8513014ad7e7be170a8d856729947bbb5a22d88c7c902f464ae545af2e919861

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 14:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
Size

480KB
MD5

eda10dae57f7d8b74d5f9c04354fbc1c
SHA1

e6eb06c42f35d100e8bcf08e0dcc4ba7ae1f7bba
SHA256

8513014ad7e7be170a8d856729947bbb5a22d88c7c902f464ae545af2e919861
SHA512

b850bb84998e340ba5ce92fc33520bb1f2dc9ae2e209e7238633c900b4cf9e46a31cff4bbb9fcddb1b2f17bc8cdb5c0535be7298de6bd3928e9abecc1b9f0a8c
SSDEEP

12288:Jl+ujU8GMNj5R2A4AXy5iUcZnBePlkvtyC0s:JPjVGGoA475iUcxBe92tu

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	goEEUcEM.exe

Deletes itself 1 IoCs

pid	Process
2132	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2944	goEEUcEM.exe
2884	xmgEkgEw.exe
2628	CocQYMcs.exe

Loads dropped DLL 22 IoCs

pid	Process
1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\goEEUcEM.exe = "C:\\Users\\Admin\\vqsgkEMs\\goEEUcEM.exe"	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\goEEUcEM.exe = "C:\\Users\\Admin\\vqsgkEMs\\goEEUcEM.exe"	goEEUcEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xmgEkgEw.exe = "C:\\ProgramData\\JwgEkkAc\\xmgEkgEw.exe"	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xmgEkgEw.exe = "C:\\ProgramData\\JwgEkkAc\\xmgEkgEw.exe"	xmgEkgEw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xmgEkgEw.exe = "C:\\ProgramData\\JwgEkkAc\\xmgEkgEw.exe"	CocQYMcs.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\vqsgkEMs	CocQYMcs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\vqsgkEMs\goEEUcEM	CocQYMcs.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	goEEUcEM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1212	reg.exe
1964	reg.exe
2956	reg.exe
2156	reg.exe
1680	reg.exe
2836	reg.exe
572	reg.exe
1288	reg.exe
1884	reg.exe
948	reg.exe
2896	reg.exe
2184	reg.exe
1632	reg.exe
2736	reg.exe
1352	reg.exe
2536	reg.exe
2464	reg.exe
2216	reg.exe
336	reg.exe
2572	reg.exe
2256	reg.exe
2936	reg.exe
1500	reg.exe
1636	reg.exe
2244	reg.exe
2724	reg.exe
2416	reg.exe
1364	reg.exe
2780	reg.exe
1208	reg.exe
3048	reg.exe
1972	reg.exe
2116	reg.exe
2132	reg.exe
880	reg.exe
3064	reg.exe
2432	reg.exe
2104	reg.exe
1980	reg.exe
2548	reg.exe
2468	reg.exe
1556	reg.exe
2452	reg.exe
2820	reg.exe
1964	reg.exe
1732	reg.exe
1804	reg.exe
2024	reg.exe
1976	reg.exe
2980	reg.exe
2148	reg.exe
1832	reg.exe
2180	reg.exe
1760	reg.exe
2244	reg.exe
1968	reg.exe
2452	reg.exe
1288	reg.exe
816	reg.exe
2200	reg.exe
3028	reg.exe
2732	reg.exe
1172	reg.exe
1324	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1512	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1512	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1040	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1040	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2196	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2196	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1392	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1392	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2296	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2296	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2624	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2624	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
584	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
584	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
964	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
964	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
600	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
600	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1552	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1552	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2732	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2732	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2716	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2716	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1996	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1996	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2468	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2468	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
856	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
856	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2940	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2940	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2956	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2956	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2440	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2440	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1980	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1980	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
712	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
712	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1480	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1480	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1716	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1716	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2420	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2420	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1848	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1848	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2424	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2424	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2796	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2796	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1076	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1076	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1676	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
1676	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2464	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
2464	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
468	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
468	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2944	goEEUcEM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe
2944	goEEUcEM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 2944	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	28
PID 1336 wrote to memory of 2944	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	28
PID 1336 wrote to memory of 2944	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	28
PID 1336 wrote to memory of 2944	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	28
PID 1336 wrote to memory of 2884	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	29
PID 1336 wrote to memory of 2884	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	29
PID 1336 wrote to memory of 2884	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	29
PID 1336 wrote to memory of 2884	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	29
PID 1336 wrote to memory of 2668	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	31
PID 1336 wrote to memory of 2668	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	31
PID 1336 wrote to memory of 2668	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	31
PID 1336 wrote to memory of 2668	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2528	2668	cmd.exe	34
PID 2668 wrote to memory of 2528	2668	cmd.exe	34
PID 2668 wrote to memory of 2528	2668	cmd.exe	34
PID 2668 wrote to memory of 2528	2668	cmd.exe	34
PID 1336 wrote to memory of 2520	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	33
PID 1336 wrote to memory of 2520	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	33
PID 1336 wrote to memory of 2520	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	33
PID 1336 wrote to memory of 2520	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	33
PID 1336 wrote to memory of 2412	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	35
PID 1336 wrote to memory of 2412	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	35
PID 1336 wrote to memory of 2412	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	35
PID 1336 wrote to memory of 2412	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	35
PID 1336 wrote to memory of 2004	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	37
PID 1336 wrote to memory of 2004	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	37
PID 1336 wrote to memory of 2004	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	37
PID 1336 wrote to memory of 2004	1336	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	37
PID 2528 wrote to memory of 544	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	40
PID 2528 wrote to memory of 544	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	40
PID 2528 wrote to memory of 544	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	40
PID 2528 wrote to memory of 544	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	40
PID 544 wrote to memory of 1512	544	cmd.exe	42
PID 544 wrote to memory of 1512	544	cmd.exe	42
PID 544 wrote to memory of 1512	544	cmd.exe	42
PID 544 wrote to memory of 1512	544	cmd.exe	42
PID 2528 wrote to memory of 572	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	118
PID 2528 wrote to memory of 572	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	118
PID 2528 wrote to memory of 572	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	118
PID 2528 wrote to memory of 572	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	118
PID 2528 wrote to memory of 1124	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	120
PID 2528 wrote to memory of 1124	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	120
PID 2528 wrote to memory of 1124	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	120
PID 2528 wrote to memory of 1124	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	120
PID 2528 wrote to memory of 1664	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	45
PID 2528 wrote to memory of 1664	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	45
PID 2528 wrote to memory of 1664	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	45
PID 2528 wrote to memory of 1664	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	45
PID 2528 wrote to memory of 964	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	125
PID 2528 wrote to memory of 964	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	125
PID 2528 wrote to memory of 964	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	125
PID 2528 wrote to memory of 964	2528	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	125
PID 1512 wrote to memory of 808	1512	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	51
PID 1512 wrote to memory of 808	1512	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	51
PID 1512 wrote to memory of 808	1512	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	51
PID 1512 wrote to memory of 808	1512	eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe	51
PID 964 wrote to memory of 1456	964	cmd.exe	263
PID 964 wrote to memory of 1456	964	cmd.exe	263
PID 964 wrote to memory of 1456	964	cmd.exe	263
PID 964 wrote to memory of 1456	964	cmd.exe	263
PID 808 wrote to memory of 1040	808	cmd.exe	217
PID 808 wrote to memory of 1040	808	cmd.exe	217
PID 808 wrote to memory of 1040	808	cmd.exe	217
PID 808 wrote to memory of 1040	808	cmd.exe	217

C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\vqsgkEMs\goEEUcEM.exe
  "C:\Users\Admin\vqsgkEMs\goEEUcEM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2944
- C:\ProgramData\JwgEkkAc\xmgEkgEw.exe
  "C:\ProgramData\JwgEkkAc\xmgEkgEw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        8⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        10⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        12⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        14⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        16⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        18⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        20⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        22⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        24⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        26⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        28⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        30⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        32⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        34⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        36⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        38⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        40⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        42⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        44⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        46⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        48⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        50⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        52⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        54⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        56⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        58⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        60⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        62⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        64⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        65⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        66⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        67⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        68⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        69⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        70⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        71⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        72⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        73⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        74⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        75⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        76⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        77⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        78⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        79⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        80⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        81⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        82⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        83⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        84⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        85⤵
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        86⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        87⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        88⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        89⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        90⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        91⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        92⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        93⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        94⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        95⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        96⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        97⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        98⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        99⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        100⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        101⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        102⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        103⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        104⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        105⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        106⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        107⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        108⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        109⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        110⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        111⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        112⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        113⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        114⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        115⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        116⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        117⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        118⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        119⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        120⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        121⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        122⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        123⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        124⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        125⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        126⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        127⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        128⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        129⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        130⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        131⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        132⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        133⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        134⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        135⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        136⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        137⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        138⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        139⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        140⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118
        141⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118"
        142⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWggMsYY.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        142⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xkoYEYIs.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        140⤵
        Deletes itself
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\daYYcUAg.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        138⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmkUgYgI.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        136⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xogQYAkg.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        134⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dmwgYwAY.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        132⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQkwgMcI.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        130⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CWgUYwUc.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        128⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KoQUAwMA.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        126⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yeYQMQws.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        124⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gugQYYMY.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        122⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUwIYYEA.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        120⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCkMkMgM.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        118⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DycoUkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        116⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEUEssco.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        114⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQIAEYEI.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        112⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwYIYccs.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        110⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQgkkoIY.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        108⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\owIIsEkw.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        106⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKowMsso.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        104⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwEwYwAI.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        102⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuIUsMwA.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        100⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYUYIkMo.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        98⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RWcMQwAw.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        96⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vssQIgso.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        94⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uckgssAk.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        92⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKcAckQQ.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        90⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\esMcoIoA.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        88⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUEYwcAE.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        86⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwwsEcoE.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        84⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LagsIYMI.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        82⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TeUQUoQs.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        80⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NosMwMsA.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        78⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkIswEMI.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        76⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kGoYkssM.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        74⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SygIgoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        72⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEAgAMkY.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        70⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CccYcAsA.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        68⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GmEQoAUo.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        66⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKgMkcIc.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        64⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\raIskQsI.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        62⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCEoMQQg.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        60⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\liAsQIMI.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        58⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQYIgEgM.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        56⤵
        
        PID:272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmUwMQYM.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        54⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKoYkssU.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        52⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kAgcIkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        50⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIcwocsA.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        48⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCEIAAcU.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        46⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwggMMYM.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        44⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIskEggo.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        42⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hIMQIocE.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        40⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKEQgoUs.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        38⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGwEIAYs.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        36⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgMsocUU.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        34⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MQwoIEYM.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        32⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qqwUQksU.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        30⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKAkUIwM.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        28⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOkwkgUk.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        26⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEIgAIYE.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        24⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSMYQksA.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        22⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgYQggYQ.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        20⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tScgIMEE.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        18⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FYoAUIoI.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        16⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwUcowIM.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        14⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hScUUEgY.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        12⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IKIkIYcY.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        10⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAcMcQco.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1804
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1832
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmcowkIM.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
        6⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2972
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:572
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkYEEAYM.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2412
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lSAMUoMo.bat" "C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118.exe""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1708

C:\ProgramData\eKMAcUcs\CocQYMcs.exe
C:\ProgramData\eKMAcUcs\CocQYMcs.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1916420343-21231293081990438680-1229675614-259611711-4868524261139396390189990433"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-871014856756661823-1453829819-2133715918-1511084424871857429-1422099903-1843224430"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "264286443-17986864331039443-1277249244-1263094320-3652791151715230464-1979809059"
1⤵
PID:2196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1727783360394117182-975402994-695824004-7309782395107011911847123321699015960"
1⤵
PID:1040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1456915849-43509632-1969315132145599106925870462049376276-18500938251975501836"
1⤵
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15695336681770355284-120603950-1296517238940332588-1476263304344033292-509555499"
1⤵
PID:1456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "173726212731218690-1803951699405147023-130539137541713034-946198777-1414691894"
1⤵
PID:1696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2016750106-900878504-3490649732075959838107068731247675889-412002471953495954"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2126619475-933052851430287598246519253168129119-1445906141-1667580632-1257690294"
1⤵
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2018947349785700036-1740397071688224403-13548579331384503912459131962-932961560"
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1191411068-1507337803-1280968953127012518015723994593243548051374261604458859824"
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1784609535-4468613411482103338-11247217461631168176182762814-312300895-1218821060"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1948768361-1445969133946028056-1901953049-12440053681026865898-9585454851677474566"
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-906959151-995439962-188075584-564135980-1211261896409954500-1898247159884029114"
1⤵
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2088671369-5600178951592106607-2014375726-1584871489-1811566764-79790565-1286270973"
1⤵
PID:324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1322038875-62122903312103547686557837361435272226-1252520436-7601785461559988485"
1⤵
PID:2564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1455003803584315437-359546957-19414888661772732896-6323774361594665288-865945313"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1124404029-1609356075-287863373-7451742991662375805-18014065019839414901773590611"
1⤵
PID:604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19103434721697916021952480444-804097384-62777474815447900291660026232-1334729392"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1595504868357544228-1305737818-1647220887-1421818653687763795752587801651760650"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-595311390-1910855273-1642519655194016028520923904441972472029-2113109925904562963"
1⤵
PID:1276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1958691338258005068-2816671851680404101-981869042-70911019419029454731191453403"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1960079036-1927637943-199808705410554567181248632913-1661825136106587463273496599"
1⤵
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1349913280-1397033384-1409955071320877936-1608624165363695095-20064516101277440625"
1⤵
PID:984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16566867824913850321129406544-20643731991184135970-1907089659206640635-1978735869"
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1555780574-100562517236900945436282465-170885950114902753811203408173-1205138468"
1⤵
PID:2820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1907985019-1213868678159816879615144062434150892231456890979219345494886703075"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "479352310589002038-633168531970009097-11886974781839339173678865710517380260"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5558611721061238425-1660257710-708288007-20446035291511651970-4288655741008311575"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1268568892972752822221555612-505524521478759725536158931532427432822274409"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1336327041-21149396601649707988-135118269-1367644096965575555-1651805079784628685"
1⤵
PID:552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7538839713133386941773146301-2058069478-1026906386-129469143912949995971078479864"
1⤵
PID:600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-334606472-1322680298-1113870979024765382014744368102451535415540136801616147477"
1⤵
PID:2464

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:3064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4490382567690541141222232178-1497692481-18139712521099013711130391849756250399"
1⤵
PID:2308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "857603022-939446562-62554049-655467398-16275033722080795282436715263-75625678"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1975741370-798243763-1643269014-338930529-1631877520-964132382141142599-808685703"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-509878026-1606264112-13811688501691852818-151731816918579437-1355447088-333221903"
1⤵
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-290820556-28201608620028565701450802227-736198521-1883744549-1234556602-992481837"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1076678300-866491464-8284692101383836818-2136077771401235570-668766178-1749470703"
1⤵
PID:2332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "804555267-18178751418947975611730951396-1978709672-394355817-18318687191731369741"
1⤵
PID:112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19085710327024740901888200756-804958230-2070033316-1240320725-156113176-420298320"
1⤵
PID:2244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-104378901-5586579221305978601072703595198667570-8038614971546442968-2078077657"
1⤵
PID:2204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6312017821231969734-1466700676614805746-1386496632129475162510395612501573865770"
1⤵
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "211693552010794463818481713492268814201690399131306190552-14146168001696919440"
1⤵
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3052028781519537457-30647680-1560288137-1267972667-688698701606108755322748792"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "605035060-521253211661465901-2145100550-1348794867-5035559961379135814231263312"
1⤵
PID:2940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1579328887-1409767554-5281292981856957209-1208962122-238995425910969522364379555"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "915611371-1658708276-271552305-783573260-1946877174-1034324282-1205998590121696937"
1⤵
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2143816626751906511892608410-1203252043-1927024771755999422-882421789-1239092087"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "78486434750120931-1568901432590087534-6217195-2112765686-1703775502-1204240452"
1⤵
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "82016550-8117333131604599618-1368412618-16512021895444100521341861006-531695783"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "41651537-397243473322244572187805896-9298650669010865-18038745561059505868"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1320553047-464899162-1125420998-9734620911755125176-12775241351011286690-1397705465"
1⤵
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-855885814-110038489-662326746333731498-607065674-1798839640-1490976953750630218"
1⤵
PID:564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1519057787-524590640-2008677674-1767888349305005501-4420402681724022172264004510"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1518179041880555862-1007173741434339861-251455081-1056600560-1250322907674902663"
1⤵
PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16893969631221883482-1286686327-2094275737-15551452131476406981-16804853871711698303"
1⤵
PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2036921042-125360090-17277660911595735309-456557238-9381041771335227610-576639359"
1⤵
PID:2440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "771325542133000909545308137-1535477066-9208225651720197890-18663111251696857914"
1⤵
PID:2092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-486151543633476138485689083-312180807-401054141262128485652191176263054292"
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17995855161021143082-977226722-689202729-2049630838-1905082925-717286195-1767987085"
1⤵
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1687222627546371075-937973153-324052057820253041108395463175929294222965702"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "928277714-1584217266-1117524856735243691-816850830-216816953-1640942314-1773519097"
1⤵
PID:2404

