b8c2d66141a7bc1c2e91bf31ea61c6dd9c3cfaac436bd51f8f54f6b8b2831822

Analysis

max time kernel
54s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
Size

436KB
MD5

f742a33fcbf2320f16d1bc9ed77c4142
SHA1

91404bc7bdfbd38c8ba8b1e443c93e9889ad6db6
SHA256

b8c2d66141a7bc1c2e91bf31ea61c6dd9c3cfaac436bd51f8f54f6b8b2831822
SHA512

80deef118f8b6059b1a033faf474faf8de4e03ee2fb55e53e4776ca13798ea0443b41d7b62ff17536ed47d1fd255225255e4161aac96bde751c3cf48fb89075f
SSDEEP

12288:6y6ff3Sz70R4aHPuWV30jDQNvBc15su/:6pf3SnatHW4wOvBqsK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 46 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 46 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2680	mogkAwkM.exe
1132	vooUsgMc.exe
2628	kcIowQEQ.exe

Loads dropped DLL 10 IoCs

pid	Process
2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2680	mogkAwkM.exe
2680	mogkAwkM.exe
2680	mogkAwkM.exe
2680	mogkAwkM.exe
2680	mogkAwkM.exe
2680	mogkAwkM.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vooUsgMc.exe = "C:\\ProgramData\\xCoMoYME\\vooUsgMc.exe"	kcIowQEQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\mogkAwkM.exe = "C:\\Users\\Admin\\SywEIEkM\\mogkAwkM.exe"	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\mogkAwkM.exe = "C:\\Users\\Admin\\SywEIEkM\\mogkAwkM.exe"	mogkAwkM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vooUsgMc.exe = "C:\\ProgramData\\xCoMoYME\\vooUsgMc.exe"	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vooUsgMc.exe = "C:\\ProgramData\\xCoMoYME\\vooUsgMc.exe"	vooUsgMc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\SywEIEkM	kcIowQEQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\SywEIEkM\mogkAwkM	kcIowQEQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2172	reg.exe
2756	reg.exe
1524	reg.exe
2380	reg.exe
1072	reg.exe
3016	reg.exe
2808	reg.exe
3044	reg.exe
644	reg.exe
2416	reg.exe
780	reg.exe
1956	reg.exe
2972	reg.exe
1368	reg.exe
3396	reg.exe
3140	reg.exe
524	reg.exe
2388	reg.exe
1952	reg.exe
3184	reg.exe
3624	reg.exe
1200	reg.exe
788	reg.exe
3664	reg.exe
240	reg.exe
2716	reg.exe
2820	reg.exe
1748	reg.exe
1784	reg.exe
2912	reg.exe
2928	reg.exe
1328	reg.exe
2144	reg.exe
1752	reg.exe
2040	reg.exe
2308	reg.exe
1832	reg.exe
1972	reg.exe
1268	reg.exe
1632	reg.exe
1952	reg.exe
1556	reg.exe
2016	reg.exe
2660	reg.exe
1652	reg.exe
1456	reg.exe
2908	reg.exe
2172	reg.exe
1444	reg.exe
888	reg.exe
1964	reg.exe
2276	reg.exe
240	reg.exe
2572	reg.exe
2268	reg.exe
3544	reg.exe
1556	reg.exe
2476	reg.exe
2972	reg.exe
1608	reg.exe
1152	reg.exe
1944	reg.exe
2540	reg.exe
1716	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2748	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2748	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2024	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2024	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
936	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
936	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2300	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2300	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2888	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2888	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
1596	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
1596	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2620	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2620	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
760	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
760	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2272	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2272	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2276	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2276	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2904	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2904	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2980	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2980	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2652	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2652	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
1056	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
1056	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2580	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2580	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2444	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2444	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2248	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2248	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
852	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
852	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2100	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2100	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2660	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2660	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2820	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2820	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2724	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2724	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
1200	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
1200	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2568	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2568	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
892	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
892	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
940	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
940	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
1248	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
1248	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
980	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
980	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2480	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
2480	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
1948	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
1948	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2680	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	28
PID 2180 wrote to memory of 2680	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	28
PID 2180 wrote to memory of 2680	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	28
PID 2180 wrote to memory of 2680	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	28
PID 2180 wrote to memory of 1132	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	29
PID 2180 wrote to memory of 1132	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	29
PID 2180 wrote to memory of 1132	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	29
PID 2180 wrote to memory of 1132	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	29
PID 2180 wrote to memory of 2664	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2664	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2664	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2664	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2412	2664	cmd.exe	33
PID 2664 wrote to memory of 2412	2664	cmd.exe	33
PID 2664 wrote to memory of 2412	2664	cmd.exe	33
PID 2664 wrote to memory of 2412	2664	cmd.exe	33
PID 2180 wrote to memory of 2420	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	34
PID 2180 wrote to memory of 2420	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	34
PID 2180 wrote to memory of 2420	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	34
PID 2180 wrote to memory of 2420	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	34
PID 2180 wrote to memory of 2432	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	35
PID 2180 wrote to memory of 2432	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	35
PID 2180 wrote to memory of 2432	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	35
PID 2180 wrote to memory of 2432	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	35
PID 2180 wrote to memory of 2476	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	36
PID 2180 wrote to memory of 2476	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	36
PID 2180 wrote to memory of 2476	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	36
PID 2180 wrote to memory of 2476	2180	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	36
PID 2412 wrote to memory of 680	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	40
PID 2412 wrote to memory of 680	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	40
PID 2412 wrote to memory of 680	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	40
PID 2412 wrote to memory of 680	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	40
PID 680 wrote to memory of 2748	680	cmd.exe	43
PID 680 wrote to memory of 2748	680	cmd.exe	43
PID 680 wrote to memory of 2748	680	cmd.exe	43
PID 680 wrote to memory of 2748	680	cmd.exe	43
PID 2412 wrote to memory of 820	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	42
PID 2412 wrote to memory of 820	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	42
PID 2412 wrote to memory of 820	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	42
PID 2412 wrote to memory of 820	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	42
PID 2412 wrote to memory of 2688	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	44
PID 2412 wrote to memory of 2688	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	44
PID 2412 wrote to memory of 2688	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	44
PID 2412 wrote to memory of 2688	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	44
PID 2412 wrote to memory of 2756	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	46
PID 2412 wrote to memory of 2756	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	46
PID 2412 wrote to memory of 2756	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	46
PID 2412 wrote to memory of 2756	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	46
PID 2412 wrote to memory of 2824	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	48
PID 2412 wrote to memory of 2824	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	48
PID 2412 wrote to memory of 2824	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	48
PID 2412 wrote to memory of 2824	2412	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	48
PID 2824 wrote to memory of 2172	2824	cmd.exe	51
PID 2824 wrote to memory of 2172	2824	cmd.exe	51
PID 2824 wrote to memory of 2172	2824	cmd.exe	51
PID 2824 wrote to memory of 2172	2824	cmd.exe	51
PID 2748 wrote to memory of 2388	2748	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	52
PID 2748 wrote to memory of 2388	2748	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	52
PID 2748 wrote to memory of 2388	2748	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	52
PID 2748 wrote to memory of 2388	2748	f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe	52
PID 2388 wrote to memory of 2024	2388	cmd.exe	54
PID 2388 wrote to memory of 2024	2388	cmd.exe	54
PID 2388 wrote to memory of 2024	2388	cmd.exe	54
PID 2388 wrote to memory of 2024	2388	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\SywEIEkM\mogkAwkM.exe
  "C:\Users\Admin\SywEIEkM\mogkAwkM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:2680
- C:\ProgramData\xCoMoYME\vooUsgMc.exe
  "C:\ProgramData\xCoMoYME\vooUsgMc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:680
    - - C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        8⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        10⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        12⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        14⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        16⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        18⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        20⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        22⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        24⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        26⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        28⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        30⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        32⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        34⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        36⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        38⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        40⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        42⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        44⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        46⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        48⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        50⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        52⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        54⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        56⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        58⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        60⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        62⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        64⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        65⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        66⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        67⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        68⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        69⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        70⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        71⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        72⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        73⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        74⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        75⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        76⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        77⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        78⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        79⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        80⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        81⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        82⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        83⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        84⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        85⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        86⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        87⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        88⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        89⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        90⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        91⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        92⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        93⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        94⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        95⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        96⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        97⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        98⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        99⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        100⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        101⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        102⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        103⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        104⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        105⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        106⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        107⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        108⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        109⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        110⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        111⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        112⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        113⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        114⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        115⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        116⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        117⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        118⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        119⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        120⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        121⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        122⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        123⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        124⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        125⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        126⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        127⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        128⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        129⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        130⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        131⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        132⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOgAwQws.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        98⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wacoMswI.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        82⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vQwkcUQs.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        76⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qqAMoEks.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        74⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AwIIcAkk.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        72⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rekowUow.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        70⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQIQgMYc.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        68⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkswcoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        66⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwAkYAgg.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        64⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PiMMMEoM.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        62⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IUkMMwkw.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        60⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UKcYUggg.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        58⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGMwIMwM.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        56⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOYIYwwY.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        54⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAsgoAgg.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        52⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIogUcoU.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        50⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RKAIcsEk.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        48⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEcQIQoY.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        46⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAcMwMsE.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        44⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZSEUogwQ.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        42⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NsokAsIM.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        40⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wWAMUocY.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        38⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\amcAEQAY.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        36⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DaUEUMck.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        34⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oaMcAogE.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        32⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iyUoMQsE.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        30⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgssAIQY.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        28⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NUwskUUs.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        26⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAAskIYs.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        24⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAAgkgAg.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        22⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bQYYssYk.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        20⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uqgMAgEM.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        18⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wKYMIgQw.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        16⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NkwkQIoY.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        14⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCgUsQQc.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        12⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwEAsQIA.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        10⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyYUMAEs.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2268
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:760
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1908
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PUMcUkoM.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        6⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1820
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:820
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\euAkoUow.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2420
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2432
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2476

C:\ProgramData\oqMoEEsQ\kcIowQEQ.exe
C:\ProgramData\oqMoEEsQ\kcIowQEQ.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15536892781012972739-4019844941049010526-5565420531027033817-7761161741173958491"
1⤵
PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "107127635912881811501867714729-63265210-17188375863824208976052747371947681014"
1⤵
PID:680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1288572749-1695232739531072031-1817927771-1866327048-642502401-7087969332876811"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-451933136623752578-651829952205525979717523672591768752361-1547065113972928330"
1⤵
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-24798999-1974876405-16188409091104594525-5271733631885271979-6333426-260235378"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "927509330-2654957741621703248201238945517470597461231759321910150435749960995"
1⤵
PID:2808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-759354712-1926245180-399874054-246235217-1608587466-1325415420-1473388722535910496"
1⤵
PID:1240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1289191895-1389246445-2045950903-137995004-2031402190-1226010981-214641662217183446"
1⤵
PID:1556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
1⤵
PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOwwEkcA.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
  2⤵
  PID:368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ysIwwwwM.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
1⤵
PID:1268
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rkUMIkEI.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
1⤵
PID:2824
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3356

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
    3⤵
    PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
1⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hskQEAoY.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
1⤵
PID:1112
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
1⤵
PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
  2⤵
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
    3⤵
    PID:588
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
      4⤵
      PID:1180
    - - C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        5⤵
        
        PID:3844
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        6⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        7⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        8⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        9⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        10⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        11⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        12⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        13⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        14⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        15⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        16⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        17⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        18⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        19⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        20⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        21⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        22⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        23⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        24⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        25⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        26⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        27⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118"
        28⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118
        29⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\csMsEIwo.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        28⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FaoYQkcw.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        26⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwwgsoIA.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        24⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUsIgUIA.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        22⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSgkwEcE.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        20⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kcQoEgwU.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        18⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KwcEgYUY.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        16⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECYYcwss.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        14⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAYsEMAA.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        12⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwIQAIks.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        10⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgIoQkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        8⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1616
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3396
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3184
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3236
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIYsQYUk.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
        6⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2512
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2716
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\nSQkEEAc.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
      4⤵
      PID:3256
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3596
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3708
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1668
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGAQEwwo.bat" "C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118.exe""
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
86d1aeb097ff43784b4e804136117b23

SHA1
609b1f09b5207b85e27066cf3c65aa45a41e44dd

SHA256
22c18830f0ab192b2899860263a890679923fbc54a9d74ddd1e5e8b2a098c8f5

SHA512
bfda6882f560a7cd26a582f03574311585b2a8cd00d3a585568d23479db230e0469f8d177f1b0768cdc5bb2ce927814fd0d904275b9270aeaf4020375d86a871

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
479KB

MD5
33e6c347cacbc1ddadded6646f637ae2

SHA1
25fd643e854853e702923677bfef9d7540586d40

SHA256
3e327979829e5e1dbe74e595edc5855fa7e4a1c3b322d9c44fed769355407860

SHA512
ba92adf4aa3fed3a7634551d258dae6a0c6767e42d6d56a2f51956d63008ba9114083c9d5e80b858e3841143fa61701ae2523744ec8f3c04b1999d7981b18517

Download Submit
C:\ProgramData\oqMoEEsQ\kcIowQEQ.exe

Filesize
431KB

MD5
29f05c65a7410dc7077b43e207e4b1dc

SHA1
4798297808f85563f243cf1b9737237b890e9e60

SHA256
e24ba516dc695346abc73b75c88fae100320731afbe64ca30a354181c05d95ef

SHA512
d557eed3c2e27f621512065a12573d31f3e0ad3e95a959769468f97de4facabca1ffd3c028cbadccde68aacf89873279194e9de9ee1ef511908b7a50f13dae4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKUAscEk.bat

Filesize
4B

MD5
ed844c4c49ccc7db50a405a83dc45500

SHA1
9e2b40aea0c76a298c8cac64939ba2154bfe0a76

SHA256
056d07b0487bb82020f4eb1b563f985fdf2102efaffc0b48f50bb7a045d54077

SHA512
8410ceaa3aa5beba65489afff047b58155a1674edc821e27b70c37d0558e3e063bde925e5f36e215341981417c8729600284c4c04624ebe17afc007801baf84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMke.exe

