b117fc2e38ebbd7c39459ef4dea15280e86e2d052beebd8b6ae2ad15f5f96df5b46257bde9ab9a2e8ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsAC.exe

Filesize
189KB

MD5
008c778f7dde16c2edc66df41bef6a9e

SHA1
3f491205e499e7fa892a3b2e56fb0d026b80c7ba

SHA256
6de65f58197d0e08166d94a0c325531a24a64aaae51916a2b94ec1f91590a4d2

SHA512
d70fd47d7cccd84e1070ad5152adf7fdd5106b646dc84bfa97707ce0709e65bdef29c5a6cc12c9c5cf02872ab1d8815924c2f168e38ad44cf7767830542875a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CogW.exe

Filesize
852KB

MD5
425349df52729ea602935f49bc131ab8

SHA1
b488655169e134e89036612b097a9a421b2eaf58

SHA256
527d9e8e987146516098820249e0185c6889df6521382bee358daad8517d8055

SHA512
281b203c92cae5f194ba9f23ab3fbbcec809b81c8e0c983ae2620ba363e6c1adebb3290977e197d55fae85f2ce24c1e0787fa195f242e4bab5a8f4600c376b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\CskO.exe

Filesize
233KB

MD5
6731599e096af23c6caed5ba21cc6616

SHA1
60b0a742c21fbf05dde6c42ba5bcced6b3b5e3e7

SHA256
125056007fa77f34fd4b7c1ccd527755039309659a24efa48c92b04d4b782333

SHA512
d8df7fdb429c797e1662040b1bce84085052ff56c47993285077c1ec1274f3a6218b3c41faf6593154571acaae7d725953789d1289463ae9ed00ce563c813d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEk.exe

Filesize
793KB

MD5
a400a707b051809eda9a786020ba348d

SHA1
5963894cb0c58fab2c8d0ff9cc9ecaffe2536381

SHA256
fffba3a726bc13d78004d33c88fb4a9becd09c21e32945a7d30a77e41e5f386e

SHA512
b43fc378b1ac23f5096b9c55a09dbe16fd47355153d447b62c22d8db3a681094a771194aaf5c2ad830c5eb7be9c3ea24da03d7e3e7c59cc19283067fca460b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoMO.exe

Filesize
200KB

MD5
a797268b8075799df9b0ee8660534ea1

SHA1
11e6fbee2d2872f2c8c2b2af3e9abc9e59f45b3e

SHA256
c100d64168dfe65b9938f4c38f43273020feb1803a06ace08b07621639ec3efa

SHA512
8dc944bfa8a49c61b8406b95639853183eb294de012721a8b734a5cde31cdb8118f579e4cd5a520386a7f0bd75931fb1d8b3d33d19c5211e741114cef21c029b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwkQ.exe

Filesize
203KB

MD5
31b4d7fff8d75a53ef80707c29aee49d

SHA1
ca46030b1d9089a11d04f85126a31c794da61712

SHA256
4b3d1510a13dfe0500a917e3fa594d36191c7dfaa78c91ae79e46a28bbd3480d

SHA512
04b437daad7bb267b8114ecf3bf29d10fdc8eb84d07cffa6cd90990a6838c0cd61490ec824677740f6d83e25844f5a1c72b263d6f352f4360a1185ce5083eddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUcy.exe

Filesize
199KB

MD5
aac5e369feae6dd1cff99fc5fb8ca6af

SHA1
ff3801c6ccfda721f4690b4071126d618003ea1c

SHA256
62c6d8d5c2d8fbb9c71b406b351d9ebcd59bdf738b656489f43b604e6618cda3

SHA512
41d1559b7b847af414cb93e3a6d35206ce2fd0e9cfdf5cffd0b98495169733f8ee31a7e9b4b1e7a1407d8ca1f7f80d536b149ed0387532df64e89940edfb55ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkQq.exe

Filesize
415KB

MD5
9de88367fec1d9cad83644057398683a

SHA1
981de8f31206f97719c6b166ba38efdbfa41d183

SHA256
211966b117eda9166800ccd5bd79bcbe0cd93ecb65900574abd9a800614b6f7a

SHA512
3431ea1a8f0220d5bc1afaeb5eeb15c07e3b3a961493e8da9643d662468b606524c393a71054544ac68e86b499abefdc29de554b15d7fef0abe110712118a30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAwi.exe

Filesize
203KB

MD5
49eb5a02a47039406d1dc90d853406e0

SHA1
9555795607a677340868b0c402454c9a9fbdaef6

SHA256
595a5fc51e60affede33a18e14ac71aac708ed30ff38b3324e3324c197893172

SHA512
cd87546561dbe04c1f81b6f02106b55355221a226b42927e0ef383a41c1a623061045b663ae1687f6e43cf1a1aa494eaf2fb4346c913f1c90e377e44bfee5f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEAg.exe

Filesize
222KB

MD5
7deee0bf70bbdc6ee4c820ee41cc4188

SHA1
2fe47e29dbef07423cd3321bef97b9f51c36d120

SHA256
95339127488087613ef2d8929ca9bae63dba9b31debfd2ee7b52e87997868c17

SHA512
a461a2eacf02a69f16d6d79c25f130c33f0973d02b8c70b56ad3780c5165b21a36e46fb2343b104d67048f9d6061374b226be1f3cbc6286715ce522411526dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMQE.exe

Filesize
203KB

MD5
153ff8674f7c67ef584033bfb28f56db

SHA1
17b36ac7ace5468a093d9a9c04f989cbda30b78f

SHA256
0db1ea9eb2e5bdd4b7519de4895941c873189a9bfbd06a93cf5072ea8e4fb9c2

SHA512
1acaed5a034e2afe343c3506221be90374066b277697111d7f779b1ae30241bd9ef314666b367569a9e0af3f42e86c4523d39dff4dc30017f1825fb7ad710c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMYu.exe

Filesize
189KB

MD5
a61da4d7614cb10ba6ab12ab9bcfbda1

SHA1
2d62c5256e0577006346a542b4a105af9b0be2cc

SHA256
de91d126a3b4ba4ddcbf31f01102a85160ed477540940bd2c8ffa338481bdad4

SHA512
cef7c55a1dddcf9ec5a45a8059d6cc8136ef4a9560a130ebf73cf71157a362b2dcf00cecdf0b690c17e4547cc5ad8d66d257cacd52c4e014d66789c05b6b9ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQwa.exe

Filesize
194KB

MD5
ed304850c14a2996a77122f331f17af2

SHA1
ad0435094ef0dd1bbda5cb57d609fd7021ba2a9d

SHA256
8aa1994d4c4aeb2e8c0f22f2be045d64f1f310f2ffbd849ddb83951f8194e09f

SHA512
1eee907e8894d32b160155e109fe9354cf29c62ea45968f12892cceeda02da6eff3240e0f8d22911fcb75d26644cb453acbc4aa1792692a8119e9ea5c00c1922