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1199888321-8581749831337297405-310199053-1093033779-584489751-4641911172144103669"
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1236564215-1163483137-41584602617273627081876630078-20780191451266415160-355993060"
1⤵
PID:2044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10545066751755085015-530185827-257839439201131195111211046551302816486-1794697023"
1⤵
PID:1836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16191610421188525245-1954618794-678767734-610422372-1208108548779615357-1501937105"
1⤵
PID:1724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8154729371637412269-3665686332095414061701796891259852858-1561164321-388857754"
1⤵
PID:1272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "893370045-1554124797154463160920032369576533948415505090011324265682127096261"
1⤵
PID:1104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-747403048-338618946-1822687933-10548872-1791060168-5681857391931146635-1846745214"
1⤵
PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21145823239478633571985423938-4701308851046954722-1295300262-2142536413-414438425"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "664489630-28810808310028193351303970685-1900465714450046865-293564484-1054067711"
1⤵
PID:1880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6872744411886970221-176514000526404752776251155-60904045481105673377684014"
1⤵
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1749158936428199251-130570336-14800398917384179-867090153-1283503527-1314552661"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1751544568-1810431997-3686307171706798701-11715970781732770178-108820669-795115807"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1438162093-1551809853663008520-164810772547613564016441122232044484039-1726897056"
1⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1668475657-194031389-785256171-826489912-10400878591117620851-1140677174355595480"
1⤵
PID:2864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9554406532134824440-106689512-1198680701-1694152913576590418-1275335754-1542626141"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1682600149-1114203720-10609264191273769970-11383107912134237881763459617-704565408"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19342566861043151171-1177661157-5057402972788023592120394524-232833846973172321"
1⤵
PID:2148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4041184701964983396-5025535501393558859-7328508241633861261779272756476582296"
1⤵
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-22317641315866687191446630920-667837326229345701098178944-13685031701777018312"
1⤵
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8169865781419899531-92579659512052615207727782061095201220-662758619-1325567268"
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
479KB

MD5
7b703df153908bf8044331fefe31b82d

SHA1
cb531a310200082ba2f122dfd8dff57ceccd04ac

SHA256
90799c5d239797d9e68fa53530438f9279692f33665168bd15c72f4d9e784ee5

SHA512
d87ef25e0a4d06e50f60cbfba5868bab6f452defc01f4e13f9bec07e1aba80e7806f10575a9a0541620cc572e3e50be67d7fda254be3fc7f5eb4d1e97e2947c6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
562KB

MD5
b26d9dbe4c82b4db9ef68478b77e003e

SHA1
7478141637e2a2ae33185ab9b2c902a5d1f93393

SHA256
6d2e2a6562859483e8435be1778f4f2117ddbfb15f4b036563b6b72805802873

SHA512
4b062f88bde2ad669e901a3177e37a023777474dd2fba87229f7b80ae30f02668b9004f8c475fabb28a2438e7450692895288e2d6d06feabfc896afb63dbd14a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
479KB

MD5
e11b5b3c35689069db24bafea9117171

SHA1
cfa9141ff046826c6e2653fe47de66b2ba9cb75a

SHA256
aa6c9634d374540b1e341c432e5d6f0a3ec012e7018c43839fde1b737ccdbff3

SHA512
4affe6d2b68a63cc4749eb77f4764f91e388133afee865d2d410cca1e8e119b206ffaef354a1ec48f54712f3ac6418a97a0165f373f93a9fea65d0f360da8f09

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
479KB

MD5
19ecd1400f5ff3c6e92b114c4f2239b8

SHA1
ac031df0eb50b0784d4ce3c58692f39e4a7a0f6f

SHA256
5fcbb09a26ec98670ebaca44822545e4dfb4fcea27f42336b240f5655a8a0948

SHA512
332d5fab618b2e578291ed38f54be191b31a998cafccaf4f558151b53a07f49d9862ead0b2c686cddc08aeb99ef7623f18a1f0441aa6fc5ad4aa7f1e10e39bcb

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
482KB

MD5
dd92ac3782558fd01bbefc1301b73596

SHA1
2c3b9e335e3c570e3108b816102f4bfe3c077344

SHA256
387ee959a0cc64e932b3fd6d4d9aa602aecdaaaf9f583409dd9ff1f8a25585ba

SHA512
208085a56950ca3037d8041c7b11f02b16cc04e5945ace9f50db06f92405036aa5217e73f0191565b08af67e8f3d7230e1821b1b43f4f8b9cab00bc8a354adb9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
488KB

MD5
e0a622fddca45943c302164a57cbffbb

SHA1
af3b7edd296f47081b9b021fbe116f2ff915434e

SHA256
906d2ff27a3c57eb9676f675474afc6f07b18d8a805fb00af5f05639d45b3e68

SHA512
b3b9442193bfb0db076421b46dd9599c3bbb20470bc769ae6d0d344985f7f18c9388c15adf46bc3152521aea498d604574020f53e50f99dc048a4a0585d3ba00

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

Filesize
483KB

MD5
fe7b788ae722db16de8012a9ca55e3b2

SHA1
2092171aa0c0ecfb0bf3bce82d2e20d12ba87041

SHA256
646da68b5e001ff0ff9ca10499d68609f5ebdf779bbd1d435a841786e8f080a9

SHA512
7f6584d0bfce3df2d040c6bb6db63e8244343b43e7f6beeeb2397a82b8b448fcc7832bb77172f325ef5da46de7d2136df5b38dae62a6db3ff487469c8bd0ce70

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

Filesize
478KB

MD5
7d2ca08e5a175f0b9d4ac37ee89bde63

SHA1
f811785cdae6f6d912cb48ed8291a8ab696b1c9f

SHA256
90e11f6bc71cc3383e16ff4d0b68113a8134ee593694973318a2307df6b0fa80

SHA512
bdfca3e0b88db6b919ac97ff3244cf2be751e91d3eb7e7cfd0d7f5bad47bc21392433a7fd8dcebe63a7b0235195c45df7e55132cf294652923fb72b6e23879cd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
481KB

MD5
8022e6670a9bf3ac76e518baf6bd976c

SHA1
2d9bfd704dd3f728fff2ce27166bf2146d2e5189

SHA256
63537bcf3dce32c252ccb635d81679684c5af8f30b305ca4082693f6242fc60f

SHA512
7b341ebf82184e1dfbdc4502028bb959415383991f33eb982fd40e5e9fda91e46c1d0d5b6547ddc01c4dc4c59f20fe4e675af67e9dc2aefd9fe2c9e165cb379a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

Filesize
483KB

MD5
177ecf11684657842fdc4801a8df81be

SHA1
fade2898a3922d1639530320a4a8d3cc42e43543

SHA256
b64dae7d31714bc25098097a859d6cf6cdd0ad38f2fd2a741ede0e9d21a1a665

SHA512
ed2d01383aba84d4a3b48fd3e7fe2a07a5792a467d4a3600a2b06c9a9a4e0f1716f62cc95fb9908c777d1a70169524103fd5c8ecfc5c5b521045a673e8ca068f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
482KB

MD5
a61f50dd2ce8f5599441d58b10aa9d88

SHA1
c2308ed817645d26496fd2a72dc4b7971c879754

SHA256
a64e104d21dda7cf7b17afb424e9d9858731018852d635c60ab536448ee5fe4f

SHA512
701cdcda460b67d1544b38d128aa8b3c09074b05a1fa9461661288332a14ea076e0b77de4087f83bb230a4919b07a206190dcf32824cad1be477365fbdd21d33

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
480KB

MD5
505c58d55e8fffb57a6f1b8c15a65cd4

SHA1
556b58b48217b60d67c43be2518540bb785634c6

SHA256
72679486962e9ae4d0c1eae8fb59e679849bfeda0992ca7637692503ccfed52b

SHA512
b4b76519458248f42e0daf37557f5fbdd1c77c778bce20c5ae3dc595533c8d8efc3631cdb6edb471c350f796aedd8492aa7e8d9d1c639ad6e11e84d48261d4b5

Download Submit
C:\ProgramData\eKMAcUcs\CocQYMcs.exe

Filesize
433KB

MD5
be07de65f884cc694967acebfe076873

SHA1
a383b4ba2223a13a52d61027e97ed57628f1dab0

SHA256
86737c887b870a3fd72f41eb8cf393f59d0c48f7c4c28e426e1281969c439fc1

SHA512
971738f78ab7c493cc98e1e664c02c4af8bf41a9421b7fd5d0c342af07678e7cbc5115a7e63e77e0cfeba6cc2d1a2443a3673a3ee39572af50edd6d19beffb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIUEkwcQ.bat

Filesize
4B

MD5
49f8faa3dde9411416b90886ef61941f

SHA1
5e294f0a01a06290774a12f76bb8c0018d51f84f

SHA256
8b3661d98b7cda95513297feb5d8f9916b72762e20dff0850214b786e400c45d

SHA512
aa8623a1fa25eee2c2dc10b0c95e02581de7303f8ea4a9790208077cd712497d119ac401a8b2e53c81cc2f7316b8b6cbdf58befb340debda94a4d939238a0c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYgq.exe

Filesize
482KB

MD5
789612bb7c3c2642b4aa5fcb3d9b5de7

SHA1
7d06409a48a0999afed41844b0d92bfacbeb1b5a

SHA256
a58a14059d27569290a80d78d759b244a9d31bea3331e3368b3082affc2ebf15

SHA512
24ad7a0a2e0e759356f8ee116b91cb9054e51be95478ec64613fb2d5312aea2a5092e5a1c459149f21d08713948792de69778f72082496d4115256be30a2f0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Acoo.exe

Filesize
482KB

MD5
8806063adf00d9ac6779ab87b9783425

SHA1
15ed0269a4dd62ca94607a190a1878b8f7370ada

SHA256
87c5d66db3ca131b90db54128d75cf9555f98a531ea102e5d911d9c702a08d4d

SHA512
1b660fc05f595a63ca0f6dfdee99280bc805181d0334c5148dbd5ab0bc16f0cf51be7bf3c6d87ac8310ca996b70ca6522c11af9207b09d1da3fbdc29479a864a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAYgEUIY.bat

Filesize
4B

MD5
def4758ef7b8ca327c17d5521e8922ea

SHA1
d29d7b54bceac2cd2da33fbcb956487ed67b87f9

SHA256
ed7531bf5b98e5e0782797fc3f58920701b427d13cedda1a48b8851f07e6ff37

SHA512
6a104c7f13c5c4fe058593a8b39ef666c2b82563592e2b6b368af7c5873c2f467ddd9e2daaa8466ff4840a6bea8de6be0307278ac31c41942cfcb01f0472000d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAow.exe

Filesize
1009KB

MD5
ae26084b230f4e908a31b1b57a632991

SHA1
d71fab2374ce20934e4ab5db44f11d8b73a05ba0

SHA256
88bc6201d87525352cee42f05ceb07faea90825ecebd4f407319de6f9d56e053

SHA512
1ba5e847ae6f8ffe01e4e510a2dbf1fb542d492072799296fc2e86234e6220637f4b43a8e4e9b877e21fd815e3f93a81cb687a150664b543bdc0ff07fd0f32b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYQe.exe

Filesize
1.2MB

MD5
6173e8864f86d8b8a186f2e2e464f474

SHA1
a69f13bb88799b8cb075b810bb7c6f707347f41e

SHA256
7ba58f9846c88e688cf90ee7689843c34daddc7db56dfccca17dafb939c8188c

SHA512
73f9fd3596a78effb017a52500921832623332c206c940303a356a98d86f1d5214c2e0d608c8d6885be1b428c9a6b7fba59c40aff1184127abafaa0aeae0b5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcwW.exe

Filesize
1.0MB

MD5
369a228128be5886a9f3ab616006bb6a

SHA1
1d28ce7fd7786e00a637d2771b8c12c7b1a2d892

SHA256
b901baec6ea351b2b4cc18e6a9237ddae9a69540c9015b1cfc0b0776ba137a99

SHA512
df63207d70d6e91c2bc6a174de0274fec305f10783c193fd357dd1ece088723ed25d2084eaa3658a5a39197a4498a694dd3a95ab0aaa24068a2bfc2014129379

Download Submit
C:\Users\Admin\AppData\Local\Temp\CicscUgQ.bat

Filesize
4B

MD5
fdc1b9bf532f89a0112a137cd32388bc

SHA1
30e252818e450f3038288777235d4728737e7416

SHA256
48e9cd763b7f14d470e32b0171d0661899921c6823834debb1800fd00b2268e7

SHA512
7d898b3645eb43b3284c0ea037ba6bdd696bab3414d61a5fabcf2cf1b968166f0348c86b223a50048be5fdfb1048bbefb0e1ada7a4bc08510bc22dcb55816682

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkQa.exe

Filesize
484KB

MD5
08f2b5fffbe69f8c95a6504ed13f5f3e

SHA1
dd12cfe52f2dfcd74de5c7fb0f015205594605d8

SHA256
d9dd896c16994b2b2e4350a9d1caee1706d2da715d70a43ed1a09f467c9e5899

SHA512
094483910e19c581fb9964e4dbda3ce7b3610f128c602fb243b7ad8c3e2d92edc3a01c6c1efd884fb9e1d6785904042e68df55e066ed95ca71412a9083cb32e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsQg.exe

Filesize
734KB

MD5
810754aa4dfd715476b46ec25948b733

SHA1
2be3cf28c89831b7dd68fbf9624643c941375712

SHA256
d503be71f0dfc332adb47cfa3198784365a5fc4ce3c27d7be2dd24b0be823bca

SHA512
d194bd09496dca4dce720dbfd61869959eb95fa14094c67e60c9db80c391813b502283212a1a0c499fe45eea93e727cafe65c55ee3c397f7f9aa602b5a4fcb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAcYkckk.bat

Filesize
4B

MD5
484fe02924f81cf30da2c48b5fd97e67

SHA1
72e5c740d42f1083f1c859f0c1a6b95a3b129a6a

SHA256
08c97e59f68e05f2cbd115a2f5c51ad09e40d52166f76d4385c02e531ac517cb

SHA512
f8b88b37f6eab0919cfe8586aa5ca4d7414b3b336ec21741a9f0554b17bb469a7b32b194c27bc221f06af742ad7bc380dd7655fed5c9c2d6e73eb5e32fdd601f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkAAsYAc.bat

Filesize
4B

MD5
c9e804c82a26c38039a785773f88104c

SHA1
d2ff95dc8294449f161cfd523127ea348b226038

SHA256
e1699e82455670bb5587c293c0a5e4ded34c6cae903e3ff444c8754c1b2d0d78

SHA512
31f09fdd194ac87ca390eccf26c74234b9495243e1d901dd4df1eb7a6deb0a5ce70f260fc13105565eb5f9d037ad483c607e6fdb1bb3a45f1fc2ca86e8d242d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQwoAAoM.bat

Filesize
4B

MD5
3e1e260972f83d47f583978e1d8aece5

SHA1
823f7073493a96aa94470dfc966ca414117185be

SHA256
9571371bb9aef033f2b5a7ded5a746c85c12b9459c06454258122ed405834a62

SHA512
1db48578ff370cddefad8d06ac3172807a7ab7ae63b5660a63cea380bb719c7bce89915ebaeaf14f1fe1d4ab91d70b4f09b4c8c953fa94790d67059304d65319