Filesize
819KB

MD5
417861e28d0f323b93f492cc02bb211b

SHA1
a08e47202adcaf085c7c695e016d8e5af1a113c8

SHA256
5ce3c975f9f7a938a5402865896b3d526159073d19e05c9b94eee4f57b3f37a0

SHA512
302e34e7a59e100c3cb94547f43c52394682401efb9d1cdb6657d93b3ca754dad47de78947db4a8e58c449918d3bff27a4c999306867c37e6721e52249752e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkEY.exe

Filesize
479KB

MD5
e631204a869fe48edef1900514073b7e

SHA1
16998006a60ce8feb4410bd106b9d02f0326425d

SHA256
7a9ede25a85c14d7c6121a4deab17c68bf157e2102d8ec627641fd069902b1d1

SHA512
2175b8668b5fa540dd520d68e5568787bbd3260c855e660d2c20dd8135bcabf729f9e73ed5b97e6a80793d2162f2663e5ac9a5f40cf15ce11066f99760be83f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsUA.exe

Filesize
445KB

MD5
82510d7aa7f56a41c74426524329a8b8

SHA1
eb3718d2ab92d206120210dd4f1c22a1f28f7357

SHA256
2cc2d642fb449106c0ef5e8e639732806f82ccfc87c95639816d9543c38f077d

SHA512
5796bdeff63ee7b06572bf501c6aa6ec0187743d6a2327540fd5c528f0770d67137359c3edc1f7e0684cecef9517908753cb625bf3ec9bab6a555541d95413b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMYe.exe

Filesize
746KB

MD5
8c5d8d5b84fb6cf608cdca12170ec745

SHA1
28c247816d8f21faff0e5a84fb04f4d7ade06df5

SHA256
1942acc926e7c1b99a71a9c80974efc9d88afbaa62127926c34e4dd6213fe0f3

SHA512
e0723f7ab7cf50fc04fc92bc82d2101ae99f316260ec45d0b6b4fa0ab93c63f5b4cc3281e1ef8430936845e6e4cc5d18b42905b0f2294a899c8988c02f1afe5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUYE.exe

Filesize
483KB

MD5
9a594bf67eff7b0f926fa13b78adccf1

SHA1
751599cab1f470ff15718d1c7001eb6201aa6c77

SHA256
a3734ed5cdd3bdcfd816308f176addd8a316d631faf900f469d7c8f3a55b941a

SHA512
4c9f0d41f45ef52ed52f5202b5447e5bc23f1a1a95a87c9d726f2df31cdb9638e850e567edfd958af0b8ea913afa434dd89178cc50387384e554e7976b07013e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwokcIkI.bat

Filesize
4B

MD5
04bded86100bce921d28da3092efc441

SHA1
c3b3fc57346ec0906dc418e437ee32dd24e7e745

SHA256
4a67514a1def2ba6557f51151a374f6c7685617a64d8afafba96358542723618

SHA512
6153f52a3fcba41be8fcde1c5cc6afe667677f86f77712fb4ae062d4a24ef66276ec6d63a2c9b6e2b471c8c0474878f95f0641912bdcd100cba625bb4ba4b583

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAQcwooI.bat

Filesize
4B

MD5
d962c59efafaa7a7965181ac5214e6c1

SHA1
ee81e8c71f847b6dbf73ccaccfbfccce3b6c41f6

SHA256
14dc2c04a76d90801dd7c974c0a92041b72f79acc87e2d08e8e023cb20d74acf

SHA512
6f344654f1b1ce0c42cff43cc4071fa1a8665d68e545f698faef1f8cf79f837db15ab9b30a77ad25b25573c5d15935e4b906394f6fd03ffff7b78eac16add106

Download Submit
C:\Users\Admin\AppData\Local\Temp\CacwkAIg.bat

Filesize
4B

MD5
360248d310b253223864446c0d7ff3be

SHA1
ff06da157478d0fd30c1e0fa6268f4ed4a0e93a5

SHA256
574ae8f68ca6636828118097b9bdb576f0c54daea7350ddf60066736e9535ef6

SHA512
87d076fca33eb40e3c995fb1da45b78a7b1c20ec5dabd748133e76747934a04d3e5458bf4aef5f24348199563e23436bcb57b04ff930d758f27b6196e4489d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkUG.exe

Filesize
445KB

MD5
e928e784576a2dc97ed3fd1e007d06ac

SHA1
aff99cd775aa5d60565e996ba3eaca4213978b41

SHA256
63d1b854df77ec018f72ee93224ec4a4705de039b973047757e403a63d7a7585

SHA512
9dea204fccad6a55f50ddf8fa3ce5d0e451f551d0e854b4d14f1039f6df22fc5976b08031deea8272446b1f8ea2dcdabd94f0b98f4f0399bf112f597cae051f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkkwcQEc.bat

Filesize
4B

MD5
2aee63f7c5e3206d2ea412154353d2fe

SHA1
a5a49468e4d4a674d025eeedacb3efc642dd796e

SHA256
0493814824d60072925da788e32396a5c21b5c95e79e4e6a7e4e6e2675e37ca2

SHA512
5927b021ecea6da63dfc8b1226b40ea3b0310bb47636e82085eea2180229370b18eff111c7eb327e367c94b007fbcc08be44b704b061feb3c9c429198cd3d73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwUO.exe

Filesize
480KB

MD5
7c6acca1646451825d841484315c9f10

SHA1
f71045b667febb84719ec1b2b9da5e06db68e0fb

SHA256
8f52a8b5c22d997e668b998f48807464489861864b9c5ff074691107c6bf28e6

SHA512
bb913aadf5f773204b4c647e4797750d28dbca370083d1979e2b7d874f850f47a547a6441ded983950d56c7308d6ab8995189cf54ea5eee1de6bfb391f67f18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CycQUsIY.bat

Filesize
4B

MD5
dcae0db07941a87c0bc4b437e9b9e03d

SHA1
9dc63eb9f6560d11e5cab9bfad03bc61629532ad

SHA256
35d5f2e63acdabc544780963e99d2d097d9ec653c539e25a33c6d50c5233291a

SHA512
7eb8cd5d260394e0f8efecde634c32d4bf6e7c45ab8a83a370d7e588edc1fd700437882491816c4f29c62e671f7211178160f556942c2e03ce59a362c2f0c2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCQU.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGgEcMgI.bat

Filesize
4B

MD5
08fbae4a08c37e0d629e124c8568c524

SHA1
16474b0bf2ce53acdb991e4c0a6943ae24636636

SHA256
b55c1bb9579c3c1ec112113f4c376a18b3f20b2882305652636b6f7bc5a15641

SHA512
4f708a50abf566ab16f40930f815685a9854ccf32ed94b41c632a44651dc9a1e30650d2189d71538eb1a6a4e3ce5e892ac3502929dce8dc31563b6631e5b46a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOAQYgcM.bat

Filesize
4B

MD5
86c9e23f8d0033b34a2c05395b98fcf0

SHA1
c63b74006845040fd738fa41da853d9aa53338ea

SHA256
d24c22b8d8ff6f0962948c0a8e22004c8ad0d4dabf171e21dbc1a101c74de895

SHA512
4d4cdc52a7c7a35e19ae4d9d23af645badaee531a3fa05e5ae0b0f27a016e2c3c5a739534dc50dccdefc89aecc0b739fa879865e272f12aa28116e344243bfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUwoMEgI.bat

Filesize
4B

MD5
00d2934405215393f29811222a81a195

SHA1
d7b42bb1cba00a2680ce93d141d33f0e9f5c4cb4

SHA256
b678164aad5257a35df91d110c0518a8c04230397bfaf0efb276161deb0d2010

SHA512
098a46659e25b4c52c0925364c9f2c25758f6c75c02c3b75b86408120acdf3752362f207a2d7de7cbafdb609416302d99c3e1e0816b72dca9a5f464bc9cb088b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYAY.exe

Filesize
482KB

MD5
34d17ec815616755e52347ad71b3b6fe

SHA1
7c076458f695b1ca628202608581febce1bfd364

SHA256
c68b9d420cc7a37f86fd447e42c35a0d7a3e1a30b49586627e326db1cb3a0409

SHA512
56212579dd7b816fafb06db0268d1d79ee60bfbe3db576a04e0ef1c478c5e0b0e463bdf4cf4e7d32f8534b1c9782759343110155add116a74ad091c328c47836

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYgE.exe

Filesize
1.1MB

MD5
0abd14fe5085585e31ca9c1071a62639

SHA1
8f6c8c68d03550cd33f78252782e965f4b59b183

SHA256
72f1ebb70b0f4b0c301b1a44ff551fb56575b25c733390054f142943d9b90bb2

SHA512
b569146a2cffae271695c6d9c75bed8861a179df303bc59466f560efca1211b89bb2e79d975d299cf848fb779b9a5e8a62d4fa4358f65e36b5376038914a6ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgIU.exe

Filesize
1.3MB

MD5
446c4074d39bfdf4f8352af669ef2080

SHA1
f7367b4b6294023b9887b75c28550d8297e0af60

SHA256
9ec3c071fd3e5e4c8610ffb935e59ee50394f318c721f6a774f9d3ad20514e73

SHA512
4e040d67726ae4de09efb78d588db4f5b64e75764162a414e08ae549cc1ace0f3e9974faffcaedc89f37d4aab42d9cbdd4fa97711f96953ef963d65748ddd85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsEC.exe

Filesize
889KB

MD5
19456ede14a6ec3b1a453feed8adba05

SHA1
fa57b2111fec1a799cea2c47bb5ad3d9833c39d0

SHA256
9031bd94b3fdc9aa6a79f53a5cb140f9868953ee04036c131057a62a81653c68

SHA512
8b32e7b868e9e9dc86075aaf2513279c506ec79faca77bd267357021c52838f799b47f06c8c066f866f10e539470a37df8afd0a9719a6818d4ddf125f90b7393

Download Submit
C:\Users\Admin\AppData\Local\Temp\EKAoAkYs.bat

Filesize
4B

MD5
70fea81f05a9e7df38f827e60d2be6d1

SHA1
c2ce8ec37d1267435e4cb19f9f8c969e7df817a7

SHA256
9c48cbb42760b89df8912cf783750fbcaf5cc2c95f4ba4af95ec1038111f7950

SHA512
6da97a9bdc909cbcd02ef5ea63f24563610e1798f31d6f90e0351b82f4fdd2e996075968836239661c5936d1e6dbfaccea5d0aa3ab6df6a2b27061845db0faf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcIcYUoY.bat

Filesize
4B

MD5
5aa956f501f0de2a13f1ad2e149587a7

SHA1
b0cc58e7de94355ab242328b134e0e46585c13ca

SHA256
656ac80ba0a2ac2f7e235f6cdd9f8178a141cbdaa738b83336fd951cf8a47d2a

SHA512
a3f66c82c3d7764bdf7a6197f24802430ea115247eb9b523182736d73b58e4fe232a96aeba95232cf2191da3e07cf9253b088d142779429ec1898a4569f5068e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgkS.exe

Filesize
1.2MB

MD5
c37296ea71b427a6565178c328fa54c6

SHA1
8d17f6995b86fa21a23415982e9f087d675951a1

SHA256
99fe83e7ddecf56a052787f34c441b923b8f21511718d698ae1801c2cc3745ee

SHA512
d5349fa343317711712aaa03d80343121ce68df3e74307afcf188833b3a5a6e01400c729f6c22218b2d2da3e59624ed71d6dbf55caae8cc2f6307b28936f9025

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAkggkIA.bat

Filesize
4B

MD5
6e7bb07112595e1ce355387b4597254d

SHA1
dff7463614314257f87b8573b51b9fe0675f0ebb

SHA256
50b028c075c304c008467d81eac843b9d514ddd493a34c7742efce036ff15e8c

SHA512
608492e3d5117fc51ee582af4b925eec87644f71cac571e26e5d9b76a90926923311c1f6eb7c8055896f43cdec76ce25c91d834736dac774c84561f7b13830d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYUO.exe

Filesize
937KB

MD5
e51513ae2ea3f2871a5c5317f27c2abe

SHA1
4adc31002672ad08828f3ebb8471439ee9f08a35

SHA256
b2b00d4e5cbec887b15166a0a0d02c1110ec6bf257352e180302181206a547be

SHA512
b807f28dcaf11c6fd33a80944bf114646e4837bfebe901e0fac72f13ee14f07c0c0b40e26fdd461b54e3ba358f0a6d22a0c97add86d727c2abbb151235db0d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\FckcIMQY.bat

Filesize
4B

MD5
7417ac52785876eb0c60cbae3d373568

SHA1
488548623718c19db2951ad67975d445b677eec6

SHA256
b3209969dc64450ef32af989ac5f9e88fe7566afc68f60e94ad573ae5b3d02c2

SHA512
7ca10d4756452b00b9b4910d1a95f697fc49fe27f91cf72fcde970bbcd197e93c58d20d3858756f0d44b89ab70a7002d3f0912454ae88630cefe105e41bc4057

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiUIokAM.bat

Filesize
4B

MD5
18fd886ff33663346e4182d3a87268f3

SHA1
9128490bd276e567d5f9a930dc596f810e6ebf95

SHA256
b67eea614d3aa0b7f609eb63b68fd3444ba068dbd40136b091115cee5f6dd812

SHA512
3e2547b90df4bf924dccdfc9032b1ccc1f6305ad8c339e84b869a8c0e39e671cd4d4e1cf46a3cb6e3323b3455a8834ac9cbd4328cb25a44e4e3b67426755ea8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FwIm.exe

Filesize
483KB

MD5
ca7170267a9d639086c92525887748ba

SHA1
7a361f2efe022234d6f31d0d278fe75415408003

SHA256
8644480374186e3e993d45d8cf3a26b92a43cd30d6f9c35083cd0fc639c44667

SHA512
5b3428382abaf8b4b54b52eaaffce53e5186d087716e6d4f34fbf9899c866c863612f545d551bcfea0e508ff8667112e75fd932c37dd5da1dcea2a98d82173a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWEsUMcE.bat