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUEy.exe

Filesize
183KB

MD5
cdaae09266353516ddcda8e9f10125c1

SHA1
e57e17993e3a80f09d7e359689a3559cd2f47e6c

SHA256
ff3df9bcc31c664f4d0daab04cfdce31ff64367154e9c07a9b070ba797b0b2c4

SHA512
fb4588d87bec581eb92c1a611735bb0ff4cd249d9a5b2fd38847fdc65033e81e530fa729ade9e76cb0b6a5ceb1df47b15ee87f0b270f8712fe29b523ffb9e13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgco.exe

Filesize
231KB

MD5
cbcaa1bdaea6ea056e8013cf3c100874

SHA1
db90de9e04ec7041a500dae6701d0908c3aa0a76

SHA256
bd84fcf0057cf749d7e0f419e07f85fb444c33ab3121e5517391349154516575

SHA512
4eaaf4646454495e64a92a6a2bbb87f1a2c8b2b4d876a7849f44804b31e902712b4bfa670ccfd4a1f4950a62ee2c606011497bde92273bd74273b7f3ab3deefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kggw.exe

Filesize
192KB

MD5
ae02abdf2adf70526d1ad1b43725522d

SHA1
a233a0862a47e40842a707f1f9a7b1ff8ee2ca82

SHA256
0f3f4fea77f9d9c75ea38a820f44a4b81471a9a09d2843516e7af20f3c2e07e0

SHA512
15bdd8b7e0abc1fc7a8b80134eb45c72dc9c7c913c38a977f0710f334888f6c022b4bee41bf2dc876695caf9d77b135801de4b17b53897b94be7afdd84485f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoYO.exe

Filesize
185KB

MD5
5c533a101d78c8a3274a5fc821dc41e0

SHA1
ae2f56e8b24e4858cd82bdefef49b7409ea8a821

SHA256
38c449eb381f4f40088aee8a78a89809380340192da524ff54b0a0c8e45dd32d

SHA512
fddd7d5517fb12bcbe6b9f728ff8099a5a3fa5359dc574844bf225c5ac9bb9199f709808c40b50fe771156e8ec6cf84060886aacca20c2d5646eaee9957dfa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kowy.exe

Filesize
652KB

MD5
44d77c2000d6dc6df2703dc2dd4cf098

SHA1
f8759ae43192498d5075be4ea53f65a268d6e83d

SHA256
c3fe001167c41f9332b5d980dd412acfc56b17ce94d772a3b6647bc137912efe

SHA512
be16cdb1bf249fb6f5cfaaf0f9a2a6c85e191fc1c5707332e57610ad4aaf4f534dc5e18c7dd864690f2f9b1cc9e719109469d3eb38e8ba3ca716c8a491ce6b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAki.exe

Filesize
652KB

MD5
6a8dfe5a0cd2a543ea720b20d3c83d91

SHA1
57d8ddfc102c470d7f27b0f9821eef4b25069433

SHA256
8a84327069bb98be698b1e17dd8218aca427e9db6d42594d1e3653f9fb1cfd52

SHA512
28ffa8a1c66bff0ea93d163fb561c02c80891d165bce4074a55d1d67572379f414dfb794adffab080dd9c5439a9b66f39a0dfa864097a128195942673eb10ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIwk.exe

Filesize
196KB

MD5
49a2949dba1aea14a06714ae16d58c3b

SHA1
a3d0887fab670933d1005bcf24add71cd414fa31

SHA256
f84cd79da286f0d6e64ec57f2dfe0fbfafd153afbf64d482ddf0809f923e8ebf

SHA512
88d65dcf80ae4be465f838dff962cd1bf3e24d4204816020407e74cf6023e68471acd5e8b58cb21b533ab0b112d98c51aebc3c75e2c4e96ba537a5eed41c3bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMku.exe

Filesize
201KB

MD5
b22be9789a73db460b8ffe61c4d1ce18

SHA1
23eb2aa1e36aa435c0f1cc0637c7b86d49b7cc33

SHA256
c04b0e841dca4b1a843a463c8dee3e02f1f6fd2d78c5d88b38ac758cfdd88179

SHA512
27bfbf2347d3ae9aabe770c656261b05fd4dbbe71a9eaa3c58e623bf6d7b3653953c09a63302d599b4703f2896a2e0d51db32a71d9a7f373b204bd1f4817b82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYAU.exe

Filesize
196KB

MD5
17ed7ba43156a2e97e1c9b928ff258d1

SHA1
0d773824af3c5f4ea87f4fdf6f04b15de192117d

SHA256
94f71e3bef5666bdc77a86dbb6ba436ba00f9dd4af3e0050958eb42a5f8a9128

SHA512
f0c400984f25869dae0af4364b81c5ea8e969d2ce4834a5be5812dda82f41fb4020ada5ce876ffec4ff75910ae6857ac79609359e751eaaf32587bfcd3f37477

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYUE.exe

Filesize
307KB

MD5
93f9d38928bcb8aa8709d955f120d339

SHA1
7f953b956519cb3179419f4e8597df7ad2263012

SHA256
1992799041363f8ea409caefa7b858dc1b477a8517cfa16c9518a291887f9ce3

SHA512
cb4d6ce5da70126268e88df3683206c03efe2caa6d3b2f46476d7dd045d965269f73975ece0ba37f1089f440125aa80207c508e5b47c918338a2ac2ced82d824

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mgog.exe

Filesize
959KB

MD5
111950e0343c73d3bd6395180afa66b0

SHA1
d203404e013bbb464d77be36a2054eaa227904ce

SHA256
dc7d13daba13875ce3ee0a90775ef07abb269760011c399a00236c9c3bdc4067

SHA512
a93018db0f936de97340e0657cfe194593dfbc90fed47b097c11b7ad0e5ae58ded6689f05b932ad7b505ad5bcb2ba33c69a446936518e4c8f14f7502bf3923c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mowk.exe

Filesize
194KB

MD5
a386764d516eac59be76f2f4698ac989

SHA1
e734e9f77632b01e2e6049cb7346313f9b3fd730

SHA256
7ce4adab7fa60bc6491a1a574df096403a818f401bd2907359d499c2eaa32935

SHA512
d8053fd924565cd94a3c90b9379e5272044fc48986a74fbf715667cea3aa25161ab59b2298f7dcab7a9e40bdccac900ada1e7ec9cf8e1cc67fe4152e437a0557

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIsO.exe

Filesize
209KB

MD5
6e9a2bb3a2aed282333835c945b4f685

SHA1
a3aae5072c8358acca72bc82972918e52637db45

SHA256
c539d9043321adc687d962c2f48ad6bbc15ced8976c5c229518b525a732a09a7

SHA512
ce80ac84a1322352c9f80b81b5b853570002d7039ee3f0f1c4d32e0e2877709c2998588ed9f25a6447ea68e6c6ee88a3d35338815aec060a2877e73e9eeb8ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYAU.exe