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUUI.exe

Filesize
1.2MB

MD5
8fa6ff533ece06e1f5214e95c4ee0c66

SHA1
e11d4fb5ba6fbb64f53d193ccb168ef75de55d28

SHA256
0f044deffc93099b2325790ee306e1b5924299b890c70c5e8c363d4fa75f08a8

SHA512
2a817b557ab1fa73b76827a9220acf1588647204336748949991c4dc47763228980ea5251bb3ac4452014e633fe618d93b0a12fef2e172fd25bf05529cb5eb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwIQ.exe

Filesize
832KB

MD5
7c1893f3aa0de48970a5b3a5a1cecb17

SHA1
03a85d3e4dc89b906433b471120c1b722f7f1be9

SHA256
86a3b31146bdcbd176f8ada7d12992eeac562aabc525d19d3e5c30cb154aedbc

SHA512
643f633dddc5a991f4a27a5f0039e35df0d504fcc144d4c1c89f6026ffb4a459818338799144f0a32f132f062fc30f47632e43ec0ea3d1544a60a6c0c1cad415

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMQokAQM.bat

Filesize
4B

MD5
9570661623fa4015d304daaf9d86e6ae

SHA1
7d41f285822fed661ff3673e7d2d382d05c143ed

SHA256
fbc4154375408ccb765a1e26ca52a81918dcdb4be0531b66ee0c20d3fbeff901

SHA512
55f0aa076de774a2af07f0387b858ddae47d6382752c961f40f1a5b939c4b74a614a1cc2b523c84932ed0ed04b1a651d2f21512dd7959f552c4e4c8c459981e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAEm.exe

Filesize
488KB

MD5
b4d7c48d20039d5b389da641ec886288

SHA1
23294d401a37f9946c6845ba5f9a2274e0253e6d

SHA256
db38f111f5b94c44a9cf3beb8631de8f486646b9155bae6dd3d1825a656b66d2

SHA512
839675461bd9e7eb5310271439c492a90e67c7f22a8d553d0d9fe17a515e8b1d44fe071246fc6a201b1ea3567e1ce6bf93207d0e59a7e031ecf3cd0805b8416c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEgW.exe

Filesize
466KB

MD5
6bd4e7144afec63918d49fb341fd9108

SHA1
bdc81ce2137935493fce864695f5130c36ad2f3f

SHA256
8746b5fa6a8405b47c00ddcb89b22f9b0f6f0639b02722d93523c8bbbdd99b18

SHA512
f2133b1bf11c80ffadd815d64c83336f64d728644e9e1c50b782eb9bd2019d5c111308b41c3364041f6d7486e9797d0d47959ecf9c38390ad5961f3115e75433

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSIQ.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkIm.exe

Filesize
479KB

MD5
334298b26d2cba532c696d809953f7e1

SHA1
1da17ad884fd766054221d76b33e4f1064139c36

SHA256
64f59503a11d4dea2d5f1cabb4c42e6f6158e67bcfe81ab3c705b734fa0c8df4

SHA512
8ac996baf17ac849d072f62d7d13865ec07f6d86ac73e8934e21873c7fc38eaf023729e9a63e52f68c9f3f9a82cb6a47aa389fb716c5332d99adddcd06d0a35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwEG.exe

Filesize
479KB

MD5
641413c4dbf814a06995f5551469d0f2

SHA1
7bcfb2a5b2a95d13f11ba99f5e2aa69e4eeead15

SHA256
d1f60ca7aaf15afa49b3271143853bc11359ad44d332e1b4e05e2220d27e8411

SHA512
b68b30e243b3c17c074ec9702fdac2d09d1c1b64f03ad9dbd98f1bbccf0f25eac3366edf52e97b268d682141d170449afe6f07d87255cbdd81c0276766318b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwEc.exe

Filesize
478KB

MD5
8e08da05af2b00f929c3e65a9b9ac37c

SHA1
682f6a6dcac4d081d833bd05b724c3e73a7b5471

SHA256
d70c471355e575d97998fa99a85f1d1febf9560a72f0a680bd1b60c5c9ffcdbf

SHA512
e1312e7ee11d98afce6e9f16d532d1caa91180209651cecf865505475c73d1b648fd34e45ba115d4658a02dcb51d0f4dca858d0d29931212c633f59770ae20c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GyYMoUEw.bat

Filesize
4B

MD5
376ff46161c1ac743ce357595ef12537

SHA1
59e7edc7b1675234086ab5105c75a6ccea3f33c9

SHA256
4eaa862fefe10e65223a4af1dd1de2704ac406953c31e8bcc5778d54b718c871

SHA512
b23460aaa039d682b295a2b61cae466abd001a1322b8bd4c1f4157fee66df0c25c5a3c1d60a08a5b1c633e6286f5ebec4a58b09ad1ac9eafbcf49871eb027baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSAUwscU.bat

Filesize
4B

MD5
e1a14cc5880a751c459670333f8b8729

SHA1
971a670c240cb4a397d1531eba6182a026688fc4

SHA256
091495175b2f466c85c8ace01b802a1699120e6b6895ff75e7f37d9a28a83187

SHA512
3a15a28a60cb990d5b4d9a0e13eea74455f0c94436c6b18cd103d43275cc259c23e909cfe4f6f43dee8cd4024e3a5834b85445e4d87e00eb8a2a35df7ad13774

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkwsUggQ.bat

Filesize
4B

MD5
f22074b02cf5219435a0db517b10ff86

SHA1
bee223e26c9788b338cae31c4fe764caf4917735

SHA256
6e64cfdd4f5e5a31a80bfee02916317c795ee794c0e0e62fe3131244909fa81d

SHA512
43d322b8219aea17bc645f4a427ca7c0f662226ddf1847a9f8c3e671d810b3aa3359f113f2ddf6ec085d721b8e145d3dc922764ed6ab40ebab457658ea85c6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HoIwowgY.bat

Filesize
4B

MD5
06aea03feaa955e29f557e69604b2e4a

SHA1
01e33ed9f681326e2bacee25d85dce636e11f2bd

SHA256
b4d4b6472ff015f8cf1a7a1d09c8bf86fed019cf25deeefc82cdee1673d04f92

SHA512
1bc7fd5b23a4aed2d48ac39f3c59c4ba3d9ed45a755185b5188bc349d3464d6a94f54f3778ae6cb4a064e536e7a3af7b3e68e4ed1c4ae3ce1b590365d953d825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icce.exe

Filesize
484KB

MD5
5076616754fd33abff828754df0943e2

SHA1
0f12dc694738a02523f5d088d4b1ac656984eae9

SHA256
f76122ff6b56678c7ce72de6c15739057ddca431b6b69b9b7efc4a59f4eb751a

SHA512
a3ac889f94993d7afc535c6ec290b75699fe7268e08746a5352053bc0b551bd54f0dfc8260c23cc5c1dd1dbbf2ef34229e195b603b4931d01274ba595a7343a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IiIcIoEY.bat

Filesize
4B

MD5
96f593c261e2d74d11453e9c20232496

SHA1
d352c4d4ad7bb0f0a9548489c2bc5b2fa45036c9

SHA256
ac4258176615e61a812b4cde6edaa0449ea0e4f9776251d97905ce09b8beadd9

SHA512
8cf8166e67ff475ecb8b3c00eaad57bcb8cd121a1993466ae3a0bb121a4b50763f0fe8b11e7c599f667b3e43b0eed2e065ebfd91ac4a5301e871422c6ea60161

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoMq.exe

Filesize
480KB

MD5
e48469d48cf7ae977ccaa7492a869c17

SHA1
03940cf884ba8fa1cebc78639364e373c56bab05

SHA256
aa2cf71f5b79b277fd39ff71fbe1be913dd1585601cd9456b3b20d05c33241f8

SHA512
14459081b369b13e67c5b75c2c6b9365192c594ba9b7696d3451897a8f3c14282e526f60a0aca5349bce6553d25108e3833c4fbbee8065b7c7c2d8ad68490f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAsE.exe

Filesize
1.0MB

MD5
3e5730a12e45e64211b25c4abcbe6fe2

SHA1
b47b6be259bd1b2f5a1034da690b8e6d94410b6d

SHA256
c565a26732c2f05d2ca916e04d2ea3c5b38911d1e5a6d02688af49c573f62b3d

SHA512
a110262f11d9eb3f6190d8144e89cb9293689b3645e3246c27790623aa72141dd544ed228c85bcec6766ecb45e0cc15f4119648e4c7d279b9a0fd99e6da25b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEME.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kccs.exe

Filesize
485KB

MD5
33aeb3cd8193c54d8554f14856f5bde7

SHA1
f81864a46f8542bf9eaaa014a2529d3ffd78766a

SHA256
ecded204e315a5a37b3b70c69666cb3afc5d3c9e118e9a34d5818b9ebeda3fc1

SHA512
82db2825b0f404710f1f2e19e008fcaa1b1d4693ea62c8dd5b1d25c927563d346d9f8a2423fbddb2c87318554b08b6c1ab476264002c66a083ce5890803211a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsYIAokI.bat

Filesize
4B

MD5
4b1255eb0aca8959fe8cf83b807ace52

SHA1
d6cc55b5bffb76b1e7fe7e8f3f70a4acfd5264a1

SHA256
89f8c5cfb688c098d6dff8b69df0946660d61c53a43843a0904a995dabe9ee72

SHA512
918c93feab93849dadfca9ab0d29a42dddd3a01f646fc4b93fbbe6cec25d265e9ebfac8f6d1c20bb02b53f5e7325fec2ecd879874185285133a117ae81025b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsgA.exe

Filesize
948KB

MD5
d7b8e10decccc8fec7e87b6086252bfc

SHA1
8d1e8c813bc0850cdfff70a26b94ab341a34565f

SHA256
be54e3a086a25ebd59842fe362893b1cae4dc3ad2197133a93ce4ee385997b05

SHA512
4df1a4777520205cb3dc4c63df1357470797fcbdfa5b0639e727dd175439fba6a938b974588875a73fdc832e57485bb82321e00e870eecc38f3dcc260dcbabf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwUokAkQ.bat

Filesize
4B

MD5
ed6864b6c0fffe3f905081a4ed4aef97

SHA1
f2efb21a1d8008ef847748a2e35de752e488f411

SHA256
4b4bbb69fc857aa0903bcd196ab5ad1e64c1d3778f57b5f368a4a18b155a7c47

SHA512
bfc382bee561e82e4b896e0aa250954650042ea897d5f711f65efa76e59782433736bd7fbc35e3559ed086db0f9345d676331d3693e4d4245b4b50216afd7b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWQgIswo.bat

Filesize
4B

MD5
b0ad5a833e93f687ad2e452459caf61e

SHA1
e2497aa31cb28bbdeffae93f15d1c9a583654eea

SHA256
29a3918d3e9ff41728649bf7c752adc3dfe872609b186661e4e47a5514166a76

SHA512
540ce0570b6c2c9c06a595b5475a9914d41caa399c19fbab6ee3a78ecbcce902254907a807500a9569f5e32e0b669da641c9450215231d745da745ce8eff1466

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogkEAwk.bat

Filesize
4B

MD5
4449587ee9cd0aa241c61b093ba44655

SHA1
4a317e4910d23e762bcb128e02d7c92243908d9b

SHA256
5ea06997576ac7ca69c9134ddf623ee57d03247f785fda82fe8f0d2be3896ba3

SHA512
1264cd86ad05a64200fb909320336e56407b9d5cdb1b858d0b6f28cacd2e1fe3721485e4974ec3f5dd37c72ec9f58d1d0a16c34be5d6a9ac839f2f0d487f1ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMa.exe

Filesize
477KB

MD5
d605161eed31464f5b584254701547f5

SHA1
6dfa3512e457f5fbf24bc9b6397a9b22f3a81cfc

SHA256
3b2f66ab3853c0ed1215ac07cea5709a0a414a63ec76616c02404d2a0b3da685

SHA512
25bb2bc51f827b91545ea1cc7c45210476ee64fdeea48ff3a98aa6cc03b2ff1986391dfd7a8f1c16835beaa6c2a29e67454fd17be1a6e6a4922abd2619e2bd0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MKsMIkoE.bat

Filesize
4B

MD5
d347b31741656741cbe3826ea1995730

SHA1
321ba7383fee7e21f698c6bec1bf96dddc969b00

SHA256
42d85613547a36ab3715a0300703a9f08c37d7adffa69909ec6326154312001c

SHA512
fdf59e592fe00f143b0386699b834ea2a541128dc0e05860ed0fc678400be7289157ed960d709472e058b3c854957c1dfb647d940db64a852093f109be9d1f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkcG.exe

Filesize
889KB

MD5
1175570782049aec331a4586a498af12

SHA1
dcebae299e10270e9914bf8cb9f80e91cf12f2cd

SHA256
3b6336299c07d1ea3ee707143bea8e8a1e8dc69a3d64c297adc3ab4067de538d

SHA512
077d7f7d74fdfc6ab2414a94d7e575e37c83512d73ebf1ce7ad122c8f030b0a336c10fbd620a122b1ecd8c369cab1f51a44531c114d0adaa153667e1258f795d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQsA.exe

Filesize
761KB

MD5
8a26cf8d35179ed1df73456ec93b8579

SHA1
d7c5852a89a325aafa611ab035cbc62e7e63e85b

SHA256
1966929ffdf1e525ae3fb10f914aa70a3d002fbab82f4c68adda57e2b16f8f2d

SHA512
d423d00f60770890aad681613d71884e08d662daed74259bbca1589305cc63567a057ee7e8a16c5a017861a1a7e5b44c8dfb325487c528bc1d005e51c269ad54

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgYYMQYI.bat

Filesize
4B

MD5
daa0946b74b594615d16d01d0f1049ac

SHA1
e721b1bfa211d8aea79e45f3a225b1ab5e74e519

SHA256
5f5a6ec524d4c8850b44c88f96833eafafa77642e9e10c2e348edc7791ec223b

SHA512
4f8390d577ca953fa8037d8e39916772692aa983dafa543dc2d7cc7fed103b60aad0df6635ebe57627aabb4001d8e0411cad52d78dde2f4dd9f49c0ba72b759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkEs.exe

Filesize
477KB

MD5
a3913a6cbb779c0055fda89a1c264876

SHA1
ef590a267cb6749dec66ffb70d545d45790efef2

SHA256
dd501d16cad2bf1d1c8d8b873ab2b3000aacac8faebf94c814c1db52d3ec8051

SHA512
08cd479433b3683b4424bfb8279a7da2fe3699c743f3830f27575e9717def575629fe71addcd5db5cbd373fbae47825c39bbacd1b566e26b457365f80f263037

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkYEEAYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoMe.exe

Filesize
460KB

MD5
c63e190e5abbeba0e24a6a77ed1c243c

SHA1
3b3fa453e5b5220618869084724991d99f546aeb

SHA256
0b2643a2be346765368c8ad81f042a2d732b6aaf442df6cce12975cba69b2fa3

SHA512
23768f70dd20a5af0777ffc44d3dc3381475b98637d7f883d02af5e033083d8e36d3b4b07f20efb4a374d7685554b9ea988d05ebd3c96a5fc02f65a654ebf639

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGMwQsQo.bat

Filesize
4B

MD5
56b11b4ac4c8c06ab750f8d1d37677d6

SHA1
6a4fa1c4aa7187cddcf25f3bdebb0454ebece575

SHA256
e2a1efb84e631eb96aa9d6550c9a2e4210c673b678702ec5f35bf2d67ebd74e9

SHA512
3af4da27fc967d3a53a5251aeda4b84b4697df7eaae3eea54d108338de54e70d75d3ef24b36cb8ba511b8733c091d69b1f9fd7b3356c622dd983c84992d7552c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PmIIAoAg.bat

Filesize
4B

MD5
89981d743ca627de81d9197d86c0bb97

SHA1
04b4827437aa78d2a8e800718e9a2767c7af58f9

SHA256
63a70df0523cace81198a1d36fdf7c27c3b4088fb4a11674f2f3087c4de66ff9

SHA512
fb18ab625aac4c11baedb0ea908dbb3b5faf10f2b9ce589eecc546fa15f29197d3a419b01913b5df7aced32b94684d501f0e7482da6050b873df995beaca1dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAgI.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMws.exe

Filesize
443KB

MD5
4c3f1221fb2cd6b3aff5f793f93a47b2

SHA1
d979ee6f7c10d0d18cce23ec4705e9ae70a0e03b

SHA256
bfa9ddd7ea7042264450730c0ac7ee882ca622d384a70fcc6d29957479a366b4

SHA512
23da5de7a2968c659ed7dcf880068a11e4d2cedd0a2b3338df1b0394a76a3ba146f4b867aa66e1645058cd6eba5fcc6a6b132689a31a80422cbdd3150b36c337