Filesize
4B

MD5
0a6248c6c870db9ce4e1c6be8d57a335

SHA1
09b794ddb9f625b8c061554fca0f23abe8228ad2

SHA256
ed3b4887cd2f5985b1203865604dd2768f165703dd070842c370b434e5f4cffe

SHA512
dfc624c69f0b84270dadfae7e175c7fe5dcb686952796f70d74b52b0501139ff1089a0e89e99407436edc9e6cce62e5443aaf20728d9c1fabdce853e9fb14756

Download Submit
C:\Users\Admin\AppData\Local\Temp\GiQwMMkk.bat

Filesize
4B

MD5
08b8ea2e3366088400c3df7b6facf41b

SHA1
a3d5e6e74c6bd0117aabae890a956b4c995a0589

SHA256
e490bc9d1c53ce7c9add491fc705409fd079b9f4c27e4df165060917b1056fcb

SHA512
2ef147e312b9ecde5d39a4aeb96ef5f9ecb432e90a68783daffc5369ee923203e52032d3b2ac4a2391ccddb1de6f08bd2f139595794bc5eed591b068eaf6f6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkAC.exe

Filesize
481KB

MD5
556d961e4cb37356eb8fed291436cee3

SHA1
cc6c08ee25025e994fb5bd782f7f53e8a5ee6602

SHA256
f8f162866336eb373602fb15e6e5d9814423af5ea13d168352afce9b41548862

SHA512
85744b1232f7b6f9eea5e52c23f765156919e593a8f880c16f20559c6f4e38de8b49220495f87d1acdfd70bb9cf645b28dc5f58240f326cb611b05b684fde5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoAu.exe

Filesize
976KB

MD5
4ae85e78323623de9b0d07bc6d34dc05

SHA1
eabeb28d375de003d5c7fbb8f7ee39bd424caca8

SHA256
6538bd1be02ea8d61e5cb02bdaaab421be53d0104956f5c29831ebabaebcdc82

SHA512
7de516570ede171c61291d5b94bbe2f595acdf2c554edf033367ff3646c63095301e526710e23e53e2488018b051df448c9ab98f3ffa869fb61046824ef1afbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwYC.exe

Filesize
1.2MB

MD5
ee0595a7d147432379da97b621c45c27

SHA1
75ea516b0309a7c371103e90f12b06d7a661e2e8

SHA256
9d8cd09d161206ce38d927e8a1fa7c44e08c8177cc3b9fbc363a9338bbe6cb10

SHA512
5b48ce7e7ea15ad1a74c5a40201c77bc70abc5b81be01870f089afd8d38531eca03ffec33815d2717c011b54e9273c877c6eed58554ceed68dad5f0225bc84f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HacokMQc.bat

Filesize
4B

MD5
fd05071996538171409ca6cdc1a8dba4

SHA1
0c19c851cf7fa51f7907ff74aa76d6a443dc0544

SHA256
6a618e75664e55461dad4fe76e47084ee33289b98bf26dba6123ef1e4faa2b30

SHA512
56d838f270022cb50053ced22cf9d69abbe80e4bbb9f1c6d6411864abc328f46742d2724e6b8977d0b45c3a6c8baaa0fba2b0cbddebc53359adc30f175e94d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkgYwQco.bat

Filesize
4B

MD5
13f3ff60c6669e962ff8f1157020b071

SHA1
710013c1c089831c960e7ff30673070afbaa1778

SHA256
827c31e5ff664bd8e968bd3eb4a08afa7c869878bb82dcdfd0fc46e1d25162ab

SHA512
e9ea0b32d77fab79d1cea2673c5be855ab0b22a7d7515e8f2aa31d23c6b5a51a26c0c622c4d4b7f3bdeaa54025e44d99735d2a993325c316388ad74b8ee462de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQYU.exe

Filesize
482KB

MD5
b06fc5743e99f49173ab05ff25e1abf5

SHA1
2ca008e5d482ad65ff4925afe372a32df189165d

SHA256
435a981d4e459dcf7b7df73bd5f2b8e10c277127d95c4a840e2dd371efcdff00

SHA512
dd0e45825ca3a36fbd03a8d8933802ec32a586fe9505f9213c6d0476c33e72249b63059c6f133a408bfac056627ea7107ca8329ac6340dae1690f725cb7a1aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iugs.ico

Filesize
4KB

MD5
8e03abdaa3016247fdd755b7130384bc

SHA1
08dd2d9541e1961b06957fe9a19ce83aeff51a5d

SHA256
42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8

SHA512
e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEYe.exe

Filesize
479KB

MD5
8d2c650245eb49744ff56c886985471a

SHA1
2d4b2bf6e82418240add2f19a0c15d9bf7ea0e38

SHA256
5447e09b4255de3073e0e17bda2ba9dc894b38f27ac84e870de694554b4f175a

SHA512
7aaf62fb2e7315a19009f73ff417a6581b6aa6de1c598b8d2f454ba9591231df9f742d5d25325901e770ea3a0f634fb69b2110d23211adc4fb8f3d3cd949fe1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGAcMEUk.bat

Filesize
4B

MD5
46f4bf2dc6a8955254727821fc413b22

SHA1
46a510cda8ed2c0a43f1bccb38c399752d9e4b8f

SHA256
3176c188cead041ab57f15e7d9b4fc84240f30cf209de5de3b9d3cd94591a927

SHA512
3dfb5a4eca3b86f20d70be1bda4e2b5680a91635ee4e1c8f58d1264a4c8f02fc3b5e69357c684189120e7d641085d6726947c02555d1209d3de37dc6cda9fd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIoQcsMQ.bat

Filesize
4B

MD5
1a4f4c1a6f77a874fa0f186d3c068068

SHA1
57810159ae9e8b6874d8a8f53fb6010ba4003f52

SHA256
46dc48b0e59e6a40dea8a83050afc141ea67a9e6c4dada349d44af82474f8e86

SHA512
e7a18e0d5ba7b93bc4b1a18ebd2b447a41193b653973a193434da82941d4c8921537f7c715e9ed16e5887efcd28106f000fc66d83777d7ee3c00f0a83afb0818

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKAgMIcA.bat

Filesize
4B

MD5
4737ad1f88a4bf88e1479fb788fd5807

SHA1
ff7e03c09fa2063df0f455409a536c8d1b261327

SHA256
a99aa66c294cbe03f23beae1aa5fa9bfad7b4c676c65aa1df7c172277171a622

SHA512
f103cde27b632c103ee53e54619a30d35a314ada241e3f4e71f58153a5a9bdb69226ac7f61fca65450ae534a5bdd1ebed41557ab574790a344a70f62ba039358

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMoU.exe

Filesize
483KB

MD5
5153a9682d1ba33e99932a0fba8066ca

SHA1
310af0cc1483553eee3630f03573b7a8527f3d6b

SHA256
d128ed04dcb423ffddf7bb99b0d3a8416742fa9f48e216207f14b7df9560ca8b

SHA512
7db1a57349d9c82caf5db3ab581f49d2ab9cf89a824ae95eb898757f97bf7ca41b761c42d017e3480ee09700e1b4fc42fcb2fdfa521fa6d3e2af6a73c9187e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmoIAEUQ.bat

Filesize
4B

MD5
ba7733d2e0144937ed4c63ad47ac71fd

SHA1
10de2c4953c4ffd3f72e1ec03149075fec92d228

SHA256
a5afb0fba0bffe19cda0499904822b28cd839186f468772fa897d97c85b4afb6

SHA512
9c7cb7b3878bb6b62ab8baf274183933d7f0f33ebc1b54faf20f68c4646e47d2c6f92a78daca80ba6c97c9a0ac3beab7be8c38f9267eafc64d4fceee1e8e704d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JuwMAEgM.bat

Filesize
4B

MD5
4e5bb13c521d2ac62f9533d83ee3b93a

SHA1
33f0b993ec91b7e40fb0b4817dd8ca38af17e9c8

SHA256
61270f3b5782ddfc87db1996ce25b30e61da02668afca547362856152f5fb924

SHA512
3d971b3eef822f329b758fbd70ad70491c3343f8f840bf88dc526d3d5e7339056b9f7d85441c444be34efda0a68fa38b8ab5ad855a585f6d9b9e262491f295cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEUEsUYE.bat

Filesize
4B

MD5
7b3d4fbc65702e24a9b9e3b64f00babf

SHA1
a1b77d1e699d9bc592dfa5d5df627c7c04872116

SHA256
482c2b4819bb42bf027849bcb0ee7a28dd5d8cbf948315a27dba45042bfa7103

SHA512
98572e8b324988fe824823a756c4702178005e185b06b0feadd83d3d0c294fa7dea88cfd79d73b20f94706b390da93d5b0a535e09606d27c37ddf88d1c4f1a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcgs.exe

Filesize
1.4MB

MD5
79ec141bdd96126540269b6d094c84bc

SHA1
1d40199b804958c1a9e93b84792955ba7d080a5a

SHA256
3323ec37bf117413df55355e0fb07cd78e4be566cd10aa63856408016bdfd379

SHA512
141715bd0e33f847573a51e785fec1a10517043ef1e21221f719b7c10f7d219075f4d8df56e52d84898fd022f216c60b30e67567658cf6ba2acb68a454cc6678

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoMy.exe

Filesize
483KB

MD5
6370889c8728c3abbc93c8cf528ec8d6

SHA1
8881451cb10db5fe18016f1746f5d573d7e752f6

SHA256
6d4ab13758479b29032ff3815a680386942e859d41e00a2d2d8179e0d3ed9e0a

SHA512
f96972e4e5e6103995f931578dc4077f952d14c2cfc12a318faac4cedf2f6d85f2993c3aff37a3ed4ae2e8d52d692b19a028a5359aa12dd20790236530cbf3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwIw.exe

Filesize
481KB

MD5
9dafda30e23beb38eb9eaa1f17e28b55

SHA1
db3407edb30401d917c8ef75ee46c3e2619930fd

SHA256
959734b0ffaf38d3802c9c2ba493b77678d64eb52f37de83171d717ad4d6f303

SHA512
e40618cc6bf862093be5ddcf531e376b7d1479e1b5d396330c9a11a8fe3073d1e3a11339745442dea2665692214ad8872211c935e1b8ac8f3aacd4618a5875a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOoccYUg.bat

Filesize
4B

MD5
35f3b659c5f8b3a22d7b2ab35052da56

SHA1
df7550afb870986b878ae6478f5902753532e944

SHA256
f058b92126e2543ea578f4dbcd27ad57fee6d7a50352c8a2c0cfd87d5977a769

SHA512
21aecf837a337f15c721f66d8e93b5ea38b790609ef9afc1cba96bceabbb5ed9452279082bf2bc58273820b6851e06911e382e206a497ec4f8d60506c542d2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQgMIYcg.bat

Filesize
4B

MD5
dd4471baaa8bebdf0328016e0f9915df

SHA1
326e556c6fa602a4792aee9fb53be74c480c1ffc

SHA256
59c21648007eb0562f6798bbbe2c8c1214a4ac0a050a16842e84809a8bcffeeb

SHA512
6b8bcea2141099ff569087a08bf7bdbca451f6d691454227dc9361edbea2cdebd69e7f934a7f7b5c7a8d41da033c564dccc2346cb46ddd6e44be2f4f294c034a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LaAskAIk.bat

Filesize
4B

MD5
275ef8a9c2df72c7a11abefa8eb0e771

SHA1
8b53141598d18075c12579a59ed5c66b8dcf47ca

SHA256
c251a6176ff0cef5715ab8164fb03d63ad5b58ab0621888a19b1fed6c60c40f3

SHA512
879b2c127b9956d0165a76af22138e70f2f63a46072bed2eccb0c28eb3c044d76d72760ab67c902e4d939353e24079701b179f45cf8f11888166ca64dc1765b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LmYsgIsk.bat

Filesize
4B

MD5
d58a1f8e7215fd3035ee653c0494f46a

SHA1
072d686b78d4241b34ebe9447b9c147c3cff8e4a

SHA256
21e7391f0c59758ef332d4940eafcc1151a7511ed8b9afe731d0198bad05da24

SHA512
594fa8a64c9926e5e11b4e34e987367e2ebb5859249350512870a0170fc328af7d22aeb52eb3bc52d913ab7ef868fdf52d3c57d24ea1e195a83aa5802b4b7ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsUe.exe

Filesize
484KB

MD5
ce1360f0e8e0ee4a724f0dad1361c1a0

SHA1
0342fc422c4138e075d7ed5711fe43bb165acddc

SHA256
b9fe4818c96f709a4afd4204f671aab9b730befdbcc1b0912e22dc8fd45bddc1

SHA512
7d8957619f56d6a99af9f870368cc2a79aa5d8d2c478795421e29155730e654e9150910b4e81c059d1ab080f87dcd528c66d60adcfaf5baa567a776fe292624c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LywIkMYA.bat

Filesize
4B

MD5
1d1ece1cdf979f9004952ac9844c426e

SHA1
fcb2e46f82e08d882f92a8709b26f236f5c63c12

SHA256
849d0e95dd75e317da267f160dbdf3a2655b703cc7fe051cef6a985d710879be

SHA512
274e1ab9f8e9ee1b2466a2cfb6208c32a0cac2a8ac44cd7aabe76e71d74665f66f990a5d63480f22093a35b4cc660dd1eb4da1ce60365fb1b3d97dfb019c1ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMwU.exe

Filesize
579KB

MD5
220e1d6f60e39b872d7b1aa4e587eea0

SHA1
7b67e530451e571cc202d17e2f441bb05ad6e859

SHA256
2401c9b15071ae3b0d02199bf237b3e80dd282883fef9cdd6a08c3709e7dd760

SHA512
e539e57ab11a9396c115894ef7626205f4d7afa2798025ecbe23a70289981c60164bc2de31e212aca7c23d4059c06208ac4305465250baccd989684dd3e2625a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQwe.exe