Filesize
202KB

MD5
11f2d9dde6cb9c3f8358e5e56dc013ce

SHA1
f7e96822a2efb83de1bb4f15693042b74aef82cb

SHA256
f943d8c87c674b7695144945c3a61c4ed517751d8358ef45200533da309ed627

SHA512
3896d2ec13e8420b8458eee748f8fd90f43694e2e0f9db41ba2aab2ed829baead1b0fc6d828e4058d121f962b73df7a25c748434441a6d5d861351bf0cf66af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgAI.exe

Filesize
5.9MB

MD5
568007356f8db06b15340c08948e0045

SHA1
9579605f1d829a3043074992df3052085e8ace54

SHA256
e99e7283c9822f94b1e88d0356e40085898390c934e6294917d511529d13ee4b

SHA512
7f951694dc95d85b1b0bd6b151fe8a4463079505b0222b68d35c24512ab0e37f7e3c9f3e528b77d7b0131d0f669cf9c15dd73b178d8cbf6b33c58cfb532e993c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oggo.exe

Filesize
315KB

MD5
0cbe77cfadec0502573f370806a14f2a

SHA1
f46761c6c03dbc46d1d08ff34e4f23152c387af8

SHA256
97217d450c0d44ad267e78301f733fac1c5e96b0b66da87dd91773355cf4c69c

SHA512
5beab28ff0bb241cd3988b88110032bded43629457ead49fcc1f9391a0f547cb5e3d9b012d407b4c16a230a81e894dc383f9e7ff8afd790770ce607ca1a01a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYkI.exe

Filesize
796KB

MD5
3e7efe511d5f75d8e9ad9d173afe06b5

SHA1
8200bd4f274c02858b08425fedbb74a19bd457e9

SHA256
9882c482200cdd8e602c714b7c6b38aa28170248fa8f0f8a5aae8d52a3b2048b

SHA512
b079170a828c254f861768b19c9ce4dfc64f1dad667ee13e1bd574f4b853afe619c1ee5a02d0660f74ed0e0a76b7f681c813e1d3603a11873b358ba342d5a6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcAw.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkcy.exe

Filesize
1.1MB

MD5
d71e04dc63e502f7f1f53a37a73e7627

SHA1
85e1f629d4d87a3af6177a5ef90f97bae638e17e

SHA256
db86e958be56fcef8ae140e9d9df5fc867d303626d95afeab97653add3529d2d

SHA512
4ee4270481aa0a8bec6d470500792850eaac7d9fe9b48d5d56331571d7647424b18e0db804ca26a4613f450690af35438ee265bb5c6650a86c1d0bffb74901a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwku.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYM.exe

Filesize
824KB

MD5
08effb6073c5a7bad44d61073649bec2

SHA1
9f02be0901ce715f6cb28cef52583c9e765bfbf4

SHA256
a9a14a7ebe6cae3dfcf537a6d0a84b9518953bce43518881dd9f3f0a90cd8f66

SHA512
8181bc1abfee5a5b349d729412d13158eb5bd1f98d54ac34655a3b0e398ab8a990c18f1f54a29f01f672758fc49e1af21b653e8faae0dfde20af0b492898e855

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIkA.exe

Filesize
880KB

MD5
db922fba400d7e31bf6088e92c11af67

SHA1
940f4ab8c4c5f178f476ebfbf105584de5febe84

SHA256
5e675ca3e69d27dfcc799ae8c967030c6fcac3880d29af59e50e7008a2e264b8

SHA512
f92943831902ca766a7419aeed0edd5c89560ae64b36b28d89ec0e45b1afc3ce37a382ced2885ebd0564ee8cf5df788669457bf0317dbee1f36a3818c92c6db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEK.exe

Filesize
675KB

MD5
69cd16244826b22a9f371ae38a8f792c

SHA1
28d780949c45df44596b4fd87dbe40aec7c239b5

SHA256
9ef0b94b4f5026f70c86ed9147c0110a6294f9d4b01da3b403aec8202f68ee17

SHA512
04b97553dd8f125291b37531ea53ebd9b4f9fda66e26b326ad72aa2c802b3d6fadaf520a4766d0e4f54d9cfc3321ef56291ed334335bb8b3d996fa51f4a82743

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQMy.exe

Filesize
186KB

MD5
151845090ecb93d684d1407851ae75fb

SHA1
b4435f925e91c0354f8d9aa08fe9b4d616adc8e9

SHA256
81760a5d1307508d28e79a9bc47e54a89490d39337787d1f5fbbbde811367a17

SHA512
5966c75a91db64a78d5fcf84e786ffb25fb95907561268c102fe3732466d0ec523ae036af95b58cc5a5c7d9868d8c47a6b425179180585489d45584ff3d94edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQkE.exe

Filesize
755KB

MD5
a601a81e68197e7eb421748c67f5bdb8

SHA1
07c109dd1ef160ed9ebf6db0af547c1654002fa7

SHA256
af9b405b15d83df2c8d69cc3d88bc8647b3bef32b229aefb4100d3ab9c5a6962

SHA512
b11864d7208c505c6af3fbf0c7c2186b90a7c1ffae153b18e54be334838c250359072caf98c20b9f12bce371b393d79ee96f2100f4953a5c60deebf005aecbc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUwO.exe

Filesize
322KB

MD5
239cbe56eec52659fabe613cd53a24f7

SHA1
a7a59068dc9c45219c130f61679e3637dab33989

SHA256
c4cf18597bab104522ac269c02d89ea7ed26be78fdbb2988d8d5e987a0831902

SHA512
2ac06ed1999624a3157343e6ebc5d375bc43cf0ec46083e988070025f0772be6fa43cd564b3f68495d19c0d7f908b695718b8395202c1a4c7760551f7b3bc93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYQC.exe

Filesize
195KB

MD5
bb6def25750d30e66ed2fb2080edb15c

SHA1
18fd8c049b7716cb4617834d130ca2c7cf4bbcf7

SHA256
d880bb8610c2bc10433a2f24fad8cca7f577c92de568aa042071eabf915a3c20

SHA512
ac2eef33b68b8061973c0da7d42d234129ae07cdba7597d0b404812539e16ca1b5157bca3ff4f525e86eea77b579c4c097c9df21f9b0f27bf89ee264766eb21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgkQ.exe

Filesize
201KB

MD5
c20c2a29fb953b75642caf868d0d3414

SHA1
d1c3da9f64ca1ba6c0e0ec1f859f60cdc642e98a

SHA256
26253f7225e68d917678f9ed77a2eec87f64c91ee45f0bc68c8321d5a6407713

SHA512
2ec450e0bda4793e619b188a363845090ccf1691626929c33cae08ac70ee8da8fcea176a91daa33af742b0a12decf5e74b5cfa01f604391532bb6c286ecabd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkAu.exe