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUoa.exe

Filesize
561KB

MD5
6468138b19fe63ce25e368f3b2767324

SHA1
a518e7ed01b85fc81aa08bc9ce3fcb9b6454413a

SHA256
602462b9461e91b7547e6c0edf9724e8c3fc37493c6bed8891b14d1d9a059c8a

SHA512
0fee6d1ab0e808612a936944ac556fa31939d52a941f08f90b189f34de18ab42a65dd110006b8c13f86a2652191ea6c00da67a6f3c5cfa1d03de3fbf6bdec0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkwG.exe

Filesize
480KB

MD5
268651da4ae41c3e7f500a98401eb09c

SHA1
aafec77edb9daacb1653b9e689fd740c30a51392

SHA256
4e8dfc3ca9f50db6d57567daafeedf606422c6648dec669dfdca8f096b5d027f

SHA512
3ba0864d6c6dbe0859fb6d358a6d224289508fab8767f2d476af0829f1104d69ea8f57cd2ce11736abc063ce9aacbf9b4b819f22c90bbe7bee2d3fa6e76fca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsAIQEok.bat

Filesize
4B

MD5
fe90791b57061fcceaef8b6d02616f7a

SHA1
64ec13b57d2a82d0a972692a13cb51d43151b8cd

SHA256
608b15eb5781ec298e1b8b3041e6b2c2324e16944b474ad01f7634113dacdeb1

SHA512
d360db8d29fd8f5493600d1cdc6ec00d94912ff06c597cb6e530da079f0d31130ce7ae6d232ad6f3f65107f0ae92fc8677c3608e20ee67c3404a14154bde8f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoQwQkMU.bat

Filesize
4B

MD5
820e816e0e8a715fc32b1693e6f4d216

SHA1
e7b0dfb5230f3386e8887703f6ed0a0f416535cf

SHA256
0e298bb07f1bdc4eac4a5836440780b6bd4c65224785598f78695f54fda4cd72

SHA512
35a81cb8c797077ece471de354b14c482d5bdb6c09b7b93e69907a3493dfa952953e757f6289cea6a82e6519ef8962dc7d11c9148485e986ee9cf2520814f63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAEI.exe

Filesize
480KB

MD5
29d722c1004aebce8c15bc6f35cdeebf

SHA1
e7e5a1314cfd43c8f5c008a8a5fb3eff9fa6b7d7

SHA256
d1d3e3ca829a70ed1896f0846fb286afa526c8aa16bce00e6d02281bf5288bc2

SHA512
4caf06dd7aace13446eb8a42e43750c2da9124fa9205ae74562e711510231242755f0fb0a1e67b68a3962dbb509cbf4f2e93613822b46e4025d96187ddfe7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEos.ico

Filesize
4KB

MD5
9848e0173c8ca1325db2a20b2d8bff21

SHA1
c4cff05a5b4bc7cb1dd687e799a6a12d7058f9b1

SHA256
8018e3bb08def89f0d13393e54e6b9a8c6e3cdbbb7b9f0b7f49cf228703f9b00

SHA512
967d1d3a57b7dac2a5e413f6972278938d7bbab192754498e50d5803b8d7370d48c9ec89938f4d11395c0ae518aa48192143b8621c665eaf1bcdebbbd53caec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGwIYYQQ.bat

Filesize
4B

MD5
7f3e463bf237719707a48bfd9e7a5ca9

SHA1
1e7518cd5d18e8a27912ff8347b047afb805e149

SHA256
9c40266f8cf16925a383a432c965adefeb4565398c3e29d91f8581729be71bf8

SHA512
46c3e1c3e516fb3d802be3c26a7185f30a87bb32c71063cc8addf52a11b4f67111d2fc627b6cdac6c78ba3c9928624e6d1cb79fac499d1f5778e6c0e92777194

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIkk.exe

Filesize
473KB

MD5
ba4485280db558c05d298aa81c5c2780

SHA1
59ecfc03331109a2a14d4c40a99b5bc086db92ac

SHA256
b268418e2877bff8916c712e74107ed47f9d452c73e9d927c0a9acc21971f21f

SHA512
e580a5757eb64c5a3326235d4290d50bf99791447a96bc670532e8c08556dc167044e274ab14aa7ccb2f5a5b788d99a3d4b2fd8346a89e7ad8ed4b26d6e93c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUIi.exe

Filesize
482KB

MD5
533091b4daf653e0152f88078f60bb85

SHA1
9890c6dabe1476393c2a07f9c4fbe9908b967893

SHA256
dc0a5cbac98b3a42cdf3daa0d7b3f1167095f3a7a82c4511ca89f25fb9297b1f

SHA512
bf735f03e3b447b29a74fa9667bdd1c9a6299561ca9e963672d90aeb29eb293563a3a3aa68e63bad3c379d4e7537fca537af1da14f06a226caf54e9c4a067ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUMs.exe

Filesize
561KB

MD5
b0410d2e0e312df39eff74d572ad61cc

SHA1
e6c568d2a05a2148d876baae46033d6a79145178

SHA256
a82a06aadbc46b3b86ff2ea8a4b5fed6760a1915c6b28b6b8c06080b7eb98a40

SHA512
9f612dacd039c6557df4083394ad1dc950b6befdd36ea32ffe76c5ba9fe102510256ad015a64c8bbe55e8aa615150f561fe032d56993d62669978288a2351a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYYUoQwE.bat

Filesize
4B

MD5
27df9f9f7741cba4c21d3b66960a8bf0

SHA1
2d2e472dc0cdb512f7b486584082fd187719cfbb

SHA256
8065fdfa657f557032b631a41714c6320d2aab5b40eef441f5740610cdcb4064

SHA512
9e8adf33b6c537ca9e9fc41f98e189e519bf4925692161bccffdffb3bb887185651c9ca639d6c15a9e8d39952de97fe59fdd406b983665b7ed1f63d6a8f1a152

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scke.exe

Filesize
476KB

MD5
6441916f31f3f0c292da67bee77ef6ed

SHA1
3e0be4fdf6534f9f3ab0cc7b554ef20c3f200337

SHA256
94e164f6af2d50fba698f21f65a56ed773eb83fa08607ce667a50dd361352ae1

SHA512
f06f68e4ac1724a4eb9bd445ebaa69899a0a804ec7f56f6291fa3fa8f4fbf2b09680becf11e9f56c35d5e1661c555754f35f1590b17f945dfbe16b34ad5ea60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgUk.exe

Filesize
477KB

MD5
6eb690c324dcc3d36866126324154e99

SHA1
f5f91dc182a3896215825fdb36a062f1b9082246

SHA256
6fc9b0690a64a5205b471a4497036d66562f7342b1f55551d87d7202f3ab35ed

SHA512
64444d1c6ed4f5fb31b9884710cf082555cedad3fe2db82f5306a5add5e38edbddfe700e315c58be2044bfaff7a70ccb1dfe25c6d10fe86a0e23a1eb3b1c63a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkQs.exe

Filesize
480KB

MD5
87bce48d89c9d9ef2195c2212dbaf408

SHA1
e805f1622b598deed6d7dc84076459a8aaa4fbbd

SHA256
590c9fd5a607fbccfc294dac04a877c8b5970b566e560fecc5f484adc150495a

SHA512
808101a7c139a4b3d579cbb0569d5da9eca86bbec2bd58910d8a1b434868bbf29d176191aec9afb2e2294c531ab27ae8de110a13309062c51106383eda9c7a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\SogW.exe

Filesize
480KB

MD5
7ce0034ea21c04cff132410457228b2b

SHA1
14aac88a7af6ccf832d806d69edb95998f9d7c60

SHA256
7e6308b9516ff02dd0c4531c4ee3209ac743e303bc60360275942e2ef461ef72

SHA512
a58d996c63f75704ee27e1cece1cc971663064a6ec80c901295a0932a63d2a389c53cff30a22d4fa0aac3d5b3690fe698cc125cd4259db052af8e7ef8a5d696c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SokQ.exe

Filesize
740KB

MD5
a5d5262709b6e8df0282330b87afb226

SHA1
2340881c769a3799eaf0e4868a53d8283f337aab

SHA256
10363a84921522f19923e75b542e4fa2dcd07880ec9e898406c59c0e2c1405a7

SHA512
84246fc9921180761ce1ed5b6b3d687ba7724eaff65deb27302ff18bf9269c231b03f7d995dda64498a487e34d26a5ae15d6c7577467ac4e43d977d3191d8ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEEYcMYQ.bat

Filesize
4B

MD5
ffc495d647ac50be9cedce1b9653cb94

SHA1
de76b4d2e6042a16a660de98b2ba558f81400906

SHA256
9a0cd7ce16031acd6381c891d1edfeb27327103cdee0a2c516c4f19a61bc0326

SHA512
ffdb8580f3c1a5d51ec1218574008c4f38f4daf7e218a10aa7d4c3cd7a36ea1503bd52f6e00dd2025b34719e3d6cbe32973a782510791362d34f785fbff21875

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEkcMMIw.bat

Filesize
4B

MD5
93b648d429b4b9de156ad0d7a8cb09fc

SHA1
c4b86d62161a9e9eb089e955379be2052aae2d25

SHA256
339f42cefa675fbceb47c6511e089cd933c382036cdb33d6363b3579dc97d85f

SHA512
5d38143f8702c32b1546b5daa15382ea58c10975306541423b585caa0ccfbdb9a6689a3e052d5226f151d8dd619d72a850fa183f20a4973c4740c4832a20e2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWMQwMYs.bat

Filesize
4B

MD5
d36b8824f8beaf52caf5714a22dfeb6d

SHA1
93e2636152062ceef76cdd5a6cdb3da015d783b7

SHA256
23b5f7dc21c68f01c65c3817a809435384208481556116f895f261a8d2152986

SHA512
1832b6827be4f846657469b05c7214b3649e8bb154a68b7484dda7973b297fb9707f739e5463d88dd725027fec99172a7c06d282f167335b174aea84d58f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiIgEIck.bat

Filesize
4B

MD5
afea53bb6d783d8eaee447221ffb1bd5

SHA1
f5469ddfd4491d80ff5f6ec3e03d4df0c4741687

SHA256
0acb8e61ede6a25f2327e6c4801b64ca0a396958fc1e2db1027d900ffbc2f28f

SHA512
4ed7010b997337c34f2377b70730580f897a928fc584d24da67970725c581fe93c86ce17ebd262bda78a0365dd209d3ba66f43de054dad0ec3eb522724089903

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAkY.exe

Filesize
1.5MB

MD5
6500f9df7543629207e4d6b4c299dfc8

SHA1
204235f1437decb3b7eda6e7d5f076c0cb8eb786

SHA256
0fde12993858c991cc3f771352977bf377647f9ea83bff604fb3f06d5954ab91

SHA512
8f827ceb85ce846b82a6929e408e98f919814a53a4e141c528a9e0e956164d0a2793bbb98f50a3aec7de9d10c1429784e93134230213ca202797c36075e358b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEIS.exe

Filesize
481KB

MD5
305ab81af568127a7a0a9ef121256aa1

SHA1
f4ccaa3fd14fa3f5bab366a955d153dc47f18c66

SHA256
17edb130a98e20c449f05e0d64be5fee5f7e87d2c205de41495a0b679af1d394

SHA512
fc2a65e97bf68dc805f8155dd440279c3bdb472e15d5b6263cacfb7f7604b8db2b3109247e3064df3a5e145c67d7c5003e800af0777621c97912892bf6893879

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUQa.exe

Filesize
479KB

MD5
c2d3f6c20ee639fb49fc8d3c029ed12b

SHA1
a9bb9a2d44b2ed0eee2cd779ad088825e1d04c67

SHA256
f52da7f96c7d2dade899efa4b639cfbfb90d9999dce1e812c603d47a80f0130c

SHA512
708c899c2a8af284f4961501f681d5d7dcfecbe1ec1a4d2ebd3e6cdc4a441967c242160622c7204a971016c3fa875d8b4b9ffebe01370b78524ccbfd6fdc4380

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWsMkMAA.bat

Filesize
4B

MD5
d8ce1225445e12b3e8ad2ef3e16d4296

SHA1
81cc58b1fe07201215fa2236391719e64cdddf6c

SHA256
9f3e322fd39c4a9c9317afd09906bcf7766b6e7a6179f19890db1ed954adbcb1

SHA512
5c201c131258691ffca9cd233c0ac623a3122015e1e967ed3cb9c54704f9c193a556bc82c590e2a88ffa337946064f5b474ac5773482d5aa8501850d0aa9694b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgYA.exe

Filesize
481KB

MD5
76035904214d462c5ebf8ddf76f3e74a

SHA1
bd6a1035f92eb18fd68d3ded3a5f57ddfff13170

SHA256
5aab97f8b90d8d103a9fe778f9849aa392f157d68d633d1a7113fed4a3ae1987

SHA512
066b5453325700d5592d014ec014924c06a4670d35c4d570c80a73dd30c655dab10e3179d1e0d76d32a3e69e4c31b7142705d11ed2884db4909e781fe9e46ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uocs.exe

Filesize
472KB

MD5
ad72d5adb7c77559c36fa4708649a8b6

SHA1
46afea9e282a453e856d19c822fa4acd1d9d83fe

SHA256
5ee96d0b24e0e964cad12c3397cd7ae6d78118390efcf1b05cf728f05da2e435

SHA512
d879d19c75f010cd056fa62873f355aa19f753ce02ad0f19e1070b844b8a5983fa35add9a03d74ed78e2a01470f75ce9beb483231c2336c3965676d6e5ab4476

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uoos.exe

Filesize
479KB

MD5
1d808f8566f6796da7d92a5a6a03cc3c

SHA1
7e4af81c751934a472fbbd7ae35f15b4a2a21393

SHA256
0cd23c3c07ee85a051a70784005a561c767aa582f724ee722b738b0b79f61f33

SHA512
a151769df2ac5e2ce39ccac67240b79fd8b9a16601b5da71bb42d859f9db0f392d5b993120775055b85811eacb370ff3fcb1535b4578e5455b18252c9a036e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIIu.exe

Filesize
484KB

MD5
44ff325508b16acd53f0886945cc7772

SHA1
d4eccc138ac8d9de39fd8a2f4a21db7b4026bb3d

SHA256
0766eb0d991c04db5b29e13d0530958900b42f8da73c0ce78b2995a791e8a87f

SHA512
f31d21bf5d373c102e82e18f3763d43ebfb927d60fee196452e52ed87ca4d1046235fa8a9fc8849f3943cea7d08443632fe4ea8dd75bbdae3e28bec2f0f89fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMsq.exe

Filesize
484KB

MD5
84049b20361495a50837a6d6a3b09a03

SHA1
920575fb41697e7cdb7143e5433542bcd2e0e63e

SHA256
00d0329ff810057b57acb65971556fbd3ac59edcbd7fa3fa10c4ff958bbe7f34

SHA512
e875ce2d042e29b1497b3acf58ce49cb0202d723224536d9cb1319eeb8befb71f62daed02f870b607f0bbfd132bfa5221ae738028fb238bb58fc42e3ec537cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWAksAUc.bat

Filesize
4B

MD5
8cae1b6e827685f86528a3a8731354a6

SHA1
cefbe17c894b70c3c80a0fbbf6fb7de4a7bf9935

SHA256
8991debe51a3b3686a0c099759776d601ff09f3b2dd6981f3b9053988cb58902

SHA512
a8fae985e16aa0aee134b2b5df714b32ea0dadfd9cddff3eebb648aa65d046762474ed2440bb18d31476d2f2e5ebc876e0c2e55fc20a28b7a4776811060c5327

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgEO.exe

Filesize
871KB

MD5
d9f4928d76e885e1f15634ec9401eb67

SHA1
e23d2bcaf974d4935c5b741fe027dc2f702ed564

SHA256
cfb3252eb07aa63eb66b7475afb9c7dad1ea8a4711458eb935ad8b3b71e37b60

SHA512
a755412d7a8a17aa020debaaf0cff55215a36ebd2b7e9084df255fef8741b728148f65e2b48b89a9fd8d8c0e4d11193cf97ad9a2d7555d9bff7aef5713576615