Filesize
878KB

MD5
5ed8fc1f11f30cce6760bc65e3bc12b2

SHA1
a9777042b54204e9aee567f2d9a273b8e44556f7

SHA256
402cb3e9ead76f44a81a8cf72a8ec3148cfecde0f102edee2e40779670cbd542

SHA512
425c30001a09508f39860557e51a0b7eb7667f58d0369e0deb0c7f3e4e1d0573126961eea351ca5defd3248c92d2dbeb5732558ae3f2868f2604f0b18bb69cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoYgIMws.bat

Filesize
4B

MD5
1061695f873025b48406b169a004691c

SHA1
78d02b9d18f731d32688fcc36168261ec862099e

SHA256
39fdf8723b4657735cb9cbdbe48c9bfe503aa42cbcd566a5a5ac4547c3d74e1e

SHA512
c74c31b6b2d7464b029f237256c52af4db04819473cda591d015d601e06f65972e516aafc9975eadc636b6b3e6ebd45333fa7cc6629d7ee814737e723b0e5492

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQwEEQgc.bat

Filesize
4B

MD5
b586ef01eb352d224af5b12f6c768c1f

SHA1
df9e17887e7499e70f3b6c5f77d9c9a04a58b7c5

SHA256
d11c2874d21fb3d4c1e496f638bda6966e6e2ed402e04fcaa95c1ed3b88d896e

SHA512
d86977f96da8e6137483c19aaf3d986d1a5ad54972ba037da1dd720276a9b39ea00d676061d7cc409e43541b3519e7a597be115087fd4aaab1f22fe8499f9b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYoUwIkE.bat

Filesize
4B

MD5
6788a6f64ec7bac23eadd0752e36fd6a

SHA1
beffdc3397b1015799fff228b26fb20767a8f565

SHA256
dddb7fd35f3aa733036a777471b6f09e22d493a0af9da8176c522f93c0da2703

SHA512
38daf612828cdb564499537682e15abef5af7c5cf95aa57cdc03f79f6f971726c1aba194a1ae821c8d8ebf4d165d3735564b51eeea923447b0029933c900f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkMc.exe

Filesize
1.3MB

MD5
b61cf17ec379017444c3b21b42b8f93f

SHA1
eca6e24ade18597311ad41a16bc07f77a87cbb47

SHA256
6f907315aae76374d6642894f7f75c8a6ff4ffb0e79e994569093be2c1fd26a0

SHA512
d834a950c1ec6e2479d480ccd6d626340b9c0dd69f8824d33f218ccf7ff571f566148d43303f70ea02cf663c6de044d3d7bd330f9902f5db8268d43a9d642322

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcMY.exe

Filesize
463KB

MD5
a7e1fa5185216630b54c3c2aea9db658

SHA1
5f82a6cd74c3af33fabaa1b71268cba48ec227a7

SHA256
846ce19e5772ca3648cff0c5398b78f50433f1246d0bfb49ba1c9f06e7bf2b7f

SHA512
8d570520bc6875a03aaf0a86080d5ffead3833ba222b4a6f6430273bcb7fe015ff38ecf1056ea7ab6c45e535b1340c40bb2955541c5bc773e3ca7809352fb131

Download Submit
C:\Users\Admin\AppData\Local\Temp\OqcwoAQU.bat

Filesize
4B

MD5
c495ceaa0c9a6357184c50fc845f6425

SHA1
f16eacc9fbdb9b8523e7c0ace96fbdb6e8e9fe3d

SHA256
a9f52ab6a36fd4396fdb6140d62c606c1c808362c267a76f653a60a311827273

SHA512
1c91eac7dfab350df50c6c0cd8bf8177a60abb60fb759d306478d8292d6576d45b85668b710c8988d4f66938dc023a84801e1a5499884c97e486ece6acefd1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OycsAUkc.bat

Filesize
4B

MD5
5111b163ccc13de2c6ee3008053e0904

SHA1
1ebbd13a4427c6296dbaa179409e09c24fd75a92

SHA256
21305668133b8a42638ccffcffdef5eb5814136921d57e7f04e764059d923682

SHA512
5f3628b346a21d414a7165dfa2e3b3b97888af39c9774cee186e4272ef4c44fbc74176592be582fe11393a77714dcf5a801e2091ef584667f1bea4b4141b3753

Download Submit
C:\Users\Admin\AppData\Local\Temp\OykYEYUk.bat

Filesize
4B

MD5
5ec0111d3d1f27cc3833a2758c5e41a1

SHA1
fb1c0a460f872346e53529d316623a88b065d115

SHA256
5ce960273d8d454f19d7a02ffc96da680ca64abaa1a943081ffd138ae3bb7e99

SHA512
5e7822f8948a3219c7024b9fefaea71191375d00366633ae4a8efb3ccfab03a42b19bf6700d6ab9181896f8b6870faadeb69fd35dc639c4c46d712484c3fb1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMUI.exe

Filesize
479KB

MD5
db6750272e1bb318ba9643f585f5cc92

SHA1
8f66cf350f3d4c750b067404136e6ed84a797c30

SHA256
edcf3f0c5bbeb3ed65db81c7ab55ecf6575f8c29dc0e8f36dcb106a449d8a98e

SHA512
aee18382057512bb33855456185a56eb572abf4b3534f25fa8f51caf208905d64c5b35ca1f06e95435d80362b33d62a4ee39fff7480f3a3bfc1d80387101f68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQcK.exe

Filesize
484KB

MD5
d38840d37984ab5c30bcd1b10873c377

SHA1
614df9ab7f8195f03c2682084e026ae2d015367e

SHA256
8bd1927767b733c91e08c814ff5db0e787dbe19abb3764ce751bbf5d1757c2c5

SHA512
1494972dc030b83ba898eead36557376d8ace864e8e3a617ae550482f3b3aaa3dbcfd69eec1199ebb866f26d41226ae6dd8fd85b8f5abef730ad4103a4d737c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsAm.exe

Filesize
1.4MB

MD5
a7826954d38286908bba506f980c4584

SHA1
b28d7e48fbf1ace8a0dd5e77464d449a91a89e67

SHA256
daa381a049d322e444d3a55a0213046d5b12c6eae9b9970daa35ba244fa23d72

SHA512
a3f3ce55ad4f22af33b8ef6f938f0698a02a3f70fc86bd22baa6f9ba494317bcd9fc9c197693ca23b1ea214dd422a41de403fc1a984dc9f5dfe15dd113c44458

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUQgAoQw.bat

Filesize
4B

MD5
668a9f02676ed2d9da2ba7fe00c1bab5

SHA1
12aa88cd2e1e8147ecace7567a293bff8b952fa2

SHA256
a2eec692b348ece46ef3e1fadf91a2a16c9eb99307f3648326a491863b33e65f

SHA512
36a37cbda1143fbb2a693270a52a18ecc4ed107c9af7b194520316fbb94bc4872dc6e5199d2f488c94b6eb985d5bb289cd37f3d92644c820966f64f93238b4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\REYU.exe

Filesize
482KB

MD5
a6458c17eab73dc3aedaafad6e682826

SHA1
d35d645889196b41e370e55302ff088b999f83b7

SHA256
68d3493889a306a447e78b606782ca4abb32e5e840e4caec7384844b211567aa

SHA512
6e20262f68ecc196da11bcb20dbd509cb48dad866d6eda5782867252a511a7b907c6db2ec125471a2a819712361a9038a4131fb0b969b923dfb455fc7ffd0a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQYg.exe

Filesize
482KB

MD5
9b11bfaf1db8dec9d50bb8dc63b1826f

SHA1
5b5d07e209eb8abd97b38d583f03c545b72d9781

SHA256
e6dc265e0c9aceda1bcf7743e2001da101b1b75a873328d3536c0172451d16dc

SHA512
8876d28c58dbb1f8a1f7c9fafdabf1e122376701aec74701cb649cf940836512210583c37274b34aa36574ee988a9714813470fb23f72465cdcb7ee031721d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RccG.exe

Filesize
877KB

MD5
05193e3bcab9c8401a22a41427d31693

SHA1
a9f52a6200041b34806050867100d53a79a3c79a

SHA256
21433aa06a6ad1ec6aa306b3e9acdf76d81c9e5c1aa2d3c877e21389ada76cf5

SHA512
98bfedc66fc016fc32fe0f6f5fbe713e88ffe5c5dc175dce91634af27e842393f5a5a2a415ad5e2211fb89792c366ae17d09559e7ca244ef7b946ff829328bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rgsc.exe

Filesize
5.0MB

MD5
0457dd4137739fce7be7621b3bf90a85

SHA1
ff07d2e8f7b91967cca9c4adbe6dde2890e5b0ac

SHA256
0831595fe176355a794759a051cf965cf27746dcd4548270f64c05026d50ab29

SHA512
9ffe3d8116c847d1e0abc48c28e3f972a57520769788f08051eb1ad90cc6c52a7e9bb9e914e9f321443b5ab98fc79756240f5657da1b60cd85521dc1438fa3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roge.exe

Filesize
478KB

MD5
6ea4a25609875a35b74078a1e705ed06

SHA1
01350cc01e19100edc7bd5a36b3bb32c4c7af9d2

SHA256
8c86c2e270d792a6a3831828a6c8d0792dd48159eb8c838d5d6b4f904a4832d1

SHA512
c891458f9bd59f26317a1c91f659f646f7f3869b3166dd35c3f814ffc0eea5cad1d47b5958e99d0a5f3d7fc42983c0c0999486bfb3d0b92006e2af66e5d7f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwAIUccg.bat

Filesize
4B

MD5
d3842bd54d87c60b8647d0ad4c30bb4a

SHA1
13e847348f31f984c8a4327c9af331ed022cc975

SHA256
146cdba94c7a0450bb4ecba5dbc287c6cf359cb277ce85fd72ac421222b2761e

SHA512
2f4720d608e12fb3279ead1b7392dcf59d7bc3e4ba25987a798b10d7906438050c18afbea4c362971f61fae57ae5cba060822fd393294823b60c7655545e9025

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMAe.exe

Filesize
460KB

MD5
cd17afd110cee8f2649a93e9d44fae27

SHA1
dd415a2d7c87f3d84f1218f5ed76aa8dea9b3d0d

SHA256
63aec41fe799a9fab2d92925ba9916eb61f1a9a4fff845261d814e147e6b3175

SHA512
5fd8ce5e899dfae55ac1d42a20cde30ac7902fb32c6693715fc647abd970f58540e23abf581b39639c9e77c1b3c13d0f891f21c90452e87abc792cb37f090a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUgC.exe

Filesize
4.3MB

MD5
08831f7e62fd42fa1236339b9a5a3d4f

SHA1
7064f66ff8fb045df0d9f0e0258c42bcdabca02e

SHA256
1f9a3a0ce0fc09a7614424a1b144bb0e434d88753c9e2e2633cf9b45a5e9411c

SHA512
d9bf196c008e75e8a86d63a8df625ba26c38ee0678b0921d16e59275b5650ba5504af94112a5b3803ba9fd88e5dd223ebcfab1024b29132a79f32ba0c34e1e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYkG.exe

Filesize
479KB

MD5
ee58fbf05bd57290fa53bfecc3507c16

SHA1
51bf39887b390158bcbd4063f9122eb77546c12a

SHA256
ff447d2c828b9fb020e9f5337439fa3ed51d08495c3d1e628676682250ecc786

SHA512
d51b49e75442012b4948c1bb21b98e0ccfcc7ad9d05fae04a077a1f1f27fbdbdce43a9e3c24dd765f087e6595f6b082b832455fddb22f4afe113314ed20fa398

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMcw.exe

Filesize
1012KB

MD5
37561bc3e4fd5aa735029ef6c63dd56f

SHA1
980c528600fb697340cab2eac236fd8f1ff01e0a

SHA256
8333b06f951ef435a2967bdcdf9e49d8b2c3755ac1a751c3aa39fcdb2c8241f6

SHA512
a3d386f36f623b01bf7d1cf09cb249e3b58784ca1b8df88a434ccc44ae106dd7d5d76d8a26df47db097e78876b8bda60088207fd69c36b06259cef45e992f718

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMwm.exe

Filesize
915KB

MD5
d7b9682f869712d74fc7e511567511f7

SHA1
2318cde0634837a28ff1a44a18081892d2e029e9

SHA256
019f81e848365d106e48c2095f449748b59146f5d97bf449d967b42784c7562e

SHA512
321ee22adcb54929b8a5b46637012556e29e065dd2a81d89a9a529e46521f2b98228b2bd28281f9d7b21c4cecd5e3e9d5b8e543118453c7b260c58fdcd6a03ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUcW.exe

Filesize
2.0MB

MD5
578954bf3447ef79bff48f88e343ac42

SHA1
2550a3c1aa496089b40208703cbd6f5ef5c267d3

SHA256
588fe8d7ae55a3fe2d1f00551a3f3b10ddec900d35c8f403716f828b9aa9a1d3

SHA512
89b51f22ebd616ac2caa39497ff266157c089de815204988c5a273c1b1db7474e86310f0c3a5d9965fec8c7aaa17b7dfce44cc7e8758333ae42f10296337be11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Togi.exe

Filesize
481KB

MD5
72f650f74b427afcf06214fc3c052982

SHA1
e09156326c45cdae03956728956446ca43f9ba78

SHA256
df2e4c0135c8119fa5a1f648cf32d6659e8b75b8a7821c463323b09dba0a1f71

SHA512
04fdfe1e405e09cef1c3b6c7c3b4c0fd9da8523f2ec419e44742dbb72a4e521ee0cd80bb8d82d52e60d7aa1bde03a9c091125c043ad4a6bee46ff04b4d2de2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEIw.exe

Filesize
483KB

MD5
5d0cc6e9f612d224ee4cec9ccd9b9ae1

SHA1
1f04695d330f83062071e40df465ae3685a83edd

SHA256
11a04bff63e7d7effc618556106b071667923f8e51806770e4160b34c9a2a5ed

SHA512
d022c4aeadab6692b7eaf41a04ac74853021dfd9bf39d2b9493128466900153a759c69a1ea52faa86d9b2ec3e0498b2d5118641b98d401c733fb70468429e6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMsm.exe