Filesize
436KB

MD5
be1f0d771ea874fedcadffe3304fea97

SHA1
fec93d5cfdb145099568d443548f17b175954d37

SHA256
e7e7f02470d673232ca7735720cd5b5bac5552d38b16f1689b60cd9486fdb4d1

SHA512
c32520189f439b38c94ec5e46b32c1f25302d8883247f765a542d9a7004bf8426f7db3710c916736d86e9f924be066f2dff2e0c728e9f057600756534926847e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIkg.exe

Filesize
199KB

MD5
9673f9256d55e2d7f6f42d60485a916d

SHA1
67f85426fb01bb849b857e4aef5d01ae2ac91778

SHA256
47423739600321e7dc65922d65f832a1c9179f335b4b3f0dcec1533c4bd52ee3

SHA512
52a7132c952302e6aa571623e9794ea439761b1f00b2822a8e5464913df88519df5f1316f7e8a2316dd390651fa97c2b39726188f24ff6226b667666d4af6fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYUq.exe

Filesize
193KB

MD5
d51ecd251f854c8abb557dca80eaed97

SHA1
62e9b90b0a6860440ada0033e245731e317898f2

SHA256
fe00814101bafada43d9e1923d0ad2a17c42b6f500372dbae787d8c704d1bf09

SHA512
f99c867311beaf860f163032dcf9e1f110bb5e11c7ecfe568f5c2782508a4e380d5721e572275cf086d7d7b42c35faf0d65e1fb69c7ad5b772775789c43a67d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgEM.exe

Filesize
189KB

MD5
179e64a1e3108dd86ef3f79cf2fb5d8f

SHA1
335d5d508fbcc8a92da7cda7a29750a203b08a31

SHA256
b4b85a3642c37899fb96b011e308b60e9992ffcd6aace43e0340e1ada0c1dc87

SHA512
6a8bee77d269cc0b59fac4be66175159dfe5f25a1e526bb0ef1e648dd1a8138222553be5ade3f668cab245445374dd7ef95a5562fa72be9e128f94a189f068d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAgy.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEUc.exe

Filesize
323KB

MD5
85997b61e44cd9c60718293c74eaa281

SHA1
fb3df2cd459e8965cb95a68fc7e90e66cb1ba490

SHA256
b43927670a8d831349191f038a90055b5f53b258fa30447ef257c5b0a5ce03b7

SHA512
71364104d8b7693dd1cfd417a3948abad3e5ed6c11a6ee82497c5f4d5029b5e7874ca85b8cb5887f62a8e2b645b5e0c42e20cd51d27298f2503f324f7f4139b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEUg.exe

Filesize
641KB

MD5
08f3315d28572b39bb3f43547a1891b3

SHA1
9122792ae4e6675383b082f8fe202c83c0d3804c

SHA256
af19547b52f7f9f8416f75724a77923344f24dcfdfe3656c1dd901900ec6378e

SHA512
43ea1c30412adff21b80d59ef2fff212ff536f374678e482f22cd281eaac4b6b15f4dd26d32c2053092d8b61c4e894cc3697e724da7716372f49366363cbd23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMcg.exe

Filesize
189KB

MD5
9a3e70b18ffa8796b71e6e97ecdc67bf

SHA1
2c9fe0f52ec71b4013ce6ae80a2c35bb43ed2b49

SHA256
cca6bbd78b2a73425056099b5ae45aaeb81640fcf99f4f1769f358c97931ff23

SHA512
3ab28bdced85c716f41c68cc07a25db0b267ddaa9563e1b90c04b822405bf4bedea6121365ae3246d0b697166f29006edfea7b9acef77588527cda6dcc844257

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQUy.exe

Filesize
589KB

MD5
d8c943af4fd7e5718f5fe5319d57bbf8

SHA1
95357f173159b1a94ce71f2967e2254d7950676d

SHA256
b8a5eccfa2da748396941fd2c031e7e681bc6948bd229ac14f1f1836f79eb279

SHA512
40db1dc3f1f5a1d16f69e0d100fd94c0b509f5f41ec2f9618f574642b2233c72c0478401164716ac254ce54b822c46bb089a377087a9e20d279c75573e8dc6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUYw.exe

Filesize
186KB

MD5
b2abed6d85336190721877f34283e600

SHA1
6e69fc8ab4d22c07b4cbdc6a45e7bdfeb0bb42b5

SHA256
5a4ac434a06e16d3f425af77d47923c217e1232a6537f1d5a44f1cb4e06e3f61

SHA512
3e33f1099d3b2fa4b6049e199dca5b848dd5b0b84bcee6397c35d1b7d9c779555ea2c5e2d5bf584730905f5bcfdc17f097f9e263ce4a778133f0ca2b576e42eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYQM.exe

Filesize
207KB

MD5
249436d5fb88c00a0d36d08bd657f3a0

SHA1
bf12452eba407ba1ca7a5916a4fc1be5a53cdc28

SHA256
5e009a5458aa5e14ad369493d84853430c3b08dfa39925876191d84771776bd3

SHA512
1eb50bacee389c5287628a06ccb590cede45c342e209f797a865d9d8e4e7ddbc07cc8d347eba12197303727441c65b0ba529682e5061d72457565fc3a6f0835c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkUW.exe

Filesize
194KB

MD5
01e9ed4884132fe074e7869037d25002

SHA1
ac4ed8f07fedaf65087f53ea802357b4477c1e7a

SHA256
c972c98fbf1e7387da3bd25f1dc75391c6a0b9926473885cd1f07d06b10e8e2d

SHA512
2b2bd2ca6ddaf4572e01f1d7545f2794f4b29838e8d43ae5640d4d6ee81131669592e3cbd027cab12cf542da6321c961b6eed1c167bdc27b67d92476266ad1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwgw.exe

Filesize
190KB

MD5
4c8b8d55bdd3dfad2ba3933fee43904e

SHA1
cb9870b721c21e63eea046d56db1c64158d7a5ff

SHA256
aa334aa77502250e1bb4163a560351847ae53781d52dafe7edbb975eed92b3a5

SHA512
bf6fce01ed5feb0beefb8dfc538dfe33bdafac3b5236d1fb9ed1972ba743307fdb517f448a28c27099cb3651e73ff5cc02461298f6c02ddd5d50969114d2e5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEga.exe

Filesize
183KB

MD5
2accf02d8f8809489311f237aa9d204d

SHA1
77b4cf52fed5b803b351145d05ddd0d963614c79

SHA256
6a97fc597acedce35928f7aab7e6be29fef9a60d523644eff97a0c305d758075

SHA512
333152385496eb2efadac2e6817012c91bd00fcbff25fdc51f54a6d445925ead4a56265db551a800fb413870e2ad00da9b0a7b71f632f31d9899088687552c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMII.exe

Filesize
504KB

MD5
884962bfa4ac8898131ea6f3d3f799de

SHA1
6c2ec20b2fe82d88112b9d173bc763bcc3556570

SHA256
066e39d64c4d831fccfbfdeb0cad12ce8ca633a64497073bf7e05f47bf6b927a

SHA512
8ffa3b244487f18f6d7076bbd97a05178f1ddf0321c167427b76488688f60cedff8935de0a0ace70e1de42a3a85c6f842d4b757455f52327727e262094516ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQMS.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQkm.exe