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkAg.exe

Filesize
482KB

MD5
d0f81ca3758bc2f892c8e7f31d485ae1

SHA1
bda5f19a413d910879e25e3568b97285b916ff76

SHA256
b4be776bf0fd4e9c5a7a6cdd349d406341552f5fdbdd6aa77cfd36ea3f7e2520

SHA512
3255aecec5ed320cadb14a61150299e7572526386b1bf95be2f75632bc9ba12ac89e65a4c088c6a23d8d18822be321a566f444a775d8917be885c20d9b21f0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkEQ.exe

Filesize
481KB

MD5
7dc2867275d365906426b3be28aafa95

SHA1
66a7e497790775aa28391575132ae887d6736eec

SHA256
47f6531fd9ec1b6887e0e89693c01e0d780042c5dc6ce9f22e992152ecc42bb8

SHA512
22d420588c8d6e943b6f15c04fc4d93e414321fef759dc52f4c3ed41020019554facf1d50025e87cc7b74669e7f0c9647eb6e491df5869846f1b899c17854267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wkom.exe

Filesize
480KB

MD5
28b0fbf7bb996bf3bc86a586792376d7

SHA1
e1ad54cd72c08dda08b6df76c9a9b889c1293b99

SHA256
c2cdebc7ea0e6d8a852df3e7873e1aeb01c2dc71fef720eada8fb7065546772e

SHA512
4dc29c4e45892b73496286bce3418b02151dfef33a5b4a0babfeeaefcd3a0f2e7dec5eeb45d5bca8c2338f571e66e1614f93b5a497737c2ea4878e02475a77d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoEk.exe

Filesize
626KB

MD5
07f73fca9b4767306af07e59cfc9a66e

SHA1
e68447938f879174604f07dccbdaf91228d2a586

SHA256
347889fde68543f1de6727aa16bd685d3c0c0fbe78b19100bca704ee890fe5af

SHA512
08cb0e7a5ea22c30f436daaa6a1f48d616a27e5ae3d59ca8bdfb82ed21cab9448e2eeb9868f222182f5f7a457f50f9be53c90b8e674027d1ddf8826e3cf7a255

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqEMcMUI.bat

Filesize
4B

MD5
38c1f16ab19c1981e7a05110cdbb069b

SHA1
fc8146ab7d7a367ff29116055259fdd709596f52

SHA256
330340117cd0d9026a4f27225f0cce9ce275e11a2925bd3cacca628ab003b609

SHA512
29641b438edac3558fb4a3adb9e98e754831cde0095cff0a338dcd353738924f703e19fb283f87011ef8d7e44c531f577a0f12d01c7fb598e2c5be28e8d2696b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsQG.exe

Filesize
921KB

MD5
29b9b36f9bc3fa983c4d08775160b341

SHA1
626116aa61ffa8897c3ded278e629530e3f8a80e

SHA256
38457ee8ddd0e06efab400cbb6ab815348877f78d8a7e39eb56ae76192d8f398

SHA512
3766ca3841c51c5fe2804a85a6b052b4fa399901305f33b1a31547a7365f9555e139299c570846394a191b4f667e30d2544148a657866b00c200508d3f52a012

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwos.exe

Filesize
480KB

MD5
13e00bc69956f986472ff64ae43caeaa

SHA1
50bcbf61c7d1d929b922a6dd7415a12d5cf23870

SHA256
5ce558c98a2459027579774f6a4deaefbe1a96c8c0369142c4a56818764d366b

SHA512
b8db2f72bd753ad4ffc508d462a87fd058940d6a94ebe948efcbee79adeea16fccddd4e269f9eb0346500c4dcdcc21c8a59bf518fa708cb42f556a09dbc35932

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuUgMEQQ.bat

Filesize
4B

MD5
36d15172e1bffa2ef55b6ae95dfe832f

SHA1
b20d1ac7caddffad04f374ccebf55d0d53bb9634

SHA256
78688927c3cd7026e8debdfe91c03c04d1f980693a742beebbb159e53a09d5f5

SHA512
9d6ac10e9f7789c51c7e4cbcde60c105aa6b40f18f18297e95eab2257e78e9ac30ca30842be409dbcffc1b030fb3e57794b5502de027e752b3b80ea4dd527b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAIK.exe

Filesize
479KB

MD5
ca7e74433396f96c5abf8402edc21ce8

SHA1
6b8ddf46868060e624eb21c09ea5bd4ef755aa82

SHA256
fbabf6277a436c7751060d41088ad559e6c7ef5630ab65e58673f7ca4494d8a7

SHA512
ae877dc0f210d1020fe4d99ae16484fe325f39c7866dda5d356decf58674c92512135bb55be4441ecf54e70824be37c5e5ddc435ac8198263511d7a7992de71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEAO.exe

Filesize
638KB

MD5
a892144f7aea866c68e2fedffaffeb0d

SHA1
b54d6580d0a929913923bd1c5430c3b43aa37d29

SHA256
fe977ea50d370238edb702ebd3c925b69545df94bae57068b49b3e468b6cee23

SHA512
7437379266ff75fc9a90dda4dc37cf61d8aed55d6b752fe1817e036fee40fc90ee83d9632cb1414a2af2eb39d2608ca0b8183b6bcbb7ed467c7801abefe87abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIsC.exe

Filesize
995KB

MD5
d60b62503cad11ee3bbc21639c6da5ee

SHA1
8c4c4297899e89b41c0fd92f9332699cdf521087

SHA256
aa5dd6c973b840fc6bce6c011e79db5ce2d09d945dfa661806ebbf852009b439

SHA512
49d5bb67d1272a3b2c0d2a58a92f6de0b4372fdd4f8b8e5320763153154d8b04bbd06175fd4d1cf68eb19cc5010dbc7af96f0d1cf52082c52938d74ddc8d019d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMgG.exe

Filesize
441KB

MD5
3918a6a13af9b69fdd960a5cebdb9a1c

SHA1
033b0609ff8dd36dc6d6a9e8018c0d977150c61e

SHA256
6acd3942690f53e4ae6b09ddb053609f77f45425ad682c69a99d912a015d4962

SHA512
e0dbc99a0e40497b68b3d6dd7c979f865fb2dd2fb8abf5f44e9582ed1792c5da7e288df93b92b8e256066af29c9ff0bb2a2b7fea59d27df1efb65cdac30bc182

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMwC.exe

Filesize
478KB

MD5
1c0b137c393afbc001d13348dc3b78a8

SHA1
9179a91981b6d3eedd3cdbfbf4c1160330d55e0a

SHA256
9a03a94491f27ced5ad12e5faa8e81884e70f8695eba96c4fd0c022fc59b593e

SHA512
1f9b642347384c2440d776512a2a21f90b6d08490f6f8a22c052c91de1b6ea5ec8b5578f85c2c67f39f55064cfe71edd0d73f4b97099996d88ca5763892b1c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQwu.exe

Filesize
875KB

MD5
99cc516ef75168d277c22c896bb70681

SHA1
e287532e42734c8311dbce2c9cc1d70b5f82411b

SHA256
f9daafbdf0074f181277abca2c8f71a2b50a0059f9ce80b261527b4db25eec3a

SHA512
2bcae9706ca0a591cec72a5eff04b392a8b2a4c86392a176cf22e5d33ccefcc548348d6628a365e9b6f4b06ff3ed137272964a1715ba21427abb187fb767e694

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYwq.exe

Filesize
480KB

MD5
674ecba4e7891a6de3b864c6c4138669

SHA1
f878a8fe9801dc912ea063ee770aba5bb32e0a19

SHA256
ec04f36728fd1e40b4a9eec2386ce51fb4f014e3894f6ac6efb7b5b77dd23181

SHA512
249720db1ded0bb34b04c45bdf7f0163d3782c4d2aa80687195c4aa634816b330e220730c997534a7105d290801b3d1ab6ea07f59ede06c45a241f0ca01bda0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgoQ.exe

Filesize
439KB

MD5
f3c6ed090b01ccbcaef65dbc1f257084

SHA1
175e613527dfb2abf3437d402e2969c1b9909df8

SHA256
31cfec92dadbd246c168fe54ba88fa601acea369d4fb81ccbe52bd7385845f5a

SHA512
b4d29d273175d3d99bc0f8581c1bc56254b19856d6c032dbc0653453eb434067cc484b599d01cf349bd20664928ff967742ce3647c4f661977ae0ff4840c30f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YigssMAY.bat

Filesize
4B

MD5
efa41617cc0776a86bb4913834c0a3a8

SHA1
ad7b3254e1ae83caf60dddc3adde6be02d23f27b

SHA256
f98da05cbebf51bcfa775a0d6ca1c2d65e85e5ad525845756975e20dd29f09c2

SHA512
b1d22b8faaf2aecafab704d3524a40abb2ad55df6da70b1dbfd7595e613ebfb685ec567e992ed8fa5d0c4b0af9f45d9717174e7c7821cd8e33ef5476ac23080e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YmEIEsYQ.bat

Filesize
4B

MD5
4c21559721162f9b963c44a832178d3d

SHA1
df335c4758cf128af856d54195c2438517d55a5d

SHA256
e192bcfaaa37f3900db429c20cb2f1cdb1d4f76c0fa593e923c71cde42a9d255

SHA512
a6f4bd8e900e1509fc9611da21383bfcf39d3c7c9c48a460f51f6af006ba7678145f6b43f4cf0bffb1cfa9b3bb3c9b6eebd9ad8c35f56fb8cfc47827602cb4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsAy.exe

Filesize
442KB

MD5
f734428d019f349a8061b357a3f4b937

SHA1
b9df8df7998bd65140a6c9029431cc9d8f24284b

SHA256
695eff6f3cabba556fa970023df663ea8ac907d3ed4d9dd737be8893d9af39f9

SHA512
3da86c6d491cfad78dbc8b8d66b965a97cf52d28db8485f4173749b9aca640a0957682ec22b0fd3fdcbb4a94f8246ce8966d5bdce546db37e70090ee4305f8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAgYYQkg.bat

Filesize
4B

MD5
3a689d0583ab245839404ae595aa8be1

SHA1
e261b24bacf4aba2a9d17d02d657cbee7fe2d009

SHA256
00f518afdd74e659db7287f83449a7bbbd4d26f603ac03353172fb52589559dd

SHA512
574b0bf3c05757bbfe80ad197c0bd5f6f269ec9ffccba0b8d08860c05dc277104f2a8579ee747eef1fda63cd7504f2201672a7b58323705db74220fb2ff2fdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\aCkookYw.bat

Filesize
4B

MD5
c6fe9138171a5e17bc8af3d810ba1318

SHA1
11559d410123aed6f019aae85d67869a037c1525

SHA256
be0b5b02cabe545e09061b91c1505302e807e63fb5a1948c64faf82e57be1975

SHA512
3cd88efd70001593e333c7349d21c0eef49ea3bdb70f40ea2545d7bbc0d98f7544f77426aff480ca116af33cb48d4135269913dc04dbe6ab2ce31370ffeb181e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMwM.exe

Filesize
484KB

MD5
29b9db05d78f054ba9f13d544e3c571a

SHA1
da9e6abe5feff6a8cc7bd9caaf47a824aad03d52

SHA256
87e521ec89089e0d25d3ce3634fd8e8d4a99643c89f163cf120ca815c5a208bf

SHA512
3d2dd2dd5d08bd4f1182a5c9aaec99a2eeb341a56a7942b057e7e5e58b7bf6361f0f36457c3ba79118211f9c9002f07101e4b68d55bb4f88b66bbe9963e23dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQEi.exe

Filesize
902KB

MD5
b17e960997b933c737c83e36866eb15d

SHA1
d83c1ec2a80b5d692759341ff5416f54dd7cbb40

SHA256
0f024388a0d402a530350f3a431060b6dddbad5d20c780afbc20fe1c1318e7d7

SHA512
6415a563b25b58f49404661d2c64b6fef708d3632290c3d8d56e2a5cc79a60fe1c72c307f42089cf4ad2158213f8bdcfe33416146f7d5176040be5426b18d392

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQkE.exe

Filesize
477KB

MD5
8e2388f97aa44c2020669683ec08d878

SHA1
8aa386eb73a2464637d8c5b85b03a524950d6369

SHA256
ee97ac6099e4a44283381552a6083371fee139ba9756b25aa77dedcbb9539118

SHA512
be1973f2adf1f63118f7d00ed6ec963fdf326fb0f1ab1fae1e3c16a3dab3e13a2ee4adcec458605d4b1ef8af0ebdd04ee4e3a489286c2993ceb295337903d2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUIO.exe

Filesize
480KB

MD5
04d7cc62d90a3cc29f61164ffe094a2f

SHA1
79d130da049fe18aaa8250aab3b123420fcf8b07

SHA256
11b26d85026e0d27c6fed152c54b2aca6dba489f787f4f60674c07dc038b1411

SHA512
9711245aa8b632811ddcbb8ec47d1b28a6facd777cf5589bffdb099c049ea46d2113aa033fb9ab9c0b76973a11f375aab6de63a834d6be0be60800bf46767cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aggK.exe

Filesize
480KB

MD5
700b9a8f1db20e8f7eafcff704d35d09

SHA1
28c49fb7033ada32417323b4c4ebb29f4885fc63

SHA256
64553638194cea29eae6a9cc4114edccd7d272a2abeec930212906805f75683a

SHA512
2dec0a536184b6e417f970359a39c9f9f51ec25dcdf3a4da162c3f2f13901cef2fec6b047e2ef239f8dcfd58a9aaa46b70986eccab5a12096d154ac0665ea0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aogIgogY.bat

Filesize
4B

MD5
6697d1dd895ebbd791562650ebb35cc3

SHA1
93cb54f24f063705e15b69af0fcc1f086970c403

SHA256
4fd71db79487e4c36f7d8cf06dac4177e9187c291eb9f5774ff200ecb5475dad

SHA512
2f30fc0e129fc2b77f488dbfca0123b683505596a18ba92cac11a03e614e8931d0a0307f6841933ca5c02e0117121aed5dcde627e69a9b5109ccbba38db2698b

Download Submit
C:\Users\Admin\AppData\Local\Temp\byQcMwoo.bat

Filesize
4B

MD5
7f39f9f627755911896a33f6c793ccbc

SHA1
d861d7ea26605e34ba492aea3dc22b4d027bca2f

SHA256
ff2dabce5d90592899c6030b5d681d999aea5c5d0cf3a929a8b6c679bd9d6e9b

SHA512
39308d83477fdd08ff155a4cd3825905116ce8bdf060f2aa2864373e1ab8cfe56af7e86bfda3ff45e7e962dad3b1bb15948875c8762bda0e75cf2c84aee33e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAke.exe

Filesize
876KB

MD5
3a87df3b8fa33f5f86b07c2317aba7e8

SHA1
10f3073bd7304d07bebe4d4f16e92089c6416556

SHA256
2a2e1bd1ae2a3456f57dfac7e3bf9a68936921c58e9ac9d52a40f5cfc90e1b65

SHA512
d858cd572a74ed4d5cc040012304e705cf7877454bc46dd28c139eadf78ac825bcdc669b0fb7e00d00a894ed61652006f7bb546dee9d853223042958bf5a440d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cGcMIcsI.bat

Filesize
4B

MD5
9653188d941c88250e0a9f3dd2c3504c

SHA1
994f16107b1e9362583416c8dfc4cc70319e92d1

SHA256
b50e082d11892c67870dbc91bf428a332ebd61a4f007a76b315f5c886ae7342b

SHA512
a22aa75b67cbd31f198ab86cc7443ebce9708e42ec4c2dace90489c7ff00cbef105401e614e02842485de29e391a86635ba95295f8a63d7d388ff8f95073d118

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQMi.exe

Filesize
790KB

MD5
e2ab912d6392a85ec5bca85d5f962780

SHA1
e07f1d939abc62ac8d4f23d8ab554d0243b23185

SHA256
3635c64d44ea0f0d180d450de1e4a730a905449c2f237f56964448d044658a36

SHA512
bfe45f64c81dfb5d6191f2aff64993e28f2b2db6a8bbd29fe99c80b0aedef997fdb71402ce61a642fe085d88b4be13088cafe83357816f4717ddf1c068a07a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgAQsIMw.bat