Filesize
1.0MB

MD5
8c1e479531bb6f9220c3ab3a6df5485e

SHA1
8bd7d799d8929ce3e00c1af709f1cd138637e0b3

SHA256
77b64f9bcd5632e1f090db04e9d8200448d6d2ce014f6cf0250d9160aa1aaf00

SHA512
8bc9059b0483ba9dfe67012166af811f9dfb45855826d873eebdd20352edfff980d6bc59c23739a8bf79c324f0f0b97da418256f8c626e46e90fffaf8e62b35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UosswUsM.bat

Filesize
4B

MD5
48e453a511f65857b4feaad026083cf6

SHA1
686cb23f53ba04264036cd8c72eb9e54d5c92f8f

SHA256
945c270133afaa1cc162aa09bd8a0630d4609cbb79d5a6a9d67895c84671329d

SHA512
2d9845971aa6d2c67efb40b669cd835069bb9374d87c2e7a40953c211c5bddfbb5680a1ea35e8a03c5d4280164add6b6e238fdddfb563f1d0d57895fe36c1344

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIsq.exe

Filesize
8.4MB

MD5
4f566f88bd8368e1cd3086b6c7285ff3

SHA1
5bd8f25ee79bc36dd5af7c18eefe4ea58613003e

SHA256
875e7f497cc4a36ba126bde921249c40173e95c0554e9a7f03b1641e30105826

SHA512
eca9799f61ad6437cdc1d409ab102992a9b4ed421974a143d88c949b38bf38d6c4030812c4ae8aa64b11f0d8860bf1ac6d83b07ad8dbc17ce2055a26e266b8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMgi.exe

Filesize
480KB

MD5
6cca72cdd6b56c75cc792cf672be15ba

SHA1
e577b43367013e6dbeffacbfe0abaaff4c1cc6ef

SHA256
48fb8fc3e2dea0c1e6a3d4ef7aba38d998e5a21c1708ddd8115e086c1f4a337a

SHA512
db238dbb4801b5838b2ab2579e6034522a7b775108f1995579a23ce4642e043d28add74069d773b57ae45cf7a5c8d0562bfc62e03dd7d2828d05813f7b5a4e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vcgi.exe

Filesize
476KB

MD5
8fbdcc1d520cb41961f7e862f3965ca5

SHA1
7a1b902414466559cb7b8d791bede9a9f1ec01fb

SHA256
a6b666d9ca4004215f9fabdfca4c27e0936cad3bf8a35a27253abf8c8ef245ee

SHA512
dde4b58536b670c226efea2003067aac1ada674fbf752c5570b949c53e635ba0b8c042e9fb97e554c7133742c7144101cc68548c256b78bd6d47670e6e5f560a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEQA.exe

Filesize
1.2MB

MD5
089bca0fd616c60e4e05b9620032b4e6

SHA1
af310f2543f72371f9b7a289601d3b645103378a

SHA256
10820e4d6186b85ce473c2aa9efd7369c0a3614d96d4296694595bafe250b235

SHA512
4fe7e1684c9fe77a46e09513f20e30131c9e5e8ec53d1e1c3883cda1090f684eaa2b67cb52e20691d7a792b8331bab68681e65866b7487cf05e56719835a7acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQYA.exe

Filesize
481KB

MD5
3f2bd01400b8cb7c8f0b2cbcf188ddcd

SHA1
eb279679b7b3ac99ce1002691d866132aa11b5e4

SHA256
476fb588c08c1a8ad7fc4bc599697b79cff8924dca577778efc1731a553d989c

SHA512
b0589bda848846ad36f348470b3b8a223d05700961aa119f9f0f14c8f8049557aff2b462866e809125a59b5951abd96a285314dd3d9da8ec7829c6a4c1719b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWoskoEY.bat

Filesize
4B

MD5
654f81a2aa721f9ca939ac4dcb9d5a9c

SHA1
696e6eb507af83b7bfa985d0eaddef0d33c8098b

SHA256
35bbce9b097bb65635a23d6f5984eb7b96e7b7848497eff66df0752f4a7e0fb2

SHA512
aa486b60b60117b253c2fe7d0224c4972c8d9ea75fbb4e0138fb542674266efdf34efefba4e60fa0bb7fd15ab39efd8e9198d20d804f02fff4ed8f82e2bd234e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WiUAwQUk.bat

Filesize
4B

MD5
398069951c3abb4de53d31758f4f5a96

SHA1
976f634f796672101ec1236278e619278a4d00ff

SHA256
3ceaa9abb6fac4252035feb20dc7eb3de4cd2663ee04ae9bfda0c669cc5d1886

SHA512
b51e2a738a8a2e46bde4abda545372dd90c427bdbd9e452ac936a9e6576d79619f4435da6ead5395e09416f5b4065f442c19133ed62d3f2fd9416735d394bc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsIa.exe

Filesize
668KB

MD5
b0ab30434dd35f5d15ea26625ea2408f

SHA1
b42f3ee4482a99713fa5e65bdd8a7a586a067ece

SHA256
7946e9cdccac7219d26c0660be6f2dae7295c676215dcc46e838ace45796ea69

SHA512
b973a493dbe09bf10c12b97e4fb9f41376ff926310d5fa9bc5c00d7ef0bc3b3fe2dddd8cdd88e8477ceb65a7563aa4e34b5cc0d800e187786e3c5d962af3b235

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIwq.exe

Filesize
474KB

MD5
41c6339fb90cc98b798773192094b19f

SHA1
2c73fd72645ce0ab2d1dde4c92ca2c1f8f7b5690

SHA256
cade23821325fefddbabd56ebcbec4e60a43e65bfe3d29547df61f1afe7c3a15

SHA512
3492d70630a182417cf5fb768fb8e88b88bd9c95e464c0caa0bd325694fd16ac3dc225de41784cc33061442c20bdd4f33fd3696ebf220098b3be8328df1a1313

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUkI.exe

Filesize
861KB

MD5
7b7d09560002c3a67491590ed653e26f

SHA1
66c3e7c268684bee00baca971f32ef1dce507d5d

SHA256
d2ce227a19debca9189d9c3dd70cb396daa026d100e5f9be5959bbb250547d84

SHA512
667ee7d9c3c1c957d5f8b66e946b9502268dbd56c00628c68d48943821471a07102030e4acbd4cee94caf6d6708c2b22ad43556adbf163f1699ffb136d4e2750

Download Submit
C:\Users\Admin\AppData\Local\Temp\XakYYgYE.bat

Filesize
4B

MD5
fed6cc476f892c298e830df1b1026459

SHA1
50293e1f403f47c85de84e29e01b2005efdf291a

SHA256
4f60fcb0e29ba4307a462270109b0be4f233dd39af9d2ec6d05076f65a7e136c

SHA512
6fbb59e226441858382f670b428a6c2b44faa9a311b56ff953d679cb7c1a9400eca8b9fd036a73d178d3c3945fddf32066e2de7d262684d98dfc17939024966c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XocO.exe

Filesize
480KB

MD5
a00a744bb203f02727c5f204f0ade21c

SHA1
64808b2c961a66d9e54b664855f28cd8745925f7

SHA256
241525bf710a18152aec74207a06b1d1240b0cf80fc2297173e261e21e9d6249

SHA512
5b49bfdd19b4c4625ede70256681a157a43058eabe0b770e186fd45ec2a917bbf2c1d63198aaab4c0b2efb2a015bd0231385693a58c39ae5f42f9d9e0b2dbc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsEu.exe

Filesize
481KB

MD5
42a80ab677e3869ae534df84ad6675b6

SHA1
bc34eb5e9ea3d952814bb13929bf9db310532e2f

SHA256
5542c350d11a67ef926ab08e1e3296f2c4b91afc13b4a14d223093107d598fb0

SHA512
cba0ddba4a5623844c97be705e6156b5d75ce734f11a467b4d0d7a522163f22bd76f438139e75d73001644adc4c0ee642cf97e273ae12bf102e08e7830fe0bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAQe.exe

Filesize
483KB

MD5
cdeca583f46dd1b6381a5714afd27721

SHA1
ddbe678fba479cd190e10ec194825aaf020a05b8

SHA256
21cbe986c9995b53ed7d4c8e0f315301db37fe7227c8c3fbfeefe1525b59b7bf

SHA512
bb517c6772fe5a34d3d00edefe271978197b0975fd36e8f42d95d5b1656efcf58cc0baec9703c0e7016de4e386d91fe45ec6b958434700eebeaa8e690122eedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgMU.exe

Filesize
480KB

MD5
02fe20befd613053ba8ea80145af094d

SHA1
ab2f8a15548664a2bb36ec11d6c8f333f84110cc

SHA256
10c8dcd063355171fc16f57ee2582581d9fdd03086b4ce2bc1ce6763593315ed

SHA512
25d29de8134198a049ebc3591bdb291f7b5b4e7a586dec03d11229ff4624ede6ad39f28eb15fde800e2b686d7dd492dfdceef6bada3f3793369c84c52ae61ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkkEQgks.bat

Filesize
4B

MD5
ca5209356300d5d59c0168dfad0729a7

SHA1
940fef87b47bf37e2485913e43b6960d20ccf075

SHA256
f1fac28c3e7957760d0c57acce9c348b30cecb53dfd95a9f33a2da2fd92048a0

SHA512
ddafd5841d567018f830c756afbd4e850f38fa8e2d869a5f4457f8e74739f0030690dd5dc95883f7a2552f5edc0ca31a501dfe6ac7cae1bc4c23b4a1bd773326

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZCUwIckM.bat

Filesize
4B

MD5
2c6ceadd99cb35d2c60a7d4322726210

SHA1
b7f224a746f69136320c91e406bba643d86bd7a7

SHA256
a001d01843f0182ef671bd8fa302ead5b5230d234a06847c17dcef65ebf18808

SHA512
a1319269348fdad4b6cc0c42a212cb4af2a9c5347367174749bb50154710d19069cb6939de9fc27f12f791992a106eb1fe1c2394a7f085372855186c6264422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEIi.exe

Filesize
480KB

MD5
d6df8e3980a59134ff5dc236def00198

SHA1
85d197cd245236e0df1cd6369a7a99af4a667975

SHA256
867dfebe0b72e5f2a27ebc4dee1cdfd389421554c759f165fe0d8150f4d9f690

SHA512
fa71e7d4ddc9cdfe8a7dad468bd90d1c09e4c2175fe48158d53144a8d8f07c95cb5dcce71897c8c4d977b12390ec17357389def034444c86fa884d97b7b85539

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEkUUYoM.bat

Filesize
4B

MD5
657a788eb46fbd75081bc67d54b8e90a

SHA1
bfa57ab2e8f0505fd2e996b7f1c7b5a428d268c9

SHA256
c21a8beec93606cbe02f35945da72ff9efb520b0867e00ad5294c0f5e11184a2

SHA512
304c1c5114fc48df52b7b5c32a71dcbf53622969c48288ffdedd26d5d3e03b07994b0bebc38451527c4d534198919b147c49e261b9d2036bfceab96a6d78af40

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMQg.exe

Filesize
481KB

MD5
48a5e4795e010317d0687061ae793e13

SHA1
82ad9e010a6dbcabfb42c9526c6f822415f48684

SHA256
30664e948e7a10872b7feaeaa425d4191ef23d130f10d6ae7a883fa3b49a6adf

SHA512
ef5976ef05dc6ff0c59dfcfd14fdfb7946ccaa475e5f3cb344bcf2a35a9f5d7a940ce68cd0d2c5708f02a1c3f408926de88ffde184982fa6d531b96f79d95858

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQIU.exe

Filesize
480KB

MD5
ab4184c37ccd4845ac103a58b2300227

SHA1
b6ade10838a7bcae75d92246997e6d69694945f9

SHA256
d14ce09b6a0d89cb1c88bdad220a8ad15c022f3c20b2b43c4248e27b68bc5eaf

SHA512
c7ae314e1e2c00b3514570f5d62320e37e8ecf820382fbd5405b34b13a7b30faac91f548e15e79c1657e9eeacd0db3b6b8e1e88fdbfd2a3081a875b0c9dc9baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZaYkAkQg.bat

Filesize
4B

MD5
b3466edfeecb5b7dd78ac2ee1e65f07d

SHA1
83110531f6bd5ec26abfe7bee148a93ffbc45f61

SHA256
440412a89ea4374ac045678c8fe9f7e035460fa0143e52ab93890cf4255e265e

SHA512
f33a526b17e3e306b3633acd0f88c7067ac6f989bba5ee8a73741298a3ec1b0e27bd1052451fa3ddc9718a5b27637b5816ddc1d5e0df492445489982cc2b2b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZeEMQMoA.bat

Filesize
4B

MD5
2d821e767041df9722e7ed84cfb1cb21

SHA1
27a68837cb857c96f8c0edfa837d98986baa619e

SHA256
d98ad958cff01e26c9791ecde44c94926200d6808a7b9237c6872f09cb8ebb18

SHA512
25acc621d5c6899825d6ff379b86f9c972ef1a4e5bcf1495d1dbd32464f5383767465509e2679345c2eb36850cbfee63f9905d0ab9af487d45c852c5a2b96b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsoMIEEI.bat

Filesize
4B

MD5
a3e1d1606b39bc5d2b2326db329fac60

SHA1
4b2e9e62a10f1dd4adde661f042b887d917c49ab

SHA256
4934728d2eef837bc9024fba512201c0104e80609fa9b62d1185c1ae87367b48

SHA512
2070efbe5d43f8180c8151336500d98bc60fe48afbe7bbee492c2a1489af7f003dc24c324185012b5935fe578416d25f8c5ca94901956bea23bdbc3084d797db

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIoU.exe

Filesize
614KB

MD5
7d2e83f684ff1fa8c70cedc1892e9b0e

SHA1
40e4a9df71de96cc37f67380bb4a3d1613c03026

SHA256
43b9a3bf6371a7cc622778e5865203421bce0d9092b6c4607b6ee1a519af6b73

SHA512
2f6e9e830354323cf0a59c6527491ecbd73468465537e6c158daa0bf908b14c6cd7a993d64801ade0c90a49160cb840270250f4cd05f9d495d0cd34b0319e9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQEI.exe