Filesize
197KB

MD5
8fecf92c29bb5ef7f67ab4c53a578de1

SHA1
14bcea4a7ef178a87e35d86d3227d6289803689d

SHA256
1deb0f19c023adbdf39b49fbff481a9b29efc04398f4da16bd0a00b35bd55a3d

SHA512
c5407cd69610d1bd93aca524a747ebe8a165533afeed3f4d5b6d61e0a0a891ace942937df408bd7b4c1b1fb21d1f4d5e2e396e4403547725c8f071e873295378

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycwg.exe

Filesize
225KB

MD5
be3b5c2d661a1858d4e6ede9d166002e

SHA1
7fadc55f3f4e7138a938502dc9773e3f7cfc53b9

SHA256
a87cdcf1cc47e751a6a58c4b34eedc1f917c1126f033e4ed143816664c81d8e9

SHA512
e8af0c85abb5379c0419365bccfe4a8b9ccb9cd18ea08f532a3d2fc7eaa1820806a4fae843e2485fa50c559d00b5b48405d1d763ba321deb6324ab6e3cd4abb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yoso.exe

Filesize
624KB

MD5
a4c78cbbfb69ae2b184f4427f9e6d5ac

SHA1
2738185d0ba252d722e05cdc891ff8aa23e6d0f7

SHA256
684847cb410a55b7ad61092f29ee119c2d4d00a7b64d3e1a614ac6f0f3ea328d

SHA512
c570b50b305e0de82cb879a198755470e6a189c170f198014934cee6880a44929257d297dcfada2a1b84574f4580c9f61f6c0edda84730df479f58284a841cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZewQsQgQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQgO.exe

Filesize
201KB

MD5
75313bb81576e816313e1832a6d02b6a

SHA1
cb28b01eef6014393d65ade386fc088774704039

SHA256
61b88267ce73c7727d23b951378ef4a3c1d50096d83abde17fd4d4dfc65a536c

SHA512
2f7be753d4fb31f7eef20b418d37dc3888796999dde219511adc07da450d0a6382c45e43b1f928555f0e0965efd6795b1c4035f1bc44347705c5ea88ec62bfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\acAG.exe

Filesize
183KB

MD5
2b0c4d7d891d54eda0808955b7cf2623

SHA1
d2e561d7cc26e395e098599b402e1b38ca92fc38

SHA256
d122589c56aef2c7542d691eea4684c704445978652929bca2eb211584d57024

SHA512
7dafa0484b8e272847875683b62545dbcaae1e7ca768d2ef4f7794e0f8efc7a532e0479f6bfc8845ab6e30f95b4e1d8db07d360de28a52c47666c131f6f22adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\agkE.ico

Filesize
4KB

MD5
a35ccd5e8ca502cf8197c1a4d25fdce0

SHA1
a5d177f7dbffbfb75187637ae65d83e201b61b2d

SHA256
135efe6cdc9df0beb185988bd2d639db8a293dd89dcb7fc900e5ac839629c715

SHA512
b877f896dbb40a4c972c81170d8807a8a0c1af597301f5f84c47a430eceebaa9426c882e854cc33a26b06f7a4ce7d86edf0bcfbc3682b4f4aa6ea8e4691f3636

Download Submit
C:\Users\Admin\AppData\Local\Temp\akQU.exe

Filesize
199KB

MD5
aad04a72e287ab8b4ccc022bbb72e9d0

SHA1
d4a10b9b39b0921fb9283ebf9a9f58da1eb4762e

SHA256
eb957f62b9175ab28d88576640532a1184aa50bdb2799482b0ce73f3f87f93c9

SHA512
49df4ff467cc474437222bf703794647a1a3f32b6e74fb06972ec7077488aa4f1b71436e969380a6fa6f8c46fc4f24cd8576cd11fd62a87b910da222f5a65498

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEka.exe

Filesize
747KB

MD5
8a8abf674c676a7a8983f6925c1e7ebc

SHA1
1ca004489a4a5e05d13a6a3f13bfa441d9010a7a

SHA256
89b626d96229fa3df981d769e263598a996d636e8025b9f161ede66f73a49105

SHA512
2de07fe243e5bd72f1914e777b9da230d88cf8cd77a3cddead339488bbbc766d4e34cb0b2812ed01b9549c4292414089e1bf8e734298fc2cf1ab7ff31320fb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIAa.exe

Filesize
217KB

MD5
04423cb80e20651346d68ac8b0e73b56

SHA1
7edf277a7004a92b07367af807d83599a8223188

SHA256
9395e61ead29da9c5d960a84ede532c8453353c628d2751658452d4e94d9be39

SHA512
4aa946ce1ec661bdaf36e748419be4b26ce6317e2f04f96104e86fe41819f5903cc6f471bd1f8adae7658d404d555da587d1bfd882e7240843e0d8ea98ede913

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccsM.exe

Filesize
189KB

MD5
a14c40f0be9334815a50b76c98553878

SHA1
284258f293b5701c15250f35a1f25edeac9d442e

SHA256
8e98480e9bb02373618ed775d86ca78bd0ad0ad361e2eac64e6120f8a188dbc2

SHA512
408c80b47c19b79073e844334bfb5a17e6680808e28483801bf756c9c6689878985cf08947f84154e0309eb55ae50286162e792e538b695fbb3bb93d780b0ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\coQU.exe

Filesize
190KB

MD5
68d246b5d428475b743a3de137567f70

SHA1
c568d0fd505ff46d7b26911449160b9f8d941065

SHA256
bd1514cfd8dadcc8f99f1eb8535ff4d76ba9776590e0171bf3ccb591e60a4875

SHA512
da2bf367f13732cd8b9844c1b7c8a6549e36c396c56b7332975a2ee97726d27a50ef9f01b039230a4ceff318a17ae14d7d759c9a4556000abcad7401df5ca64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYoO.exe

Filesize
693KB

MD5
8f5f0691560e21406bdffc21bb4676fd

SHA1
0264bff47e5ebbde5cd356c3ca0c652e641ab2f6

SHA256
f8e2980d42aad9310cf5bbbb2430f5ab72d69b365ab456be3addba6af7e08747

SHA512
ce254fd9e6072a17583b2709512adeb428ad4fddde091ff626e0d4b738331961ecdc326db92afd9a2fdd423d22eb009732a119847395f5a64817ed4d5c9641ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\egEc.exe

Filesize
187KB

MD5
553f061596c4426365dcb900686cb715

SHA1
8e56c37d01cdc88b4af6608e9f86b36cf31e4960

SHA256
69fb989da07980962d5c1396371cdf42ca9355218d276891a61a07140c75988c

SHA512
d6933040e16a7f60b1991a73fec6ee0448ed3c6b8347a894e5fd47014afbe7f4d7b85f20fda30bfeb914590ea74eeca8612b20c5e360534055d64597f778702c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eggC.exe