Filesize
4B

MD5
d4c0be78de8b94f4b8bff9434685c32b

SHA1
a1d390349a52b84e6495b8fbb9859e63be1263d7

SHA256
b963c0cb4b7e801acd9c0a6f596eb922f560cd509acc6f888d5304db9806104e

SHA512
ecc9f9a1159dd5dff191e33127d8166ec35340ffb8a2647104f0c273f4b60878ff82f834a0a5b2e22bb0d6ba3215fc389305bb6b372742cec8e8c33b576bee04

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgka.exe

Filesize
1.4MB

MD5
969f11ddfdd86c70f756a47037ae9631

SHA1
bf988cf02eec927c3568159e4b6b93300fe6d14f

SHA256
95fd57ef662753bd20dee200f78594da3c37ae36bf988f4282e2160c32db9636

SHA512
6c9c6416180426ecbf47099180afe90a7a58bfbc2c0fd5a6268bea6026c7cbcd4df306bcd3080e1a126e60816119b40c0e9d3c78fdb0c6ad2d08439b08579f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\coES.exe

Filesize
482KB

MD5
ad4e696e7ef11fc4c218bd2b3329460e

SHA1
bd8803759884ab495a5a7e3af5713d65e54081ed

SHA256
90bfe12cfaba4fc10e550c630a2bc98c6459ec2d18fd11505394d9da0be633c3

SHA512
7e0365803b8cce97012d205c096d113dc7aaa1f37892ac28f91ec36687492c88dc08d17a7a31b313531de57eff4f571bd7458a3c37779235e8490e4c9bfea028

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqYo.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cskA.exe

Filesize
480KB

MD5
932db8f02cb3cefc34f4f18410c740ad

SHA1
be293dc7c319382bb33ddb3cd5a8b62ea794d852

SHA256
b1c57a0a8833d078272bb5ca4025afae7966cf33b2d8097504aafc5819b11450

SHA512
ad4f4515009afbab86601a3f6e062f3ae9fd694cf10baa5fa499dfe6d8605fbdae4495e3225bd72919c623bbebc38ea581b6958f6e6d1953af6d1543dcc35b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUkUgAAQ.bat

Filesize
4B

MD5
3abd84059caa201c7e8ac6ff1abcef3f

SHA1
7ab43698f47b399861dd58d5c18b9893e83bc33c

SHA256
1fd3173196b27117ccb96733c05d7e61b1190cba828bd7cf1d11aafb4b592883

SHA512
402396858bb47f538a968203e2ce03357b2a1d2e5176c5e2c0a88e8c068b1b518acebf0af9f65b4713b42f1ea7637185a7af0b36aecf2063a9e7ee5ba329c306

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgcIsMcg.bat

Filesize
4B

MD5
ac460884683098cf341ebce795440fb3

SHA1
9c8537a90d408360e27d7719be83099247ea1bfe

SHA256
9d21c54ccfba724dc4c46a46a1b7e82e8c923a20ac7f6f4acac8c147933579af

SHA512
a3e62c51068585f092ce38533176a06e40603e8481ceebd5ca9e27c1d99bfe59b4a786b7fa0edd40f4ab082ebe7f1fee688e13cf37961d76deb3037af5745196

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAoU.exe

Filesize
478KB

MD5
b19509d08781c24462eade003546d627

SHA1
81b5c437eccdf63f06840090ab4c8e13eeba4c87

SHA256
4cf5712544788507f18a8c972a000cd7233a25b5b0a6599f18a80d850397535c

SHA512
847ad4eb9cfc7c081b26de9d6549192726a11ec25795ce4d425f23f3ed8937917617353d83739c4ab5fb93b0c97ac3ac5b28937738034d5da6d72748217b4d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQEw.exe

Filesize
4.3MB

MD5
40cfc8aca7db4410864877391e670fe1

SHA1
d56b7c0df4eaacea6c14708e27ac33458c9f9eb8

SHA256
92fe6fa208b3845702af08c00e8bab97b0dc8c6f7a9c06b61ba23fd4c23e4e87

SHA512
fbb36a4952bd8e94c6364bcf72053852839733c9d55d2a61a918d49e8aeb018221159d58974a2853baa3ffc65122721516e5ab6e357d3694610a3465cfe50e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUsE.exe

Filesize
480KB

MD5
b21e96425a55d0d15b431ee4f4711af0

SHA1
1b8235df8b1770a6697ee01f9c07eff196238d6d

SHA256
ef98df389db00b2758c97056a9359619f87b1cb2752ed55ee2510fb8711a4f11

SHA512
c497bda89cbbcce9fa26467e1cb0af56d37430487c4579169acea2efc141f733a5f99269d056883d0064348183e6c19cfc362e9a14bdf086b445ea0b1aea69d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYEK.exe

Filesize
1.2MB

MD5
5aa9864a272f6730de6a3b3285dbef98

SHA1
1ad8a9f848351906d67506958f46b6dfc446f936

SHA256
bd3946253197191d3a9de52938a1c1ee64c9ade94f3f60df73356341fe062520

SHA512
c55494e3c43cd54aac823185e0f531c3041ba88943496ccd0515c155a5203589038e4159a7909060630900c35a50c9b37b6a99d4e9e8cc1ed76e966f5f6aa662

Download Submit
C:\Users\Admin\AppData\Local\Temp\eda10dae57f7d8b74d5f9c04354fbc1c_JaffaCakes118

Filesize
48KB

MD5
f8b0196d4c0afa0e8e014ccff735cd82

SHA1
b80b339cc8ea6a3d5f960c5646ce8d3a32b4c401

SHA256
973dade5897208ac53e79d90c3e69997dcec89085800f00c231ec9dbff7a2038

SHA512
a5d24e3555ee08e4fdc23230702632fe049773fe2888b4b64b5eb433e339c7d9cb1d09edbf41edc110f112250fef095f0e7477aa14f7d3abf7e338e6dc0b2bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqAoQggw.bat

Filesize
4B

MD5
a9c4b6964cd0b853e80e74127a1032fc

SHA1
f57b7d70c44ce72b93f1e52675fc7b5bd2544e08

SHA256
cf9e33ce8afd103f73ce28faa5f37b0a1066d8bc371e73bb234e19743a93b862

SHA512
ee1ebb19582c79360e5c9cd13c3c2e6eb075ca2d8c4bf5ae8900e67b1ced983e0c43262a69b7ff46080cd3165965fc2c770f22de98b3e986ba4ac27fcfb90828

Download Submit
C:\Users\Admin\AppData\Local\Temp\euQQoQwU.bat

Filesize
4B

MD5
47774290c89a4a2b6a3b7f25dde4d2ed

SHA1
93ccfbf3068c670395f1e9d97de0c262bceca164

SHA256
f97b67507d6fcc6ddda9bad76f0169078be1a85abce8c04103d8582927d3b887

SHA512
69e652114ca57de8adac35a5feefefe167d4a155a2e949a95fde1a07ae1fa9a8b6ce74528cb958f0056d8119038c51f4e0be4b00df6f6d96ac848acb8a29c6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\euokIUYQ.bat

Filesize
4B

MD5
d25438103efe453ac6d97f36702d49f0

SHA1
b8008d57537d501eeeae9c1b665e5ffe17b2007d

SHA256
d43cee4f363327eae6f2e5962c4b2a56b93f8cd475782e5140fe012e22dbce83

SHA512
ed3abbb7d97657b17485d71fc2056f8acee44191bbb58b12c972b13067d8bc7ef1a6391fbb8d0014c822456317d99f5ce3627fcea5bd41a0698987cec3adef07

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAEg.exe

Filesize
477KB

MD5
67171d6016cb7aa4e722ab30a55b3b5b

SHA1
646b75c64a6881c9f0f4af9c68d85ac710392595

SHA256
e99ccfc501a1e6f0e2b9f3948841c955e8be45d090d6917017f6769abbed9d5b

SHA512
eb6b4c526358de6e9462ca42a74feb95697ce2d80554c63cae2da62e3c90d53e0ac9798b78929b1144c44806c6ea97b0ef879120b05f5dc298671172e4fe003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEcY.exe

Filesize
481KB

MD5
00cfd2a6fe05a54c450f01a20c887132

SHA1
e2d7ec3a5e0cf66d4ae47114dc94cdb94169e5b7

SHA256
17191d9ba66cb0013d0e9b6a11259b9668182d48fce73676f47ed4245f1501cf

SHA512
733e1c7f1c8e340d1fb2b873f96e2a569d6400665dead6dce0e71c0f82618319ff938046d064e1a8fcffe232711c0b691071c2f66c851baf9e35e3d62872b1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMUa.exe

Filesize
484KB

MD5
f5d5ad74b179f1ec0338d940bf95bbbd

SHA1
0a49c047872340661963c65cbc67a45a5a711dd8

SHA256
4752ecf035b98daa487ef1fe5d28a8a0c396bba636b3d754803e744193f3e535

SHA512
6f3d4fa7463bc329bd883a6ca3cdaf4d2cc1cd1c11eba4c09809b00c1541c9326f6fb6b34a9a26994e6ea07882b9225f7d8e9c323fe94b33ce0730560b7442b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQYc.exe

Filesize
484KB

MD5
1bb2b25fdd7e50fefd7e9bac4c71cfdb

SHA1
a4b75788f4ad27953db02dde94cda45e79cf332f

SHA256
768c399e15ba8c39e096b925ad9d1091367b1783e531d5e876675c85a39639da

SHA512
8de23c638c0691c841d59add2647f6a5269758dbec492ad24eb64180db2ddc0ffeb6bd3f4bb07d2041cac030ca186c58f412751b91c7ca48faceceb35583d15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQgo.exe

Filesize
484KB

MD5
539771ef8d99d3ae0d71456251b9acd0

SHA1
109e5ec1b3e0bf02823dc1c75d2dbec033a2019c

SHA256
b79e2a1dcd471e1decf4430e859c7a39c5a9ce54516796871b8fc2c5e26ce114

SHA512
b66d0d748ac42356811609cc56279016791f5fbd05db4f32799f39af1200ffde9d90b664f365b9128e5cdc67a3c8559c9935645ecf98ed297e81ccf343e39d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUsm.exe

Filesize
481KB

MD5
3ddbd6c13ed254f00815fbc6cdb7b1a6

SHA1
5c1c6d1740f13abaf614e8cd4c5c1240cdad6f8a

SHA256
2345bb1e235debc7f8e3872f867960cbb20a8e3c6b23c7e555420863ec0df1ba

SHA512
514f737dcbde9703b106145902cb469eeb5940188699fca33cbd9dd79814aa30ebf190c5d8ba3f14bca38c07350fc9301bd84623daac4c674b2fc7c7650fc26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkwO.exe

Filesize
760KB

MD5
e49e1cc03af5e32439c3a18edac1c807

SHA1
3ea571aa012b6f49236420881357f61b20e68c33

SHA256
825b5fd4e2596b303a8cbade66efdce7712f0b5f30a75aea33762df4f04592f7

SHA512
8fb843172ae85201f54b511fd141a3c08254689c73ac17a965f512f4ef4f3fe19e862955db46ff33bbe18d79a8446ee6b24fb4aaab2c7cf9565ae2d2fddf9a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwQA.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAgG.exe

Filesize
1.2MB

MD5
afbbc543e9a3208af055bdb33453d829

SHA1
14ded36c5559920c18d8fe999f21aa3d26e1bbff

SHA256
b052b4c80a1bb51d2a5cc7148ace7d6e2c9fdecf33acc14df443c655d718f705

SHA512
c38092c2e7af04c8f03b30152cfce508023a1fcdc21b395e38b9d666da0ebbcd1c437b51481323500bbfaead594ec80e7e8dd2f9acec169bdf771c91eedfac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIMy.exe

Filesize
715KB

MD5
c68cd299efb42ae8457436de94ca0f09

SHA1
668f68497f85e2e3fae75ae93880e9e163f03815

SHA256
7a22b30a42e462ca11215a5cc948c91df15b4f3c4582ffce6de1e1131b7f484e

SHA512
31a1102237432b2703af188b22abba7b48419e8264c63a025bf337bdcab378409bccfb27523c2121b7a81c77845609fcc0fdcd617ae4c04364c92a65f6359108

Download Submit
C:\Users\Admin\AppData\Local\Temp\iKsIgcMc.bat

Filesize
4B

MD5
d454590a2e67ff104d995de8e7e2b7eb

SHA1
79d06042a948abe1fd0f7a320a98b855b908f701

SHA256
fbc7969c6fc1fcb2ca064242b6e8daed73f0c1655dfea399fb2778edcaac9d27

SHA512
7758ef680873ea8a42d80bc03f4fa2de0198f13abc34ec87a9ce6f530b4743d14f8f6ff494c29919e8978eb666d18d60f82f33bd51ba9e6f6a8da0077bd60a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMwe.exe

Filesize
870KB

MD5
cdabbfab98b8270afc1a24c33d8f8ed4

SHA1
d4026d5dcc76d92dc5bc1286556f9b0af44b3289

SHA256
8ed4de41911a3e2141aa7a8b2bda96579c96dd597efe1ea557cc4ac72f35a856

SHA512
d8aecfb9658ec29fc8d8008f03ba244f757d87c0fd7ccf5ebbd0c9b411d42339fc55162561eeecc34487ee53f5afc7b4d0bdfc0ec2a38f7462e620d06610fa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUsM.exe

Filesize
820KB

MD5
4cf9fc293086755f89e57bd86010a3df

SHA1
de06d2b2576d5e46229649b7094af12744aa2739

SHA256
1689d97e8998ae3b5d23af39c10e3770b4394ae4d12877de1d955ff9bf92a17a

SHA512
25a7aafdf15274739db2880ff23417f0ae92c211d82c98db087a8d4eda8aad639caa5191954381b0a2366a5b18356273ea4808943d5cf51552fc30aacede1eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqMgwQQk.bat

Filesize
4B

MD5
ddf7f1e657a46139e210952a9b42a8b1

SHA1
4f996a7a091d313adc85029673e828ac9a5eea57

SHA256
a8103db7dc86cfdef8e95afacc72c79a8ed7a223073f4891b28cdd7c0854656c

SHA512
5d3a59d172b1ff52b03c68032e58b9517097985072be1c140be10a7b106b57995c15b2ba8b32374729f65950505e492babf7a9eb6aac74f09e7631e9aef7f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\iskg.exe

Filesize
457KB

MD5
758b486a9cb1fbe882ffbd67cd770d92

SHA1
f3fde7ac27a13515fb89282daa7d88eb2820f60d

SHA256
89f5abf37df9146ac2e74af515560f1404273035027966d58a8003dd43120afe

SHA512
2c262634413b8b4e20c33aa2311d342cb0136bcbf28c904889047ddc41ce93d8725cec7c39089e70cd7bd2159dec0dbe7578a13fb4afe61d276957ff241c30e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwwK.exe

Filesize
481KB

MD5
47096909d4be3158fa5bfb27ac263e10

SHA1
17c654aa9422cccf7b82627d073d61c05108e375

SHA256
b551feb8c5869a710651c890f998fe76505375c89e5cf8e6ef13455617e10475

SHA512
c8284ca83a6cab15947c488a7e82da75f6a0a32ded04f8cb7361c6b7a8c2b8c36a5406cc47c3a3493a5b234899f85a706541dbaea0388ccef4808d6d201d86ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIgMIUkI.bat

Filesize
4B

MD5
984505c5ba87d5954436dcccc5b8c05e

SHA1
b0cf5e0ff5adedfd893dc2f651c0d736a553fb40

SHA256
90b8caa55a9c080e6cd89031d0711ec6e872843e5e25b97cc440874a8f640406

SHA512
465d135d680bd90dff82770ec4fecca67b352921d2c1ec63c1b674a0a0e032d842b11324226cfd4e5e3d7675228f73ae86133a76d5c061fd7d4449afd0fe0a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiMUIsAY.bat

Filesize
4B

MD5
6770a7bc156bb16e9a033846a948940b

SHA1
3841e96485ccc59d087389c4b21df5e6961b6cdf

SHA256
763a1673fe1f5eac6ad5a1aed482cdc959e18306392c11cdb99a12542c91a450

SHA512
3ac32bccc7eba1918a1176924e2c0c48f2e2457bcbb7c75c0a05ee297765732885694ea672aecf64911ae33b83435364d5f8330ce14711a560bbca3cd074e18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAgEsQks.bat