Filesize
480KB

MD5
74b7a996658b73c6730ee378ba4f07ae

SHA1
4f40146074711a55e8ba5a21ba877c84719c0b50

SHA256
d56b71042c3e315da389e5ddf1df07367033386e244975a6a074011c0e8bf90f

SHA512
310de33cc98b4e64d5c38b666732ba99d82a259f70939ff07e4629ff7fde54364b1fc40aef138c87535ed7e1a050e777d4fa0921263cb4005408e1d7e46b7d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUwa.exe

Filesize
483KB

MD5
1dc4fb1934ba1c24010a3379b012fb05

SHA1
61afcb860213ed645822422f439041299b2d8c76

SHA256
205bfa3b238499094420391336b1210210334092bba481b8291d13003d2c6767

SHA512
78e148adae7df0ae86c39cd71270ee91589f25edb9677556ecda4e8916055f16c840a374b0e129f73fd5013de1d51ea7bf67657ae72cc9fd4b962de828daf162

Download Submit
C:\Users\Admin\AppData\Local\Temp\acIg.exe

Filesize
482KB

MD5
1f9698c8b8932c30d8c0af4d74315d04

SHA1
f387a4400c23347b7c6768c264142e16c8350c50

SHA256
372eeff5ef5cc60aa0c40dbf7e49f79195fbcc8076c4329e6bc7f8d002c4e390

SHA512
a0c2e38da823b3a78473c72945941ede4b03662a720f7ded59320f2b3b9c4f4c28422dc8a6de97fc6948bd16ef4a116c21fe910d4f7e167e8465a44f6a6508b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\asYS.exe

Filesize
1.0MB

MD5
08655b592e9c5683aa9224c96f10d3dd

SHA1
84bd6b5cb60c5ab14bf26f81edc83c8916ee456f

SHA256
fa4f3df2f8049ded67912187b08c2d8e22e2bd0a427058c0c32355b2ee29157d

SHA512
f786444e66523f850de6d24bb008df3e0103a74abcea6279f6ad4e1303682ae8dc917d81a2dcdc78344d49aa89ccac1eb4b336b6ca634de8c124db9e231774f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKYoEAgQ.bat

Filesize
4B

MD5
823b2a7e99048bca1ee3b573afacaa85

SHA1
23dd3b58d37eb92ecef068077aa4f39d28bb14d1

SHA256
3637b4258b6bdda639b46b123ed86670058069c83ed9dcc90fc71becd5ccce20

SHA512
bc1fc67573c32cfad8af4ea628ae0db3c8d9537442aaea85b1214891709d6807f5fcd340d953f6d3a8fff6dde3d4d9b0123d8cc13f330e870c9aa165e6e1536d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bOAMEskw.bat

Filesize
4B

MD5
2353270738ddf77144ca1cf38adbe47d

SHA1
ba793e9439147bdabb2e644b967f80e8870de2de

SHA256
e334446dc3a1f9b4e7b71072494d00a018c1aeb59b2d0c4217fdc47a22fce4dd

SHA512
e4979a1b76de36f72367162fff3636e4cd7a2edf4ffdb4c67947b18725d55431e09fbdfe4950d20036fcb129b83e64b27c0e6c021c9ed7bcb28dadcea1bc5e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKYscwEA.bat

Filesize
4B

MD5
08afcb6d53fb94b212878886965ff6bb

SHA1
778fcc47885fd86549611deca55d4d9dbfb3ae4e

SHA256
0d5f638dcdf51cbcc968acde3cc49715fccbbc8f4e75eebf941a72dea6eec7f1

SHA512
b1b54c1e0225dbb686aa3b714545e48a9ae437b33a4e8d7f68feeb619c1309fc07e6c222a3fcf853a94ef952b53e01d8c1e95544b2b34693246540c8a9d9ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwccoEYQ.bat

Filesize
4B

MD5
123d7c73d961ef9bbba0e3f250dafb29

SHA1
e26bb44043ae76d36cde761d15d2d38cf4424026

SHA256
cc245b81f2bf24ea79a578511075c4f7965c62a4e0179bdbebb6f4b14dcc8c9b

SHA512
30e3cefd85149cb2e253c4e91bb9646b6ae644b9252665cd33714be6a6d467775e61f1fd43147a339285929041b9b6390a565d0b75bdf66ccced685b409fc0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\dKsQYscA.bat

Filesize
4B

MD5
3293f49e761c147e2bd46d37b3f1bcb7

SHA1
259166d530193928c5a16c44a7c6835a0e926804

SHA256
874a4eb3ec12c348821a9f19bf6a415165403e35cbab236499cd940b0790dc26

SHA512
3c79839320037d90fe7e0927d946c3f66b8779031d3fca7c70089f226f26b3bd171bcf7fb485ce030f204755a400cd91ae70e77b626edda603e6145c92e90c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMUUIwcg.bat

Filesize
4B

MD5
0bd434e8fab9715d92b3107b5bab110a

SHA1
c7575ba7dc2b2034306ecb3f6781bd8e28c00026

SHA256
6e561d95c1af20307e1fbd72d1a52789b39ab904a34b410958ee8470709769ea

SHA512
9224f936f8c0bfb0297d8b4f8a26ec9d83bc0ad77ed7249c941914b50ad42324e0bbee1f2eed64244f31771906ba26aae09bafac029cfc344db001146d776a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\dOIkEsIM.bat

Filesize
4B

MD5
906c05d284ebab1edd165127da57d7f5

SHA1
a308cf21e0ae792a908519a037cac326be7430c6

SHA256
d9239c675bbf7e4443bdb097ef5b729d6afde1fe8f4ed36da8995456a6cf18d1

SHA512
004ac5a8e77d449d2dad1fdf1071449b5665ebda5bdc24a7cbe5b7b92c9e230c51aaee872f914702980d009ac3afe167176a274c7a3a055bdd9139617ed066d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkAC.exe

Filesize
483KB

MD5
819800433c48103b54152885488d4386

SHA1
80a469dbf628fe3bce7661772bec9e4b379c646d

SHA256
f9f3f97f377417a5006bf3f0d0551110ff7ef29b12acee84c58bfaa91662f56c

SHA512
ea66074f37f5e5be273370c194db15e058828dfb3f9ad76b251beb8507cc3a624fd8ca8b85bd6347ec2cf4b9176f0c81eaa0cf47c9ca4f28b79ffea0fd4d2873

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQMm.exe

Filesize
562KB

MD5
0d8da381763441221c547cc3c9d717d1

SHA1
0b2ad10f24b936ce78b7da14e180c5bc3cfb1aba

SHA256
ef9a57b0eea8d784dbd77ae38c26765b9b965d0861fbc2f1a61ce14dc7f5508a

SHA512
d94505e18ca45d769ed694437442f470adc12042fbbce04ee684fa3399a546ea8d1ff1a997139a23fbdd2d15fd8bdcd44a6106faddac953f239373217ed1880f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eckgwAQE.bat

Filesize
4B

MD5
68ff64c26689bcffba9af529fa556c12

SHA1
41823bd126cbd3fc95189319ddcbfcf07962933c

SHA256
c0a8a0ed3e7f75a0eb4816c41bff29330c6a2dd5c41cfe15fb223c4768c4d270

SHA512
1be818e2385b85d47cb3a799c6bd6cb6360bf865c46792fa354cecda2a9d80915932db98923f73c61e813222c7dc72f16293cb19f3ba21300c997193075f43d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\euAkoUow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\f742a33fcbf2320f16d1bc9ed77c4142_JaffaCakes118

Filesize
2KB

MD5
da5fb10f4215e9a1f4b162257972f9f3

SHA1
8db7fb453b79b8f2b4e67ac30a4ba5b5bddebd3b

SHA256
62866e95501c436b329a15432355743c6efd64a37cfb65bcece465ab63ecf240

SHA512
990cf306f04a536e4f92257a07da2d120877c00573bd0f7b17466d74e797d827f6c127e2beaadb734a529254595918c3a5f54fdbd859bc325a162c8cd8f6f5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuYIYsQk.bat

Filesize
4B

MD5
558e3ccdbddcc2251d27b200f92c0f8d

SHA1
2cc8bcd080425ba9555e3de082a2ae70857bbd37

SHA256
33fe676930d2aeebe1b3cfa6b3ef4dae517afe1d8ba13c6d2ec97afc4cbb7d8b

SHA512
f77fb7dac8b0213929782c345c8ef133c0f7aa0699cfec053f20abaa8069ba3598d3bb458777fa055fbcfe6127417425cb8eb347260b323139add019d5d42b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIkc.exe

Filesize
886KB

MD5
d87e4a3a890ca556d634d80e3af5adcf

SHA1
83d673326100d542b7dac2376515deeeb0bebacd

SHA256
972038902d9e360e7d3bdff08d067d55f8061e8b9df85378470a73c162791220

SHA512
576e835e06cbd0ded4ef9b055240d88d3a10726c6273f7243cfea710ae82fa6e57dfa6225e12224f4445d2525857137b6a35dafb2b152453a23df8e038fbcba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\goUQ.exe

Filesize
479KB

MD5
4dc242cedf7275abd6f455e965bb0eec

SHA1
597230e47a9bb0ffdf11f058b10fb575a8b43d5b

SHA256
e726714611fc90af947c6f48e3e28c163f5a033b90d6389f33652ee08bd1f6e6

SHA512
cf5ae42f6abc6979b41ff61c6efc2c4f3838ffe69ec1110620979ae4519c104ba9509fc824b86237fc70fa0125491ff2be02f5ede2128a00d42017d731636cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gswu.exe

Filesize
561KB

MD5
1ee2ec6aa69fe9130ec5f58013f5b0a8

SHA1
4f7341383bc1b32a293afb9905c87af404190251

SHA256
a69baa33252df4d60c3983d31bda6ab48362bfab6db52b40eac0c5738aac947c

SHA512
d5abb2acb728328a7b72f5f35de811af0878a164c04c8789af5094a587863ca3f4c490461002855b34ad608739c2193a0a0363cdeb3cdad2877df8b24b5e43dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAUs.exe

Filesize
1.2MB

MD5
4da946cbd05e6560fde51d31db22e6be

SHA1
be4fe39688f40bc4c59c269853aa2097ff833d21

SHA256
87188c85d78f0c54443f6c40e1044d6f4e19e59d57679f86a7d5de3e9094fb78

SHA512
e59c1bec4c1808afeb3dd30469956c665a3e4b7cbd585a60c86509a5c0970e2e0d2554b56e055eae67576422e231e39867ed35b374924adf962ffe737a55f7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUoQ.exe

Filesize
502KB

MD5
93ac56c6871755ca032c6ae5e127c673

SHA1
a1b9676637aac9924f1d21d8608c4d204da22d9c

SHA256
6d835dd32f9e42b680c9f925456d3fb4a786ec42fda65cef4885626c96c4f03f

SHA512
a160c2406ffeecf1baf0a2dc28186571945e87714acd7376cb9a9ee4404b074f2aa2445fea43f2c6da5317474778dc890994414738e465846f6967801aa9d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcUu.exe

Filesize
477KB

MD5
96f7ae8868645c1c7cf7e71dc8b4597f

SHA1
ecf6e8fb46e7269865a3a63503c5630ba24f6990

SHA256
8c367270b34aea65fb74de82cd266406296c22a9e1620db3e9d3d86f3e90cee5

SHA512
b79aeb45a870de72d7899ee25c1b884a0e42921f51714b8512d871f6b1ca2334e335f66246bcd6a614ddd825fc41d57c78ab880e1e2c5d5c1e0d6e2e6aab39fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hswS.exe

Filesize
479KB

MD5
ffe71a12e2ca66d8771a8de677f24da0

SHA1
89b8f635cad47b0dcf87e36deb411fd0c505977b

SHA256
24dd11582dc0dcb04d0832865f80dd6811b9a926c01442b901ad42b4470d806f

SHA512
88aaaaf586b358ef7199dba7f1673e9e103b103e382f5ed5989ab502168e64ff774f11f6c992d9a690e4e70bd85b6f627cde98b6adf88c802870e812c89f9575

Download Submit
C:\Users\Admin\AppData\Local\Temp\iCUYAIYU.bat

Filesize
4B

MD5
c15f15259da444de80e02deaecffca5c

SHA1
6f38bdc1c2d69a03742f4c20116e45beb0a6bc52

SHA256
c47f3f1bfc210409728cdca6875d89c6a17deff1f8127bbb03c8ef48ebe6481f

SHA512
b18e1a1bb8ae74c7f994b6a3d335b97d0e2447311315d91f4ad5d62e5b2bb3c780de2aaf84299ac42d26ca1f37334fad87ce6812341296ea6a6177d02004362f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQMwMQwY.bat

Filesize
4B

MD5
fb75913bd1b2b2dd40eb2502e6f8f043

SHA1
20b375c5d257e1d2abffc8ad2141fc3184019356

SHA256
4fc295f9d162326250717a1bda91fa99fb014f647e47ff92c8ccf9a4c282f33c

SHA512
458e2eddd00ec47ec93d1f5021e8f4d10f5f1bb67b30f454d0c50068998474f7767221168df4002034bf41b1f0a0b35149af885eb1d8251996f6f9577f587c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieIkAIIQ.bat

Filesize
4B

MD5
445727f7d77d1b082c6be3616bd4f64f

SHA1
00cbce42aae15d828a172932fa6dd203a378da08

SHA256
9dd238f7c6163e96cb3f333e4c41fcfd93bd6757a4ba4de92c33c96996129bef

SHA512
8adca52a321b2f65e20ee410cf452544f3189868ef18c00e479852ccd34b9baadd2fb36ac679493fd1f3b9a28f788130cefd3423f8f4bd15f523b0b5b1b0cb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\igAQEogE.bat

Filesize
4B

MD5
9c6526181e2e31eff683d5cb81a3872b

SHA1
dcd980903cca0ba7f8cda819fea596bd99719668

SHA256
3415e4f7e35dce0b834b17706a84397c1d9bbea89f4e76a37896bdbdbceddd2e

SHA512
b57aa1d13cd0705c7c70c2e5e8565be99a223b2cad27fc766bc04f6e842193e834d9b97af6e4ac3ee8288842a381306315cb72aeeadb29c57028eea3f738b529