Filesize
786KB

MD5
a71764d97a2c71ece8b0a0f3e6990782

SHA1
7234d0c4758e68a8964f3b48c8d3ac2e7b71ab85

SHA256
55450125f7fb44ba870649d22d41723526d9e5fd99b360a1fe54bb914410f6b5

SHA512
45d95a342abad90be57800259e72abdfc15e09e0080c1f03474358ef8f6794ce0b2e9e3e7a044bf75ff7e4ff9f9b34f792a24f81b9fcc28233872b2a8aadbe4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewsy.exe

Filesize
234KB

MD5
9ead9331e33c49e1d51fa943f59b8b57

SHA1
98cfdf43f4ab90fca843f64592cb633051c2e540

SHA256
209a0a3408a3fd878245fe916081af886baeb8faa0c2ffbb08e1a74e76ba0830

SHA512
b06d6ba47e7717bf1a50697533e78c6a559417d0177861ed7cd33bd9ca6e092b90a1cae71ef7a2c33a570e4620e0843d15e4f6d9e7eb3fc0809bcee29004b534

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMEs.exe

Filesize
209KB

MD5
aaa25666d17a404d2a792613f3beb317

SHA1
2a6c4cc4a839075f3705e5d45d9b0f4244b551ae

SHA256
8e4b0761d88287f653d5b42a95621e79b472d6e20c43970276416273b80c6506

SHA512
9d205ad19b6a9bbcd9f16707ebb8efe76739f29059779e5d12fad18c2c73111398a0d1a9058495245c60ad632098f8117a685fe49df2a647afeb50eb77b1ccbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUYU.exe

Filesize
196KB

MD5
9fc1fdf9a3674743bcafaf6767dda37e

SHA1
36767e5d4085c4e8d7ea7ecb2207337cb00e288b

SHA256
59f7a065b0c9acbe6709382cc9b84d619d101e5621d13b1d033b5b6f2765847b

SHA512
c59063ba937a9b2758f23d40dce68ad386bf3b9c911795fd33fc740f4e408f3ec46f826018db8f163c91b2a6268cf64a1c1de7cd045babe8c39c21e93cf4f06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYou.exe

Filesize
200KB

MD5
507187de14d746ca0163a3d6173ed5e3

SHA1
ec52754f7b787f4837146c256e0b09e3d667a1c8

SHA256
291c65448af65466db6b9d71d34ac4de31a8038bae168b8c700289807e65fcb4

SHA512
a00afd56c37d9bd620e192543ef02fc29d8b63f970c9796473c190e7257c94714433e8751dae94377de91e35a119b6fe256fb0ed57b1c0b77fb8192986eff5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcgO.exe

Filesize
189KB

MD5
513158ed790eb7d7b3773c179918d27b

SHA1
a1a0a6f08cee65cf33fee3af1b57260d92724b7f

SHA256
bf58cc3ca7a5e26b51eccd4cc4a9c0f3549b3603acdbc497dd95bde0e08a96d7

SHA512
304f4bb8b5bc922fd4f5e252a2eb0d4ffab0608e499dda873aa9d76d5f73c2af652c7668b9ddee0dd7320d35a4b1b09b8da81bd4ec685c74c833859ed5867732

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggYS.exe

Filesize
5.2MB

MD5
18e941d32cfcbf0fd2749f9a92e50abb

SHA1
16d75c4c6659bbfdadde534831bf306bdab25368

SHA256
f5a48a3f214cc667c335c590a36225cd34752adffa4c9b74a555353ed534e188

SHA512
f7ba4c721adddfcb6a65b0364629602dbd99da9b1803ed0dd4201ee8951178a7b39332844a0238f5f77ce4df79ea078243269c90d7e5a9b66f0e600f8cae9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAcg.exe

Filesize
188KB

MD5
a28de98d52272dc55ee280e79f37bbd6

SHA1
079e9779ca43ce005610d365f06b4671777a022d

SHA256
168a25705c8be986883a9c8a2c7ce610d54df57748dcbc780224a3eaee1b59ae

SHA512
f0d1e078e1964f3325c77a7c4b940d49d4fffbfe9403347432efd200524211b06c69053e90f3c18702c5179d83d46bd44dbb98d2b15111ca5af8bd985207fc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIoi.exe

Filesize
198KB

MD5
11878e59aac866a0c55be681616cfef8

SHA1
4ff0ddc8eea008b61c0eb73527b8e6ec02e7f538

SHA256
679397fcea1a55e45686e5531bd5e679adfcebe2966468bffe1f08eeb1e4f9ff

SHA512
7bd89f674e250898531091f8211509e7c1c8c035f5fb69edd450194ebe9adfcbac7689a34a864dbb6ec896e97ce7e76a49c520eaa59cc21f3f5c52dd218bc0ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIwa.exe

Filesize
790KB

MD5
ed91c3536b2b4b5206a7eb1a97bb2677

SHA1
a833b161d26cde9f1bac3763034034b8accbee24

SHA256
d15e00929d34cf9206cb8ccfdf9e6c539f87c5bd63a720f6617cede97c8dfbec

SHA512
e20771b3b1fa1369b4d40efcc1185307bb151f51db137a014501245324b719376f9baf20e67f23addf675f25cb332d201af476dcf0b9d5af93443091a625e88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMce.exe

Filesize
209KB

MD5
529f92a4c7455fd0f5aa2b0bfc7dcb2a

SHA1
22dd4795c8592b61034adb2eedc49169f5325c2f

SHA256
c11d7412266350a950d792fad628348b99c9602abe1fcb285a3889fcfddddabc

SHA512
703b0bdd569694f724fc6808d3bd40bc5eee6a3129dbc8c377d836dbaacb02533bc4f46ca832cb30c00bdc88c30d529236b01e46a8ae59d653063ba01cb61c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUYM.exe

Filesize
194KB

MD5
a473aa4c1ff550b8a8b97a7b82202a45

SHA1
aa11c41ab4cd553c76758d2e414123599994bf3d

SHA256
735bdd36c7ebdeecfa21138b2428eecae05136f8313edd8e81d7390ac98bcea7

SHA512
a2e05015ac70d93a60d69052eef91ae9e4507fc2867d7822176ed06af36ede0a4edec841ba2ebd16f24a5af626fb3e729c6facdfb171369f4565877257f3bc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioYa.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\iogG.exe

Filesize
666KB

MD5
880cb2538e69ebbc0c32de760af03915

SHA1
1db371b147f341fef01d7396da47f4a440a8d12a

SHA256
925035a849fc533dee7baeea0a7fe19ea5ee48f2e3936ab585ac0c8fabbcb11e

SHA512
41dc9df6c9f6cab186ef1b4f698e3542e0ad38b3bea372fc93d1f0659ba926a441bd0bd721f442d98fe77a0445273ceed88d51c087f25fbbccecef5db605ef30