Filesize
4B

MD5
cf5dd09cfba31c19e8471b834a38c8de

SHA1
cd5df954a111e014cee5bd39c0e3a10a1e982302

SHA256
7a159b286466a9951a65b28125d9701ba03f3aa58931d36e918feefa345de549

SHA512
6a17c7f0a2cb5ba01d2801155591f82d8be4c33e4830bf91d29e382e7241c3f17f145aa0cbf6dd4fee9a62319cd16666c299659e569b497b8380a790af0739a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGMYowAM.bat

Filesize
4B

MD5
254d0e4b451286332c0fa1a852e5842c

SHA1
d402785e8196acd96aa5e93b558684e05b5c465a

SHA256
4f6368e7b737d45288a724c1104c3355628ed82817c1c15601bb221c2494b845

SHA512
06e812ba639116bba054eee7812ae3b7a11198cacaabcae0b960edf313f6439013cbabbeb92f49319551a21b987efb07d9360d0da8ffd985c455a42aa196b909

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUMG.exe

Filesize
461KB

MD5
c2780ef9efbf7f16cf85671eda506ae4

SHA1
2b29cfb96ba9dca4989080096426a32d267fe00b

SHA256
0f18a717c5fbf32aaa9562138a0e073bae930883ac9e4a1fffa71660c7929313

SHA512
b658d78c99e1fc5c14c003b52e553ab31a4ac5b8e32e163aa54f63d0f503b67657fcfdf64b98e0fce56662c5bc7081cca127a54da2c1b2e562efdb9d3d54ca51

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkcG.exe

Filesize
891KB

MD5
26926909441f22779e0d2bf0bb1943cb

SHA1
629f27445089d1b7a5f764b291b83dd7dd165294

SHA256
836f1d5c7edfb2e99f105572665827c56dc4ddb29385ec14d6ad934f921418d0

SHA512
26b88c0eff98e35e7caffc5605290a5e0c6e55f7b4600b52f3fe6577c3ff5983fabd80e9fc5423a546533954b909799ce3a0a93dce9dcfef079b202323f07e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kowQ.exe

Filesize
1.2MB

MD5
f875b108c6def0c2f6e7f2e00c6c3b35

SHA1
ed6b785540ddefacab5e7db8b0b0b323dd28ae07

SHA256
193de3664164c4791b8aa1471c101b4e0f820e2763975880b59dd75d2527eeef

SHA512
5a0effb66da27cdf17cb426fea0db865699959ec0e6d431e76a157c341e9aaab5fd0d2590e8ee3f7cd1a493a4a79615c013b68d58d8ca841278ab021b2a3d903

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksIa.exe

Filesize
480KB

MD5
bcbe24d7ea388b5549f7166d7909c48f

SHA1
7564e391e68fa35285744080886509f00cff819a

SHA256
8a880961912074cf66d9c428c6eab3117a15a6fe4d191569a17d79185043ba83

SHA512
f27372701330079592a5b9cd6a2ab74baa23e753443555ee8a6e0d999b458d26f6bcc5b7b637de8b009f5d70521894fa5ebf0a878bd55397b8ffcb4a0b7c7ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kscS.exe

Filesize
965KB

MD5
373564502299e7e727fec7342b2cffda

SHA1
11c7b4b3abfbdc4ddb8e3dabb4a1fa64a1e31dff

SHA256
d4a302846a2899b7268f5cee9c49c6333e33d226ee7900e9f82f283060dbd651

SHA512
a4f250008c48275a0841144f17bade5c6242687a27ea6fe1e9b8b38f183ed21b7a3ce3527658290481fc1429fad684edf34c1e5b25bfcd38d2b7c8e85224a904

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwMU.exe

Filesize
976KB

MD5
8597ce2ed69259fe1a7b0602c9698c95

SHA1
25331b74337dbcdbd35adbe01badb4db8d45a3bb

SHA256
092b86719ac74c613bb6724e01e8586381603323cf07f61755b0301bfa809cae

SHA512
e0cc13bc62606f9d8a33468baec1f8d7c83109bf7ec66c5b6c859b7440bd89bb59a258977982ba924dbdd5006ea70a00102e5bada882681d440a21e1aa37b948

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwsm.exe

Filesize
444KB

MD5
36eb94a70e76d1d41538b5c41436feac

SHA1
eeae6528613d17bfa507d0fd967aee2c9af5b203

SHA256
a5c3169d80240d0d56f4682d203a1ae6f26f779f52f8d564593f1625478e9411

SHA512
9d1458ae274b228be0f5349a59498940c4e15f30e745311f057ca122ba56161588ba27961530e516e3abd973ffba88c7d41aa53b4d8d123421691719452aa1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQEkgMsk.bat

Filesize
4B

MD5
cb604087689ddb8d15d76b229ef784f8

SHA1
cd465c24503b0e4937d1b0a2c04db9264425097c

SHA256
75919720539add162ab3c873ddb452379582977ce1ee8b20ae1ac15e3aa40e9a

SHA512
8e6ea26253d3107451fd103a3daf5e48fb41eef6e7478eff0fd80733aa302b49cb1eb20b395028e7ec8d3021ff97c28f854e579718fa02d25010929920a04d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcIAQkIU.bat

Filesize
4B

MD5
f46fcaff04be697fdc7659b82639715f

SHA1
47ad68f64728d3b2fb776620b216047928a749e9

SHA256
cbcf193978742bc3d3720a5b5eabe3ab1000038b42413c1722f7c83ccc2eb660

SHA512
a442393f69de8c29316242f025da475f1915a40e44d5b2f7ed47ba84a476af4db06434a421b697865faeb872dd59e6f4f25a99d91631bd9714972bcfabcb5331

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAoE.exe

Filesize
717KB

MD5
7d14654811478e72505be3167311a59a

SHA1
62a6ffe6d71392ea31a0badd3f53ef19e48fc782

SHA256
1652506c855557c00b885e379615c9139a6085ae3d9263ce98b779869f4b803b

SHA512
878f400cb7b6e32d48e9439924188ebfcafe4ad1a1835cfab83d879c006f7fddc8fa0f53164576b360e4be8eae1e21a9e6a79075c804e090fa895096a0e59c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIkC.exe

Filesize
1.1MB

MD5
6fd472119fca8c8f1c39a5275be0b87b

SHA1
5853d89f9e45f2dc65cb2d68da829d2eb6913c7f

SHA256
5508722380a20d544af701ef991577b0d3658eb720cd9c36b42a796e866fba48

SHA512
8875db7f3033096c4fe2c69e1949d1efb3b69bee1f78c3bd517e734a4f7e1a2e5397e9575055ae2f311fa4ba97f2c58e305732d6d75c179da1fb84c72297959b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUQocUgU.bat

Filesize
4B

MD5
64acb40d8a9d6b49188f55a5b1b99997

SHA1
1da32ef30072fe7a68583c77a04435551cdc9ea4

SHA256
853252b0db47510a09d640895cf0937b971a8429965450b0b9476c1a8a7e8043

SHA512
eebad2badb312a948be66f88ee4e2298ab7598310b7adc39c0bc40962ac70f7fbf4a687911a32d05ff592eb69fab7096e54be9ce8b531d35e56ad9460f51a8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUcUYcMg.bat

Filesize
4B

MD5
5774e9101a97cde25b67e8928eea75af

SHA1
a060944b7c27c68405a821d5de07019f23df82df

SHA256
126b1f34fd4dd685cede001a6a41f2eeb02a76184961a0895c1e8f0fe01e051f

SHA512
7189f8741d7b53fa9be25a28057aece7b6b8f456dd9d426af9b8097a2e66106dfcf097e1944bdb56fe5511d08ccd8dd925a51a2e0e36b5aa4d319fdb870e9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYMg.exe

Filesize
481KB

MD5
166a6a1ac5d713cbf02bc0cfbfb7f9c6

SHA1
75cc6c1df6b98c19eac80996d5072ffb706baada

SHA256
dbe3ae8695829cf27a95f0460506cb95e3b2f873d7552b58248dcca88294f79d

SHA512
6ba75a118a684d2bcafa714334c96a8dfc239ab4012edb4d5bce592c754971650116a39e7c764387c30ab6fdd102bed9d4fcf3070d1d5ecff2a73803ff274c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYoM.exe

Filesize
780KB

MD5
8875fe9001a9211cce173b4642bd2551

SHA1
14d2ee41ab7adfbbd92679875bcfa829f75afd8c

SHA256
091fe7a7ed937a6ef23c2920d3851df3938a26040b1ce23d21cb438fcd89c565

SHA512
b367db8a6f5fc1e1e15d3eb722eebd7145e00d10f87564d5d5427f0b9afa84071e00f34fa467318fdaa199cd93a5150c440f77b3a972e05cb8dfc1dc4d90f814

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcwi.exe

Filesize
485KB

MD5
f0b0a2840db72621c0d3e3c7ecb40042

SHA1
cf880a77fc8435558df9e777291fd6704356d955

SHA256
85e9362cfff3b662a45e77c17e141b7811c0c505b53c37308b889a0ea844876d

SHA512
45f1a86b08e81a1c835d1523195fd5c26cff88ab0ed62893854c66b098a45c6aeeadeb8c820d886767052e0b5b0aaba74c4ba47dd37dd1ab120bf56aa4c959c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\migAsQwY.bat

Filesize
4B

MD5
9e581dbf62db26848bdde1550424c26d

SHA1
0e79d9628a3fdc54cc20cce73202379be43eac83

SHA256
69288bbd300352f5e30bcfecef6a90e114b4f53bcd311a8ff74ae8304d80773a

SHA512
4cbe0dcc9c101d7f2b888c22522c1dd46af6c462a39439f745554a91bd2c5f1623ba635fe8394d32b508b1ca68c24ba730f568c244eb7121fdb9a55fdbd32cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mowC.exe

Filesize
478KB

MD5
d284a0f1777259124a9b6c4e1103b078

SHA1
94a7aef30155cb3e376f1ecbe14959f735a6db91

SHA256
8b80964c6a5fc0a6e753eaaf0bd871c2eea19550d3d9c4ca49d85f7edda18abc

SHA512
8f968e431010d7741f5dab10d025ab02584fe639eb769341b1d0d8320cbb318725a8d24e44410c27c52a9e89a473856dcb7703b30729afce1edb60ead34e9c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMYEwooU.bat

Filesize
4B

MD5
578d4d70e4fb20eb304cbf0c174ed0d6

SHA1
58a4c812ea8afe110953896eaadb2f08bfde067e

SHA256
882f35072a9b2f9d6e7d36346a06a00ca59431e27444e580cbc6ea438ea2be2e

SHA512
07e68e2d4ebda12e0e06709c09df21263a4059c0be492c7b5592c4f4ee52d92f2577bfa7db7730049397d8bf017856b8538fcf80dfdbc0bab088f0d182b55c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUQgUkYM.bat

Filesize
4B

MD5
fae7813516bd7c3bbb4c54a573caa1d7

SHA1
d34afd776396e1a5332fb4bf29d2d296dc4348cc

SHA256
20720636975a9ca449e21df5974d40c7862814a41dcbf67fceea137914266f85

SHA512
6e66d0894a2c93b10df8317334d0de98f4ee57223029415b8a6f9e14130121206266a488dd4fe9264d69025717a5f2af0855414bdec11bd5bf723050921a971b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuwAkAEk.bat

Filesize
4B

MD5
ce4fff85ed125ee5a57cbf7c19898011

SHA1
7bccae086a07bfdde62761ed2ec80c352da2668f

SHA256
ab402d0742f3cc9ee7d177dc6d7dac54932a9e417983cc4b89f15b609cda9611

SHA512
5c913b46e39c2b854b5c575431c413d958742114138219884e1318e3d25a2b788d10b40e64eeb63cd16448d7970957a1196142cb3e9ec5b915d71997acd26350

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooki.exe

Filesize
480KB

MD5
f0c4b8cacc3e921a2848e1c8e25c2720

SHA1
542e3e0a040623396aff05548fb2c38b1476bdd0

SHA256
db1cf5160a065b9e62b2ef2c5f0a8ed57e71d85041ef69b70950370ec8957d88

SHA512
782a5d26779d4bec8645514064b8fdb5f44e66864a2b17a36fabfd41ee3ab3f7b8be66d74c0d0a9f9a227674f71da9384cc3846481f13c25b16718f27486aef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYowMAoo.bat

Filesize
4B

MD5
62c2dbd3b07adb13b16db68891029458

SHA1
9e5b3b37aad91328743dfcc0227e53d85f6e0db8

SHA256
e98fce271940d4f7d638bfd0b2be31298b66ad0031b430171004d278366b19ac

SHA512
d3ec4c6a6015586b74389d591f16846d75cc3226139960a0a4e6e32b671355b99332ea329fff7f2c35744aeffca040f8b260fe32e8a5b2dad814faa49add4eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\pggMIcAc.bat

Filesize
4B

MD5
35f01fe91ed6058e43e3dfea2d06a786

SHA1
25d6a94e46c7f7968d04ff5248c1a2ba5a02a12f

SHA256
07d2a7087272aedf2e700cff7b5cf89931e0ecf0eb1551f76748e3e086e510d0

SHA512
3b09b7642a66b8eb524898529384e45d8ecf06bed9368c3692047113bda1385c6cf5fce9eb56b48573d445a48f61896f542766cc15d04cc90e6df651542e8dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAci.exe

Filesize
479KB

MD5
6a8e9399daa5948e60c72700fc837163

SHA1
8c9898c963b58d42b4479cc34c252d1dcf8daa33

SHA256
78232ef6b1d9e3dce1969e5666a13a87abb0217b8ed0c6944a9256895f68f428

SHA512
a41df0b986166f4b356dd5f81bdaf1eb056a18c334d73899484863696752c3f160fbd0c282f76add2efc90ff3407f9d664c82ffc731390d7bb4b44a285612a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEQY.exe

Filesize
770KB

MD5
543721d1263e1b410ef454fc4d27209f

SHA1
7ce686fe8d3f53d8374415aec64786e6f5808476

SHA256
fe489708268f8963e15ef5ddc6bec2fe1798a9bf5177d3dec07aa33740d36e34

SHA512
f49bae42c8bcca110626f3e2d1258881e99ce343a90bba370ba611dd4b8b723d705ba9ff0bc499f6ca8b9cf294e70ab98385e8c7b828dda8cab10b3805c00ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEoU.exe

Filesize
480KB

MD5
989db5eab6bcba2ca2312f600d6113a0

SHA1
ae1881130ddec3a80a0e6c1fbf9e77e6a48d0028

SHA256
75c33623d4f3ac5837c391bf77d6538d6ad915d1e231bef50aaa781e0720ea62

SHA512
42a76d50f2c5c56bd7d299ae80fe7ec64ef3cc71bde15b930d420bf4246953cca3508f67863dfe16d3c35c603f9eba0d02785b0b1e8806a86de48f2412bf43ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKgoYUEA.bat

Filesize
4B

MD5
c3335164b322f13a8ee7e141bbc53518

SHA1
faab892a0dbcaab9a4c1c6820fd30ffb6efb7829

SHA256
2c9c05207cccf1cfa7f00c8ef8e48fd9b6fca1dfbdcf8cca0e2db9e03e90ddc2

SHA512
a373b567f002642c01f43d81c48f115a348a12619d5d01b0bc82e716d6f6da98653de0836caebf8898e87732bbf7a571f188b179ced49e171e48628fcd942dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYu.exe

Filesize
462KB

MD5
b13d29344ae05ac9227cf2f03bae7847

SHA1
6354dc0b6898089c1447e76ec4d8ddc4eaa853dc

SHA256
79dbf2c15cfe4c125034823da928ae0600df36731f260a33d90c997c92a5ea21

SHA512
e46b0a95ba0797d0376e5755b7f9545ef520787422751d489ee93412f746b717c173b53f03e2f0ed5ce3a090e404c7ec4b49f61496557667cf57e1ee072a6039

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMoc.exe

Filesize
479KB

MD5
dc263ba8c5abea108a7dad6efa90f257

SHA1
eb8037774b0dbb9c7d1f6473cb9ac8dfbb3ae44b

SHA256
38f7bcfd3ed6fd3184c60edb3541fccbd46563d52a24101cb080f060f9ca34ab

SHA512
470285a93a79ba0cf626c1aebb2b6bd3b42f8ce76358e0aa0281be9f617ea289d705d72b6608b32428f51ed5735c1e541bcdaa5815b19efc9a84984624ec8f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUcM.exe