Download Submit
C:\Users\Admin\AppData\Local\Temp\iikAYccg.bat

Filesize
4B

MD5
aa856d603317c25573f733b13a5a8862

SHA1
38921f707f88085b5b39a12aeca760f285816fa2

SHA256
ce293bbaea62e1f56e2c7fcdc05aa8d22307ae9584d7b3200500a947ede18d5f

SHA512
4aeb35e0612a16f295ee11b6f0be5e8490e289019809cc205036a11121070ea99c8157dbbf843e066e439ff349bce94408298d1e12a35049cbf7b2102eea5763

Download Submit
C:\Users\Admin\AppData\Local\Temp\imEkUksA.bat

Filesize
4B

MD5
2dad13d587f2d5737c261168720ddb87

SHA1
b449bfc5c4a38aa2970bcb27e22ab2160ba54950

SHA256
cc1cfb5ed6f07cf1a8a1b0fc91faa2737067ebddff95b1a8f157037d4218b76e

SHA512
710ddbe4b857063ebacf9e29e4018d1dba3bcee1155d25dccc04436e6daa99d15b7638832723af4274f555d6f02c62f228f31e335477cf47da2e9d726f3815bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAIIYcws.bat

Filesize
4B

MD5
5d1bc28ecd8b4467b0ee9dd1b8e24bad

SHA1
0481fcaf10a94ae52cbb7fc7995c75123c3852cd

SHA256
0810e3a26fe7aaa7c6b2cc546790475b696b57b715ba1e6ecbca5530a001b2f3

SHA512
bfa4a383301bc75be9b814abf8b2060ef391f1586d419a08de427bb52bee23fb095a2784bb44724ebe0e9d01eb9abddcafa9caaa2be77ab38d3bb992edb752f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGAoUoQo.bat

Filesize
4B

MD5
78405275e5636afa2a2d48704ac89e0c

SHA1
1ed7c906e626a9a48005648eeea58f8966f0756a

SHA256
e6c7fa2c6c18c539ae78f397b51c1c7b88982d11453e55780f9cad6e5bcd4414

SHA512
b8a99cc22b6b9460a454fe91c4b45b2386f4465e294dfece6d5f47f5960baa376cbffd1e93bbf4fba1d6ee978643d7642bfbcbaa79df8777b3c5a6d10109130b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIIK.exe

Filesize
518KB

MD5
0f814ded91149ff9d0af5e47ddc0fd18

SHA1
b468eeac3a06e7c8302c16b7b410d3233e4ea6ff

SHA256
2cdc1db64cd8e8fe62b22db2268fef6a8cf1cf12a67836e0061c0880e56526bc

SHA512
d426e46642a1b41cdfb9e368458de4a370ca4f3a0b52f5a4aba0c7e9c6107a82999fd9fba50741419f4d47dfe3d31887437b01d10ebf99ab9cc67fecb2035525

Download Submit
C:\Users\Admin\AppData\Local\Temp\jSEAMIUU.bat

Filesize
4B

MD5
0941d6ba68b4412593b0e1dec6939808

SHA1
5fec028c72951a6890fc730343bdf0fe8ec1e84c

SHA256
22c2f3d8d4c09c537af623c59a4ae2f437b6ab85bb685ccf9e6b54545d072276

SHA512
acc77e1c81c4ead260eccfce8627a1e5ab6c4fdc7973600c856f8e68df3a6384be1a446e941afb66abc8e23d8f6bd7590a4f6e84cbb1cc2343aa1d3a99369a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcYy.exe

Filesize
483KB

MD5
dda510225541e5d629b26ffa9e2cc85a

SHA1
e97ef2faf2917105e434420c408b78b13d3e72c9

SHA256
7eb34fcf4edd673abf688e0c6df35d5f5ff2775e4790fe390200fdb992754179

SHA512
0e2038e6299addcb1431dcc416f2d662891633c3ff9d6b2633688406ad36dd340463917f112401d03bccf48a4180003f6889cfd6021c246aa1e1134b128035c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAsM.exe

Filesize
478KB

MD5
68e53dc7da2484ec117b815c82230247

SHA1
3f43ad15edb5ddcba856c0212d5e7bcce842a850

SHA256
5cc579571fa8e3ff4a3b80025f814e2e230d40857d9d598d5acac3e487cbde3e

SHA512
6668db8c4ecbb28e9ed7ad31055db8e4365ecaa105cdcc9fff0e077f833c53acc8c786dabf5e6b2334928c02c7f5a3a3e17d592b88af1b6cc1e83a02e88bcc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkwEYsUw.bat

Filesize
4B

MD5
3d72fa5daa9a284aafb452d3f0d90790

SHA1
3bb832820632713e47607050125d161900dde40f

SHA256
3e1e1368748bb48eb2fc327c8cfded8f024ad437d04b5763a6d4c5732e15f4df

SHA512
6f8d5201842b6594195ca563215b61b329987e7bb85aacd58c6d28186e112f02634460be8d4079c396f1406871298297a482eefbd1a3104195ead7d1a3d9e2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmEYcQww.bat

Filesize
4B

MD5
e78a83b41a512cc2b8d29f5fe5b821ee

SHA1
24c27b6fee5ecb935a34fd5bf1da245cf0bd09a5

SHA256
a319975bce1341cd65c5e3a3f9d16425ee5d5acdc44ffef4363e9b7d89fbefbd

SHA512
24603edec5fdde5b32da086e03cffc049d2469890751d39d5e69c4a6ff771c8a3841db475a2a690913c145c1817fa97f138bc0180af3153d4921b797ea36ee98

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmYkUsko.bat

Filesize
4B

MD5
820258edc1f6ae603ef8daa72ef70f0d

SHA1
e7962b198546d137b985a58a27127a507a2e9e75

SHA256
b03aa1e110f58e30fbe5e05247dc6f1bfd7a6bbe431079fa83b0b39a48ae5c5f

SHA512
8c58c58f4b07c4aeb5693da0106125c38c8ca9ab00e265652f6bf07571e88a5a28c364b9c147b2934cbe80165c7b2e6420c645bb7d45b87596275bc2f62bf805

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwoAAsQw.bat

Filesize
4B

MD5
6adb7daf3c13cb35e0451a25c0a824cc

SHA1
d42a09b61ecf4b040dcd4d0fafb30e691317666e

SHA256
3515c7f52648550a140f6d07c6683f4339c8dbe1827671c409f95243174011db

SHA512
3584c11f45a8c76b593441894e78b62c5148f132a0310335e2f82146b71997a3c097ac817b0d9ba51ad3bf3cfb44ee07fa705eb53f88641938ac19e46debfc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyUQwckw.bat

Filesize
4B

MD5
f52edb6987813fb546d69ce4f7c526ce

SHA1
6dba9cf09de6250a74aeb925703e6f7286775113

SHA256
d06ae81a46ddaee92edd87972693251e889ec99f9f49440d82ab3a396a7dbd0e

SHA512
be9a35419776e84883f1d3962a3e9d5f9d11958818e1356836af8aa08fc384faa0846179481ffb3ed8414ff605f0212547b2bc0f1993db0365665a32831cf300

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyksgwcc.bat

Filesize
4B

MD5
87ebb007dc4028887f7fddce09271b1d

SHA1
05608f33e9baeede41323bcf61f98d7e4214536d

SHA256
d35ae40627bc0f11a2cc753bf681d4a3c9da5cc0a86d1a74e347d04e62d14fdf

SHA512
e8f08eafd753fd0b459b2d9ff32460a853e20a26a0cb3f134b377b793a00ef59c80c4eb49058389c62efa3da4803b31aff12f314f2199d85ac1469d584f57569

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIYUEYQM.bat

Filesize
4B

MD5
05c8321f09c90acdead9464433d105bf

SHA1
d7d286fe410bc77945678282fd5934d51b20d10d

SHA256
cee3a42d14e8d4087b4e9b53811b74659cf3b3c712447762a62eb0c046aed62f

SHA512
41f407c600bf205ed985b186d78e3bd6c2067612d92635e0d0e8c6767992f16b72307355cc0acece93f017c851e854be2af45423a5348c942deecf892fc531ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\muAYkQEM.bat

Filesize
4B

MD5
5bcc31481b13ee5bbfa9c8acf220a87f

SHA1
4b55823b4f6f72a174ff915411b278091c15266b

SHA256
081c1bef40df1fb0ff8762e7f71fc6474b62b8623c4143ece9c879cbb7563c99

SHA512
2b59694a88bb16d2578a23a493c7ea252b0e047719e874bb1cc46da66bcafe3d3c623e629d01642a6fb31596debec293d8b75f0a964a5853f7379b7b1b497454

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQgMoMwA.bat

Filesize
4B

MD5
05ecb533ff64decaf5193a771efb0f2a

SHA1
8baacbd2ad9729b8adfccc376ec325f28ff7cacd

SHA256
621c14bfd16572159ec95f5a88eeedf276aeeed4feaa728c1a6f7f0be1a37bc9

SHA512
8f02d42b8ba246e3aed9cb54f95a4b4e45a09c5fbbcd923b1891d1d7ed1d52d98f27de631dea87b00199418dee1a528f09b2da6db380b125b1bd94cb2e8a8b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGIAEUoU.bat

Filesize
4B

MD5
5c313ab4f002555bb30a5e005e90bcec

SHA1
98e9cd41d6cb5392be5a34a9f59d7ec45aa8da82

SHA256
4099d98d47edc2115da84954196eda3ff2272075e9b4ec65c70e69a59d8514a0

SHA512
c57622f247f3ecf99b1a80c9fed32f1f961ac2aa78b2963daf712ecfd5ad203c323436d9d548d21af05cc2b51c6ea675df1f1ca6205ce03948dd37f9d8cad3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIMg.exe

Filesize
481KB

MD5
eca90b9746fe67f176a827289be426a2

SHA1
17e4193bb75ff5558b2553ab7b076fec265c2e9e

SHA256
01d7da5bd5460948e32626ba6324e040aae1dc42646ef74201705416c37c5efb

SHA512
f75435fb18ca27fd37ccf0b0d35f91d904d49aaa4679149171cd708284789f78416781ee28042157770e7aee93a682b08d429211b435f1dbd45a80efa7a3c558

Download Submit
C:\Users\Admin\AppData\Local\Temp\oSwEgsUc.bat

Filesize
4B

MD5
328efada74846cf5e5b8b81524686bf4

SHA1
3e0e8e4bddc065ff5b7f9dbfd2b5d1d79b3414bd

SHA256
8a1055f30fed24e2437001da819e073a74137b33c99bd690e810368972981400

SHA512
b86d7a9904472d1458c9f56a0e491710dab9fbf5e5019503b8014958849d63a9166c6c2fca5dc4f5943a05d88cc326647d5caf4d9845c7c086a7772b49a563f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouEkwIAQ.bat

Filesize
4B

MD5
b1fa7beff14c0efafe3e27364d0d4c06

SHA1
0163ed85c7ea8e2ff09712811b6bafbc041f7020

SHA256
c82d72824f49de91b82332efc92050765e671c839fd02ca0415c4c182ee474b9

SHA512
e0b6d4804daa1dfb2af0cd123ac056c276c8b6a5404cb5d9113506f22ffcc1b92303e5118f9aea2b4ae39f9ccbd7f444a5bed9185b154a287a89b02ae41c1c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pogA.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qakMAQUM.bat

Filesize
4B

MD5
83352dc9b9eb9cd176977cdb0ad724fe

SHA1
0f76331a8a67f7323265f154c0d855cd7a221d3a

SHA256
6263ea69da9d9ed65782aa72ad4fb22bf3c8ab1062dbbe401b7eb9f9ab2f5992

SHA512
7425869271bb8a6654fb1bae68b9d97e1546f83ab9f50f000c209378737f10580a07cc22d71efbe78e68d797461188b9d8dba27d656358de396b2439d396c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\qasEUkoU.bat

Filesize
4B

MD5
439a0c6c85a98e9d07c5bb6f0197202d

SHA1
7cfc088858f3f8b5aa3868a496f06df8427e19f3

SHA256
450f258ac9efe434a9e269048ad4eefdbeef213c205e928a91741585b8519b09

SHA512
401c9e0ca8bc55316e9190c80a5034ac0a3fc2ba3362b420f6f8b1b6d13f2d133fd173091efec0abb63cc9ab40d826be1d4f408a54798e4dac43b5318cde009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rKsQoggw.bat

Filesize
4B

MD5
4e744ae8ce2fff61d399d66df6ef2d64

SHA1
ae0255156320fdb59caefd6ca57f0e7d06b586b5

SHA256
9972b6e92e1552ac296d60ba8e19788ca7245a181cf973f02dc5e2cedce2b6e9

SHA512
c3c69af7fb785b44d93bad589f74fa2b093baa6cfadcffa23224451fe54c61981f4e0eed9284429ab10ed568094aabb1d298c4799ace2343bdc7d86165dfedf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruYQcksA.bat

Filesize
4B

MD5
44fe1d9b3796c9f04e5f4ba4769bcce6

SHA1
ad7ada0c1e2bb1af3b756e016588afc7c124f619

SHA256
85e1203afde099471485d0abd3dc732865604124fbdd7a303ea10419a0fcb2e1

SHA512
d6e54373ab921c6eee93390d5e92c71fc9cadea0f390000cfa757f9ed97ad9674188dc09fead82656226832a9dd1b869f16b24bc60c99d10d798687cc3cc61ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwEe.exe

Filesize
445KB

MD5
3c274cae961e435b41e3c33589b4bd80

SHA1
356279d90860f07bf9bd9ec0dfc4ccbc2646b6c9

SHA256
507054305a9e310eef1514eb8a7c435c2c5827ed514886aba51f82a6b6aace12

SHA512
37b5a690efca275e91b71dccc236ffc03d51ddac28376c595bab14ec684f93a952a3b81f31a15cad863ec861f2b59a33e1506b304e2b8ac843f6715c079efee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwcE.exe