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwow.exe

Filesize
553KB

MD5
77cb4b66d1f9a8ec1ea9e948fa630a05

SHA1
768b657929d3dd33c3ea56e1963052fa054ba9c2

SHA256
a87481ebd515488243a374715612f2bbf92a90e432004f18b8dc96e5aefd7074

SHA512
5e1e6aa7a5393744af4a17f22c2ba66b153282181976f3b18ec95826c1d78a6b0dc9f3c361afa064ac1be7b8ba269f58f1992e8e648023e9e2cbc068d7f97ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEko.exe

Filesize
210KB

MD5
d7a4b494d79d9e5b1f10ea97fac8661e

SHA1
ab5367aec7a27ca3c98ef436bec1aa2c5ff1aa6f

SHA256
5c83b0d9e9187d6649dae38369696a8bed0c3a996a1b0f7257d4a523c6813122

SHA512
d32df278c053e375528e9f0abd28e94ad6d012d9ead00e6b726f7515c3f50b88eeb7b06daece12ac40663d98d8258fefd6df287dd6d18296a5c3c25f39d74aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMAk.exe

Filesize
576KB

MD5
4cc54406c14cd96c3a2fb504cea7fe4e

SHA1
f5d8f5139e8e6f9b7a9809e4d68b64be50156504

SHA256
7583938b6f1c3ce56a0d3ada2d2d6890165f81fb94a60a0b4c52ea90d39c7281

SHA512
a201ba0639a4a3c000728a8432e3853b68652032b486b23a9f2cb3674125eadea6fae32816d202ef978dc4a74104bb8308d17d13e073693846c2262f68029148

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUQK.exe

Filesize
205KB

MD5
ad8dadbce7261ef24086943a5208b9ed

SHA1
3ec61499ede4f627a6b3976d9efa9780c6f83845

SHA256
fb3001c3030711f4321d3408de4b622d38bc6c6be63881d663c27bfdc4c14e4b

SHA512
b0a6c30e3aa34ec317fdb70a627dc17f55f8045b8eee982a99c74982f0252281065660c6f3a3ce9bc50f017805cc66c0d92ed2d5f8803a1737e28add2f0fdac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kssk.exe

Filesize
199KB

MD5
b3102a00fec235be24cdaca351da23cc

SHA1
aeea789c66d2c72961fbbfbe47779280f2879180

SHA256
b37ca1c6ccb115888d586fb5d87a68d334d67ebc39a0579dbf78b75d9489dff7

SHA512
a1530935d0a4d418ba05842f71ae5074177c60bd97a7ce724c2efd2782813515357c613efecd85eef15188a20ceeb95de11b3aa97ce391602fa25f2db02cd5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEIu.exe

Filesize
820KB

MD5
a514ff1c51b9ef11a606a0d4db042ca2

SHA1
1c5cee965bac6d8f3fb1012a2cbf8fb6189a3e9c

SHA256
10bc832910b466b30411e902f53a648623886e55ada741865d8b26e83f469874

SHA512
15a3b289f188db39254bad5cd2301ba750a3b17d19b1eae19fddedd8cd8efd3fe2727a3a4c2b54894d42aa0952558aa900df03837c2c568e8355d4ebfac3aff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEQk.exe

Filesize
193KB

MD5
ecb4b2f8388572a6d5738ec37aa78791

SHA1
d9e31154cd65fbec75131841db89dd915af90161

SHA256
09611302fa320a155afc14ccc48b356c20be7846f5b7da92bb2ea87889e76281

SHA512
ee4907a4c1838a03868e9d7687598f152fba0540a2d15e312cb1a947de08b70e33a62598fe85ccc2df7c298accd85ab0aed85a463d4038ca8bec1764ea1144cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcIk.exe

Filesize
196KB

MD5
49fa1aebacc10423e20de93a8b21424a

SHA1
b9c35984beb1583aea2361a5dcea16b54208d106

SHA256
49537f50ae3f11faf2f95e25cb5c9108dc25c32e1c6425d942f0579cbb7cac4e

SHA512
cb9f9fccfe24e89335ce3f09160759e6817e4be4a6746379c3f70db318a653e34e93ffc3506e439e1640cc256f362ab5a8260bbaa644b944f564c98a87fe1243

Download Submit
C:\Users\Admin\AppData\Local\Temp\msok.exe

Filesize
203KB

MD5
b32d71dadd24aa0b453f141b903bbb02

SHA1
aed99374c379d54b4219bfb6838586c0f6c46d94

SHA256
a6f53fdda33ca6548e1f53ebda26baf3dec7bfb941e690fcb402a642d4801c25

SHA512
2da830e00d977742938c9eaf9e8c4236df0dedf5a0ca82c47e2273725f67c01980f3330787b634bf6076885d895ee5bd12d830f0ca16636f5cc9b1f099ed5f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIIs.exe

Filesize
617KB

MD5
82ea94e3a423f63d2466f122a5228b7c

SHA1
7e6a42459df84ec0cd286c1b106309b686dbe7c7

SHA256
b7746a7fcf2c4b7df459c724f67ba6a446e4ddd16c277e54453c7befe2d51a7b

SHA512
638ddcd0ccf89bce3f5b210f364bc2d83f6b09f15b41cbd9d6c40f488e941b9a4e1d40adc724d14891749adabab5b5b3f79735a5e72e4b8c31c26e194a34bd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAMA.exe

Filesize
248KB

MD5
47403b54a8afd65d274ee1671be11799

SHA1
4e950231ae9c86c0033d62d2455396564f7744d0

SHA256
ad737b52870023db0cd855b63de9337e82d8e5f0d82a3c506dfd0e857b860320

SHA512
466113469d430029721158766450e70d396b14e7c4eca61b166b65e6fc0c3f4f92dd8e3f0fba1a0e33bdb05fb2bc9754447db4adf96a3babaedc07415fa1e13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucEu.exe

Filesize
209KB

MD5
b6eba2c4456d3050b72ee6d538e1f861

SHA1
e5a9ed86c40318ea7015cc390998061dfe8c03e1

SHA256
f4374fa7759d44330047baed5523cadfc2d4b950b515f2fae8ba5c7a971614c7

SHA512
8ec45bbef1c3a97df59a77c7d792d43f889f62d98b21c2ba0f1e7b37e72b2315dcd1860693e544cb2bd2edca5799590833238399cc636149e6de5437e7d7128b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoIU.exe

Filesize
195KB

MD5
172908e3cbb872cf9ad29376cf051623

SHA1
dfdbf1635f8ef82cafdbf77e36373190d6e115bc

SHA256
f29e8f147e71d196b94cf80190cf0777ff8c152a63f965191e3f0a384db65f0b

SHA512
8940f72fb5ac14ecd4b6c0a3001c0ac2bd0f7fa7c8ec8602b9eac8547e6ad520636c0bb13f2189fa936cc8b600669c91939ceb903a6f4042d467ffce55f30679