Filesize
619KB

MD5
d49ed27508b84d35f9b1c1095b648cf1

SHA1
9ce89dd766b3ef80d8b318d7fb22f5fd6f72bdd0

SHA256
6b251eab83baf8e0a7dbb65b0a3da8af5af2bb9758ebf071ba8dba67acdf4abf

SHA512
50e9379bbd726ddde7939d0d74e37436969998a778eaac253de77259c0c5573924678d43803f42f5343629fc750498f0d7cf5e2223cb29dc2397660fcebb63be

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgkS.exe

Filesize
483KB

MD5
d1c32ea636540623ad5580e99f721761

SHA1
36c48c7edd386648f649a161e897443d6196eb58

SHA256
f021cb58a12115db76cfecace62f435005f9262ca73c780467e25b60738725b5

SHA512
69e3c892e485381161bc488b5c04f8347085dd51bfd7d84607380e57eaef86a736a8bd86fe33a6d2d98fabda96d973fb805cc4a0ccb8635c2de5a0d188ba0b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkAEMUYY.bat

Filesize
4B

MD5
ef12376d0c7eb4a764b3fd19e3e5cf7f

SHA1
39550aed474f7457de2f247ea616d33fde3b2e49

SHA256
0b90a544d9428cbf0ee8d84586fa8cbe0930efb95e33343bb8b632afca671d09

SHA512
c4315cebdf6a45a9a701a1e5a71834094e01e00b3e0fd4f1a7934c41651df0edf61d419945a7019f97adeed55944b919d8dd7e2e519a7428c1777f5b13d3a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgkMkggI.bat

Filesize
4B

MD5
74c69c38f13d7409451ee57a7336f282

SHA1
671ecf4a7c3f133f473b4d5e60e48a8148512b91

SHA256
c6c4ad2d5c503e221f004b575736cfe9eb6333d4c63af6c949fcb1f4c80f68b6

SHA512
bf63013db433cf4738af6cce2cb293e4622b180be888249aaa65744b468fcda3b6608ce9b8641ae2fe320500a2da4725426e970baa2ff7c07f1752a6e983d972

Download Submit
C:\Users\Admin\AppData\Local\Temp\rowwUsoY.bat

Filesize
4B

MD5
7f35d5fccddcbe947d2f3f22675123f7

SHA1
8df3b7ce4f82fdbddbcd5e8173e78bdb9a6a8014

SHA256
5d0450e223186423717f3a21a67415af0cbf62898b1b59553649b6ef681b6cc7

SHA512
a6e8631979480eb12f6d9a425778d7402c184ecdc83fba95bcf08162cef7a499d9543b8eab44000b4abf9a54e403c49d147434923acd3c940efc8535bec2452a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYEw.exe

Filesize
485KB

MD5
f5281bbefb29f3eeaefb337ca2377a9c

SHA1
38c998ec47374b9750e2a6d3abaa292e8b76b1f4

SHA256
2e68e4f25a02bea127ab6303db1eca00e4183770417a0d8d81ec33add3f3ce9b

SHA512
09a6381c1e164237ab16dfe2274f4beb01a9901856606465106ee9febc6886507930efc6140d7ddceee8174aee1aaa019b490b53c199080eb185edd9fe3a4c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\skYE.exe

Filesize
483KB

MD5
cea3146532c79ade9bd6191219876b84

SHA1
37e3dcc7dc426b6720db7710746d250fe54ddce1

SHA256
56ffa453d84d6d875ed4a24f884571a31f25adf0e00329a22e7344641cf33322

SHA512
3d3cfcb21a91f74378c6d80af36ab34a577895f1d9ec953c621de61a6f74f8a4e4636a8dee92d3cac41446e05e3c9b1e24082c11a0d25e7b74f37b22c5dfaf99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOkEYkUc.bat

Filesize
4B

MD5
d17fa928bbe71a4e019bc38df41fd9b1

SHA1
bb3f2f15559fa0e7acee0837925511b5e03b9eb6

SHA256
018a8c47c496b9cd6ed8c80a006f8d89a253ca60f56bc784002c6f7e51d77008

SHA512
ab8b986a14f268176c23bacf7ee3d02105412a42d83cce01a804a0b7dee2ccfdf8ac0133fdf254a2650811d6a8d9186cc3d1e7f51d731aa10012a4981bf02cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIQa.exe

Filesize
1.4MB

MD5
730327a75451c2978470826f504d3c30

SHA1
fd254c9fa235808d95eb5ed5d0abd8929e88b9bf

SHA256
cc11e9a64ba665f900b7cdabbc5fc28edd6ee4bc818208b8244daf9b8ebcbbe0

SHA512
5ce8aa763d202d160423771e80d53f2078b229798f57242f21a2eab1f114f429787ba79d40ff8c1636dae13c64cf990fc2121ab8acf759c1559655fc06f35348

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQYkYwEc.bat

Filesize
4B

MD5
36d5b7f2e2398226778280c43193770e

SHA1
8ffa3902368f9d3de252cd18afa0fda52f4cd5d4

SHA256
d9a7f89fab2dfc09703d9e34a78cd85117a9d41fc3f20e56459f8b3ffa9acb1a

SHA512
e80b39c000c5f8213c9aeee89168e4a6338694f5cbf1ef107406ade124bdd4f333fe14ed52ecfc0575f2f4eeec460c526628d65f9b2ec995992375e3b1c3d008

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucws.exe

Filesize
481KB

MD5
97ff8e8cf734821375b7067e77b18114

SHA1
4af974de47456a314b15634ce3ed1517a6c944db

SHA256
c7ab95c85da606e7685bafbf9ed235823ff41f1868ee9f23b97d98fc9675bff5

SHA512
2d3d3cd7c648ba6cc0bda60d1a597bae92999b10b54fbd12eec93b870e2f7e2d6507824f0bb045fa29a8298badfae8d4784f06dcf7f882a5f83c9e82df2f3e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukcU.exe

Filesize
481KB

MD5
90cbe276048cfec53f46c324829adb9c

SHA1
74c973e3b18ea59d73ebbd54513a68cc9ac10edd

SHA256
5334f20bbba403f47f41eccce22e6762b62c74bc67426a2576d305ced9b9619c

SHA512
bfe3733ec6206f1ca193aab606024ba0eaec79512d7ab18b7c4fa64a56c98a0d2c069b1df45415a62d5c353c9d484784d7c97365a436ceddbfe2a207208886cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uksA.exe

Filesize
862KB

MD5
563abf25bb4309c687ffa7822608adc7

SHA1
2c24cec7dc03c8ab37d9a3a790d44ad99bb185ea

SHA256
8590d699238c3835c03a9bbedea9d596b362b3f77ca331af2a09a8d248df093c

SHA512
741d5072f8fe650a59338c1a7d9dea372a6d3a2c18e48eca87523738bdf63a5473df79b5f1c2dc84b4eafb4530696f63fb22301f31470f222c04b777f793b113

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwQM.exe

Filesize
1.0MB

MD5
537c8e43d977806816d8d996f123ee2b

SHA1
9a73788355f4924a896b4e21789863a1a2d9133e

SHA256
1edbaa8431b0fbed0feb964b82019f4cff2cdc084b099406d2b33002773e093b

SHA512
c3b6b737d04bf5ed2a7c4f57e3a373c415aa968c7110776ae718d4259ef87103ee9f4b41553643931f95cfd5a43c0965b3b38e01991106d9ce73c3e2d8dea142

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIAgkAcc.bat

Filesize
4B

MD5
9fe186d877f315987d0058a9a5aba29b

SHA1
8536710c9ae4981c6dd608fc2efbfa7e7b7982e7

SHA256
59818964fdd6e5078e13e0ee81fd19ef7e963abee617e3ece16803fdd995493a

SHA512
cd93b31af608dfd10a6b2720547c1ad342539e7891adce5162cd610e7424ee7db2b1deb9370c30223ac79874e85e80e8e31f595649d7fe9336eb688930678efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQMg.exe

Filesize
834KB

MD5
c762f49da040411c5be583532fe42c6a

SHA1
adc57272225e1b88a61ce908ebb10de1ea308f1a

SHA256
b315f295599377cafb777088a149120eef842ce1915b31e2927f19732e940b89

SHA512
2544a8ca660d51eb56bfff2725771e470f6f15014a819a6a0d722a95719bd6ea9b22a6aaadfc2b15b4048a0f34cab75e7853affa2c1fe91cff186fb0d1b71cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcsc.exe

Filesize
482KB

MD5
c8aee4a38673c06857af0a6dbeb2f0f0

SHA1
9e9197ced9266e1346bad1b374f66f8490c4a237

SHA256
ac221fa01b1d98cdd4f4534eba2554723873c601c266f909393844b80814ffda

SHA512
2ffaa8afb1ac06279b6580ae96c762ff27bfd1019cbf8851f258a9e618122d8e56f107bc85f2ccd2afff9b04689b5e6ba4f71b5cce335830020caf0e6ce95159

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUgkYUsg.bat

Filesize
4B

MD5
bf9f93cb96b1459bc5498dac1e3cabcb

SHA1
576346b4dd78f57f37afffc32723589a452da9da

SHA256
939f3a0706d3cd3203ed6e7987193d63c7d4d70d76027d2e89ff5cd86c5dd7a1

SHA512
fea9f3f808bf79e030555d7d5b5a3e8d0ec8afe1d75251fec38a0a300082a1952848a210c28b4c4dbeb1b2500df1c4f7f54021c98066a1179e2b638ff4f1b7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xykIQgIs.bat

Filesize
4B

MD5
c7fa15c0f0caaaea98ba80f6fa497134

SHA1
a75475e500833500d16a2f81cf7eec5606504fc3

SHA256
bb75bf08f19604e4042d3254a01c655b5260ce7603e131c9ab93152dbf2de265

SHA512
88aee6e3217d158bb3b8d5bb17e7e0f4a720e7f5f105daed953c74af5f71c78cb250d787c6b598cc4a2a868a6f6efce754ea01bd79185f1735685d03d0907f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMsg.ico

Filesize
4KB

MD5
8e03abdaa3016247fdd755b7130384bc

SHA1
08dd2d9541e1961b06957fe9a19ce83aeff51a5d

SHA256
42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8

SHA512
e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQsi.exe

Filesize
1.5MB

MD5
a81c0915266165034a8219d88e095d5d

SHA1
6ccf000c3c79875ea1f5dace0c912b510874bf65

SHA256
0cc712fc0c1fa9010a0a16efa03b2b189b4c9d8c93e4888b9eb6a62468a4223d

SHA512
4d365de35c85fd25ecf193045a356aac28d95527a422059748973a9cd8fe0cd9eebe97ac596b14a878ef100d9c56f09c975f11e8ea2d366ca90d52b85c0cdc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yagokoUk.bat

Filesize
4B

MD5
e636cb7ff87184e9b77070f4ad538147

SHA1
00d9381f777675b1e6dffc5d8778012c80f7c3e7

SHA256
e99b8d7dbe6f2a578efd5f68206b2cf1030af16f3d628cb5c80bfafce67f1cb8

SHA512
e952f91b26bbf847787d58f21b7a02abccbe9bb49520113b886dc6be0efed4d0b5d51383840e9588f6c0c9231400b4567fa01c56f81e83a32e76da5db4a68bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykYc.exe

Filesize
8.4MB

MD5
ba232b1c320118a5f5586a94c5a5a994

SHA1
949e6791ebb360b25c1a05cae3fb603206d2ebb6

SHA256
80a9d224de56ab1f37cb260e1d3c925c7dbddffd33f34158dba4dcf99ecfe342

SHA512
c07c6ad360f67f93b32e902a35bc6cf06760dd7d40dfe2e992b65ec8e0fa59cff66fe4db73acceb5ae5147437e1c068ad32751501ec358b3cce20d7988d0f843

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywMA.exe

Filesize
478KB

MD5
cda482e15b293bb548f72cef58c3c732

SHA1
d4415ae911123e70f0bbcb4ffba33863f37cf7d7

SHA256
ae11336f7e388b9410d16fe6b77e55dab64d15ca87365cbcecbc51212a3eb34c

SHA512
cdfc6a7089dad5938d3aa99ab1e90795dd6047ac758f1aaf733c2a2a828fde73e457de02fad13e6ab1869e5e4aec48f3b83a7b8031b3ac27e822fa81009f6882

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywUa.exe

Filesize
481KB

MD5
559af05c63addbe0a7f44f22d9e1e4e2

SHA1
1be7df5308dda606ac4e1fffecc6b1aeff5546df

SHA256
26b719380e7ec9a157a2b0aa77cf59d0d0d6b1b6de65d54086b457bfe2c176a9

SHA512
d1e968af4572de826167e65264f2106ad80d37c16cac1a5194872f8ded6dbc15848b8c3ab3dfb24ba03ba78c05b0bf5a8d961565fbdff851ed8cd2a6c34d57fa

Download Submit
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

Filesize
5.0MB

MD5
4c35ad463071785060478fcb8909ced2

SHA1
a30da1f12b50e31db234e941b423dcdd543c95e8

SHA256
f43097fd094aa6a4bf1309442e5e0e824c40a2b42d288c626e082117ca06d71b

SHA512
473cfc1fc67bc30e236654522699e90d61ebe57c3eb4e78b2752e9614ee12c762105a455eaa4a91e482f230ed352866ad57eb563714cdd821455a4d66bb453a0

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

Filesize
1.2MB

MD5
49ed68a47c451c0feecf26700a59d900

SHA1
522794ca3ae98ef80bf8f3c83191c64d2ee481d0

SHA256
af7b59448ce8787cdbd1143fc997fc9c9104a086fd89dd74541384a5aae5b344

SHA512
b651491c01ef0f15751674028c4f505995201688d2c85416dbde9dd1790a16a3e9d744b9858f38a37573c5679a54ef9821dc9ab9913bf3b0d870e7c4e6147bfb

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

Filesize
1.0MB

MD5
a9e731d6a2339e9997f9ea5139cc238c

SHA1
9ebc23f99920d2303c86020f8c702aa0033c998b

SHA256
240ab089d17501ec3a4af5ca00e5bde19f41e70752a1d134a787fb314ee316c3

SHA512
90d78a1c9aba7bdbf5f71956966bb9bf298fc456878c5b694f3c5d8f984c19b84adc782ee01777529eb38d8540cc1e24f65fd5196cd210f7c68ca47f2452940e

Download Submit
\ProgramData\JwgEkkAc\xmgEkgEw.exe

Filesize
437KB

MD5
3eb5363e405fcdef90aca08051d82f0a

SHA1
004cc9e3e0cdc1fcf3f53a47c2e06de5700142cc

SHA256
5b1fd6cf9453a10839f9c73eec17f67498eded5a8efa216ed39e8ddf0738058a

SHA512
636aad3084f6ec72c421671f506375ea5f80681efd618e783dd13a4c9c7ab4fbef9ec01c201a9cdc0c6ff04205ecb2e01e27fbcdde208abeb8fa7cd426d8e00e

Download Submit
\Users\Admin\vqsgkEMs\goEEUcEM.exe

Filesize
436KB

MD5
c2dd09d2cc3694e9e12949a9400bfb50

SHA1
12b71fc0a1f36d478305527bc6c401304005216c

SHA256
eed828567e08cbf52a69223588f263d252dac75fe14690beab7479cdf71dbf8c

SHA512
d4f5519c3fc19b55f55315b9bf563fb758860af5312b645912941331323a349cde048a9632d30ef84013f7990a1e83515359f2871cfe351357069000ea0c1d18

Download Submit
memory/584-176-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/584-209-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/600-265-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/600-233-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/712-495-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/712-460-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/856-391-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/856-359-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/964-234-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/964-210-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1040-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1040-97-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1076-663-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1336-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1336-485-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1336-154-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1392-110-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1392-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1480-514-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1480-486-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1512-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1512-45-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1552-247-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1552-277-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1716-515-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1716-549-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1848-578-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1848-598-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1980-468-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1980-441-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1996-323-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1996-346-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2196-119-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2196-89-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2296-173-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2296-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2420-547-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2420-580-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2424-599-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2424-626-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2440-449-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2440-422-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2468-369-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2468-338-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2528-34-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2528-53-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2624-155-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2624-186-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2628-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2628-224-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2716-322-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2716-293-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-302-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-278-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2796-661-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2796-610-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2884-22-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2884-201-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2940-411-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2940-382-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2944-174-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2944-10-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2956-403-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2956-430-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download