Filesize
479KB

MD5
bcdee0ecaac9315b92902ead4f2d9cd9

SHA1
3f0c78c678089cf4526e95fcfc1278b8feac131d

SHA256
78dc8f6331e9c2106497cb0a04950657a798bf08bd0ef0e45384e6e7a34b45a4

SHA512
fcef4606e6f3519b2f482f04714c9bbd1fb714a8710fdb660434bd458a2fa830b2935fa5d69a655800123e80f04d4bcbc8f5dab951bea9091544290bb40e35a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIYc.exe

Filesize
600KB

MD5
8714915021ba75a4c77d951dcad06b7f

SHA1
f5c1286ba0206b7017c772be80f194c6d429c7ce

SHA256
3ab19b0d7a761c2d213f0f684313279a2c287d9f198de9e4cdf4306e2b550c88

SHA512
aa5338fc8e5d995946d02941fbfc1294cc8ef2541e6a58c7da31c589d353d2308e42e3f644559c792b9c0893308e50e50d4aa74d85fd7676aa503e62e4c40b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgsy.exe

Filesize
457KB

MD5
29c4bd6bc8a9ac25bcb7be61617c2d45

SHA1
b6a729d54da0c331f9f0b1a2de4f3b6ff8a609c5

SHA256
f892860c372ab8139c8ccc04f60074e82ca9fe12837fd397d769c05abbe7f668

SHA512
50d125cebe684b3f2aac9303f8fc502284a28fe1572a2e6d721473cbb849d728115c00e869f883676942e030f69af71695982481943c00f4b1d9b3284a6af713

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQEQ.exe

Filesize
1.0MB

MD5
2a4975fbb18d47399b9296a02685369d

SHA1
23626477cd0db9b2beb9c5bfb687668038959d4b

SHA256
33431798c3143fe37399cff8efc9567e65967ffaea289f2cccad7b91b5c116e7

SHA512
51be1ef5d73891be7b4d78cd39729820a23b4ba44cb72905e72ac6009402d239c10fd6bed68028551838defc439eb946cbab9095a9a23166eeaabaef346bd878

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsAC.exe

Filesize
445KB

MD5
0f2dd81da44dc4766834c1bbd24c0881

SHA1
e1b539aa84968a177d75ccbe352542573deadf04

SHA256
640156ac0bbe1ac84f9d07dc1a3461b48818f02cf628db667f4c0553f1d9447f

SHA512
571d68ab536311a48901180a1c34262e4cb6a3698771d2a1bb2c47862e60a8a1a534daf1d1f532ed177aa11495faa98ddc708e4df6c6f6af7cb251082b0fc191

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukIQ.exe

Filesize
528KB

MD5
2e2656a84d87c1a0ac5a2c6938668407

SHA1
ad467b04775d5b30c9fe29c646cefdefd55d0cbb

SHA256
251a711e101cc73052eaa0ecd49836c78e54881ed92a1e7729e2d329a8f5198f

SHA512
df3def76191d1e26a8c4598139587c3badb45eab4042d69dddcf8e0b77cc02f3e6ed20dcc35c48acc9bbf105843154a4f4ac0008406f6a608e1d84a3c4cc5e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\uswAAAQc.bat

Filesize
4B

MD5
01b82841aa9e8b0af1d3257fb01a6e16

SHA1
aee4b1910ba48013e3f13a032205ff3bd2f9a1b3

SHA256
39873a687713ccacc657c05135eaedfbf964e20ec0ca0102b74f203dd0688ddd

SHA512
e29100721e251302532df1684d9323219b0ea8c1e701af8469c6e722dfbbdbae1ac630df2916c38143d7b8a088b842ce189fb57aaadc83fa709cbb0371f981b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAoe.exe

Filesize
482KB

MD5
e7373b4ee68fdb30a45e1911c73b5ebc

SHA1
3abc5ecd3cf1ced87a9c5406751e17472c1b36fb

SHA256
c27bf58e67f2f6349b27fd7edeb26abdaccd3cbe653a86f14977d8a5824b4d91

SHA512
ae97115f0659888d5059a0f95cdccdc8350f60c4c446071abba47d68110b33ee772f144ef096bd604bfd3cd01dcb8505fc11064f54f7cf2027c6dc73036e2482

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmsU.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAIK.exe

Filesize
1.3MB

MD5
3ce90fa6e85fc5485ee37273a9383e4f

SHA1
699220553c6665d8d5cb18c8c2ecd5dd3a3fd2a8

SHA256
b2e44530d631ced86564104f2de9cfd4cbfc9c5bb7198f9e15b55e2fbf8b0f47

SHA512
fc6bc0be97a692fd758f4700b8f46bb2c624e5d129cb30bc2ff896d9408a88a36cec525cb9029de102757bf4f663d029eb55bf210b73ed7e0adbbf0638e728a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMAe.exe

Filesize
481KB

MD5
0b054a7691c64797d6065d1ce95cc6ec

SHA1
01a41aefd1077a3497de2bdaf0e8082afa36ed07

SHA256
5ad2cb5d4d0dfcdb91bc43bcda797d6b55279a3656ba8e851b06fa2dfe11a6dc

SHA512
1bf949ae6b6814845310837b2b877cee689f539b877de5f049f41c4a3c81d3f40fc5117e98b1174d96e845e94a10d2f77d68cbc2dab04a36b8850156f1263264

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMYa.exe

Filesize
482KB

MD5
058a2c59e7ebf1ad718f2abbaadbc1e3

SHA1
759a78f2ad1082636740c97499ce82474693d999

SHA256
7a7ae35c7f3ca964da1e14a50ef886a9c7d48e582b5e4908117a180cec0cf8e6

SHA512
e40cf96ecba4a17668cd713eb97404be8c3c0d530f97a865f7a2a02a5c850016ba8ec5a601458b612b17c68fd03dc77b73a5edeeb13743d7fab007afbe3669bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYMO.exe

Filesize
1.5MB

MD5
a9183baef3bc20edd6fa266997f3065f

SHA1
e77fc9899c470ba991272a172f9823520be8719d

SHA256
f4f59995a743de7b90dd180f409edb2c36b6aebf48b692697b5ba62687e678c8

SHA512
b85e15b1068e74297c4d6f9854d6270e490e3780a7ced60bf8dd7799b9d9ed1a820cf182835470700ed62f2ade672d4bde5a213d0b2489089e86bb05dfd095ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcAw.exe

Filesize
446KB

MD5
0e849bf4d4890b0e7376bd76e371e60b

SHA1
0405f11339c0ff809b0154da150ebdbe6a5ca29d

SHA256
1be7811c3a667c596ebd1a594fda234426d7c4a1de42d37930eba883a7efbf85

SHA512
af24c2bfdd20ed58075ab5ff76b397563f520067ed11d4cb2194f55d15122af4227e49481bfeba841800defc4ce9c5b3d25a8d7a38a17f940d5c307a7424491d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOgkAEYA.bat

Filesize
4B

MD5
6f060471b8e1df7ec7480f33792cda2a

SHA1
4fa162269f5801db8e3558558951756914eb1a78

SHA256
d49acb21919fb05262cd17f2b33622a42decdb3611499742a418aae40fdf410a

SHA512
53eb5e07c2f987688a081f8a6c89c389c21056dbfdad49ebc773b5c07ab5616a36ac6f780e87433db6b5115653a11961573bad9509a8857498559433183d5db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xksQ.exe

Filesize
457KB

MD5
3dc418e2a48da05d395af264ff31488e

SHA1
ec6c562b717aa7b0e1f8418fcad29d4045ffc979

SHA256
a067d6e9fb8e096198a0a75c9d3c0555787ba525029619fc36f972456fda3308

SHA512
43912394e8d2efa7b1babfe9db3ae3785761e0c554c1d866e737030c77ea36d2ae665dc84b27aa21aa3bc37ae05996c2a76692a66bc200387e6d39f2f29a7035

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkwEsMog.bat

Filesize
4B

MD5
9e0688dc537da40b102b0ab773c75bae

SHA1
f40b179672e370bd38615838f93c24cc2d03a07c

SHA256
3dd77092ccc02f8b531545112a7e56952dc7842f53b2830d4d6455c77d02ec8d

SHA512
7005e1ea27e3677a255e5e36eac2a2c966b77e062fe52f5e2de0bb616b5b1f211862e197607e9d89d96c3e19d241601be259a505ceaeaf38f780c474001986bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsUQ.exe

Filesize
480KB

MD5
bcd23674b9db15fbd0a077620d182674

SHA1
09623db7f9bfe52f2f8c8a32c04136e125478afb

SHA256
970d95c7da28c98ddd494bcdc3c9e45973b5cd93abc370b1a24cd92c59fc8b67

SHA512
6ccafc576cacda1b3e5efdabd406ff7ac725c124479365e9acd4dd78dc2261fbd77c925b7347e4a42712a7a0f14415918cb9c01645615ab9e86f3a5d17370dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMou.exe

Filesize
481KB

MD5
010109f43ea7a19b6d6a628d6db894a2

SHA1
ae3b645617440fcd854f30431e23ed7f20008a57

SHA256
027fdbf0e37b1ce9ff94d988a6246a1f5a40eb06ae14b1b35a42994c6d46bbe0

SHA512
a254e8c7d60c8b953824d592519058c332536e4a7b613d00f9280cdfcd087e3b607bcb5f4059202582ce52b773d9ce1651d78a76da11945ffa9bcf939ffb6760

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQowQMYI.bat

Filesize
4B

MD5
6499ae874cd700e9f776dce0325b63f4

SHA1
d8856670e402701cc001bbc0bb2d82e34790373e

SHA256
2ebb2c82f9f338e7841694fa1af81a8f234218b983e67f79e098c7049c9373a7

SHA512
ba8d0807e5623d7775c5f8c9d16cd7b5eb2a066474daf11071e6a42df858b4e089973d840cad8bbd65974052223b3ca7d77a51238bde488a3b9cad632eda7517

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykgK.exe

Filesize
776KB

MD5
e840d6eced22763dfcbb212bb7417003

SHA1
e39651d8fb52ef1b05be1fc324fccf5170416ee6

SHA256
9b86723df8c1a35482f5b999cf15e9aa42afdc38f728ad94dca5d25a8f4a02cd

SHA512
1f8aa7d93f9f545a375ca80eef065b610a6977bad2ae6ddc350621f51f8a6cc6e1535918ae5bb9b8827bfc3dbb660eda15039b7d024b4d5923a58a5dcabc176a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoUU.exe

Filesize
1.2MB

MD5
4156f06cecba92ebb5e328eaa2756999

SHA1
899039d2e97aee29d436eb04fe2660a033f46cbf

SHA256
38b02efc655465d378af577b4b9963f0613feac927679bc5b212a2d819d46f14

SHA512
59df10e2a50d8122370862ef646e3fda359d91a7a2199f3281d0534154f211cc81d12be614c06dd840ad4a2e7d3ac0412b7090f08d88cbce1f1c6db33e56e755

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwMg.exe

Filesize
1.4MB

MD5
bbefc7988a03bff53d9e3332294c6a6c

SHA1
c054725369ab79fb6388c10bb3b71797e029aa6b

SHA256
db9b28b51091ae2c31372d7136ef2ac17bbf401132c91fd4d53ffe4aae70b16f

SHA512
22fbcfa176f4fdfcd454bf672b4f69b003c225d7517fab317b1581e5f17436eacbfb39f22f8dd92e4374a320e57cc20bfcd3dbeebf408245815c6e1be13e9db0

Download Submit
C:\Users\Admin\Downloads\ResumeConvert.ppt.exe

Filesize
1.2MB

MD5
b8d13762953fa2fd5ac9579b411e35b8

SHA1
f68a9745856558e5e8d0f2d89fa06dbcf146a1bd

SHA256
04d041db70df3e758bb45c1fc3a64eb2ed9b28ab0409d54fd9be5741eb5fffcf

SHA512
e6b4f5fff1920cc866ddb37fb49b7caed7534a587656003ae60960a68c04f2b231436809a8768c915bc639442e002da74fc7c0613424f33f2e2162ec84a75a6e

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\ProgramData\xCoMoYME\vooUsgMc.exe

Filesize
436KB

MD5
3cba3e4f39f6b3e164373f2d648da59c

SHA1
42d48aede8cd29431febf0bc92b94df4eb015ef5

SHA256
3d2bc038ada42bc73869ed75b03164de0cc9509385635e3f3b0bcb4e467dec74

SHA512
8b5a74c4a0a5c243ae82386ae1924b869db85300511da1095bbf5bbf83d78f7b6ec77f360466b90097d1f86efd2988d94c9723db11b8f4c83020ba6cfe56c3f3

Download Submit
\Users\Admin\SywEIEkM\mogkAwkM.exe

Filesize
432KB

MD5
c10563b297883dc1dfae0b0ae2730d2a

SHA1
adb16463a60b35ee914205bcd3fdc961bc26245d

SHA256
c18e2f1e42aa893b0e0a7849ed94d4fc04871ec72c52ae202200b693a1212f15

SHA512
4eed9864c9e8875ac9b9da29872ca6e942c033e089e11a5a6a7340b07d527fffb23f2941bdf5dcc5d675f9480198d5c1949475ebb58e1b42255cb865e88f2ab0

Download Submit
memory/760-344-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/760-320-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/760-194-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/852-514-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/852-321-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/892-482-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/936-115-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/936-77-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/940-493-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/980-515-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1056-264-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1056-470-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1132-192-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1132-20-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1200-455-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1248-504-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1596-140-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1596-191-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2024-92-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2024-66-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2100-533-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2100-333-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2180-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2180-138-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2248-502-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2248-308-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2248-531-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2272-332-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2272-208-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2272-443-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2276-362-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2276-435-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2276-220-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2300-106-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2300-165-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2412-34-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2412-53-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2444-492-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2444-295-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2480-534-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2568-471-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2580-481-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2580-275-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2620-283-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2620-174-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2628-207-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2628-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2652-428-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2652-253-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2660-363-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2680-10-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2680-172-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2724-396-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2748-51-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2748-94-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2820-384-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2888-127-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2888-164-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2904-383-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2904-445-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2904-231-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2980-242-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2980-427-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2980-395-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download