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoca.exe

Filesize
630KB

MD5
59bfd7190f9dc460dba04a027f3a7ab4

SHA1
f73c8440111ebcac25cef38dafbb4b97a26e685d

SHA256
928b87f5ce22e705cba5c983cc91b5fbc395f4566b1f75eb19d8bb1aa06b231c

SHA512
07c6f24fda731ce35db4d514bb8c760eaeec1ba36e91612bc3538bbeeaf6829c64477a0232a7ac3090036f8bbe639a98faa1a264fce237b89fbfa8caf36e6535

Download Submit
C:\Users\Admin\AppData\Local\Temp\uogK.exe

Filesize
199KB

MD5
b5e6316410b7bafd602945ef0023176c

SHA1
22e62ef46035117dfb19052ef6d7fea46f7259c5

SHA256
cdb3847f912c29a363058231d7110ec13bfb571a92fd2f41ea467d69663d749d

SHA512
8ec80b3454a81948cf7600c9e7b6744b08c8a86e73f4cfa8edfb8b8cf39b05afa8956ea3352a843f3d93e419572d8fa4e9e61e8d18646c30ef742ca489e80142

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwAk.exe

Filesize
193KB

MD5
ca583690c642a736e46ee688d3037c61

SHA1
9df4fa55620f2b7b1233527350107d3b194e03e3

SHA256
d4a570f1c8a349c2d188f6ad58765c5cd41be580ae004f101350cf50423da094

SHA512
e966908d95f1c58b964cfa0f8bb0b1774a0bb4688cccb375ce71f0bba87f16b52466285bf9a837c1badd5b46daab385419a843e8a40065a9a39beea30c42786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQca.exe

Filesize
226KB

MD5
d288a653f468ec1221a6999dd5702c20

SHA1
c498c006ee7e6d09b43ed059eac40576f683b06c

SHA256
63563007d33d4495a82d7682e6f40f5eab0f10d6f1fb5a2c6b947e180acebef6

SHA512
6e7eff763d025cba0e06ea651b42b0242fd81c7a4a5d52961f4e2b05921770555849d14c73286c1a3ab55628a6d15708b3b8fc1cdcca8a4362774c1fe5e5bfbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYwo.exe

Filesize
659KB

MD5
093c3d1b065a111973df9ef889c354f1

SHA1
a6999596f7068e77b08f322fc045342dcb7d08e1

SHA256
87f560bf044c3bbf4387d415bfed70f85f01cae9eb09a5c8a22763064e41a6f0

SHA512
0977ac53352d22eb8d74f07ecf9efc5c6e80c547b64686426373ebbc64f66f4eff33ee8a25de3d3f85e154dfc7791489b63820baf5dd152339ba370b027e4477

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykcY.exe

Filesize
202KB

MD5
4022e2e6e80e43c1f4962b01577c2653

SHA1
9529eb68ade9f63bb7ce7e4fe19acd973c062f63

SHA256
050b662d7a725da90373ebf4711d9e15b9d6db26097aa5b964853e58dfdbe98e

SHA512
4cb3f4bf2d1d1d5cbbf5900020482db4b863952b4a1618b45674d186649dae92b9bcbe7c96ff0295b750ebd65a03936554c496477249247f2b670998c8465e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoMw.exe

Filesize
1.0MB

MD5
9542d92e5c3d3acbc3bb8527fa90205f

SHA1
c36370b057aaf9b22620dfecbfbba2ed05d2303b

SHA256
77da05ad4518f56581bd874839c278397a90c904be92863171d109a6b619093b

SHA512
f63fd9506961dd081a8376c73e4d61ea0ed0ab8a18488c3e4ff0ec5bf8f41bac9b6eb5d59ed8f800d1d03f492da14b60352dc573a3ff022388440b0dd71b5508

Download Submit
C:\Users\Admin\Pictures\EditUninstall.gif.exe

Filesize
428KB

MD5
89e18366be85789cbb7ec095c6dd5f46

SHA1
0b2264a15853fdd23fb6ae6044b7603f60056b91

SHA256
ac2f2a3c3b9b109b80c2f23a535a8ab4fd73f60e9cc9c2f9171d6768c2750c62

SHA512
e742e2344892ba99a262315477f9e5dddc2b71557af0f425d2df2ba704259777c181fede12c37d84738bae5d9b93aef1106184539786185a6259e44b62872b98

Download Submit
C:\Users\Admin\Pictures\LimitConvert.bmp.exe

Filesize
498KB

MD5
21cc6377b5117f323830afe340bfaf68

SHA1
5de400d27880a655c58cb036ba60362db45265bd

SHA256
b4e59e0f441e7236131113769303fb8d2e3d80205bc6ec4e01e69b02c694a9e2

SHA512
2cf0fc63ef8607933b34c52a9f2bb17fcf3de4d7a9489ae956a6179ee9a3475024f996ac1aacaf100c1dbd9381b7876c6f03b6e6379fd00f7a5ef1774c7329d7

Download Submit
C:\Users\Admin\Pictures\SplitDisconnect.jpg.exe

Filesize
394KB

MD5
6cf147a6256d10cc90d093fc777274db

SHA1
0e33423eb7ca1a1615326cd9296a24232f827dbe

SHA256
7941b56d8c078f0fbdf4e25d569f32342e5eca1993cbab1ce50deb38130294cf

SHA512
60699625b12dae375ec111f8d834a2e4d49867d01b272b825e38f49d4727e1e7c9cc930e58599f38b7d8f53b0eb89962a18594cd7e8f8dca4523f31ad8ed3f2d

Download Submit
C:\Users\Admin\TewMUQYc\jiIAcMcQ.exe

Filesize
177KB

MD5
fa3429da168cc01438b3aacab6bc7865

SHA1
d5f569d966ad627eaf32bb2cb50d8c3c4bba36f0

SHA256
20a37726d2763004989c1b21e0cef079b9121a3c0d4136704748b0b0817d1e1e

SHA512
9b468d861e98de06d4dcc01dbe5cb59b1aa70cbcd50b5827b639ab3622c5747861d4ce21489752a7ee1aa6009385ea9b025428e3a23f9a2b41b94565caa36d82

Download Submit
C:\Users\Admin\TewMUQYc\jiIAcMcQ.inf

Filesize
4B

MD5
3f34263ba9ad4d3edf5af7c80703aaee

SHA1
ced2b4328fc6dd4a3be6892d40ee20cce21932e5

SHA256
42362c241c73f897d909e1f873cb1afc72b457290b762277a9c60c9fcce3f6bb

SHA512
80bcbf94c2e3e6acb1cafb2646ba8908de56666b1509aef04bc94ddaa390ee2f6d06702daa401e15bf23bffb23a579efa700801d9008f2bf32fd28189c9e7233

Download Submit
memory/324-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/324-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/792-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download