cca45d77fa86177709457c2638ece6d17c5572cc41a2354b3d05443a7de59952

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
Size

1.7MB
MD5

02539c580448cf8078ca317f500e2fee
SHA1

70ddd915a550ca3651effb446af1adb4b9f5d8fb
SHA256

cca45d77fa86177709457c2638ece6d17c5572cc41a2354b3d05443a7de59952
SHA512

6a8f80f1b224a2020691bea56f850fcdb071f16d5cc7d0df863c703e142ca1b09b59d529a6a8f62489ab346c8352798df879aacd074d907e37d662011b74124d
SSDEEP

24576:JJ23eWAvbYRExX8dx4ephQYN/FCqDOvHVKUO1Fra:JJZXQx5pio/FCqr14

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 34 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 34 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NeQggcww.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	NeQggcww.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1704 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

NeQggcww.exeksgAEAgU.exeAuIgAAIo.exe

pid process

1724 NeQggcww.exe
2744 ksgAEAgU.exe
2596 AuIgAAIo.exe

pid	process
1704	cmd.exe

Loads dropped DLL 22 IoCs

Processes:

02539c580448cf8078ca317f500e2fee_JaffaCakes118.exeNeQggcww.exe

pid	process
2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AuIgAAIo.exeNeQggcww.exeksgAEAgU.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ksgAEAgU.exe = "C:\\ProgramData\\VysUYMUM\\ksgAEAgU.exe"	AuIgAAIo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\NeQggcww.exe = "C:\\Users\\Admin\\aIkMckEM\\NeQggcww.exe"	NeQggcww.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ksgAEAgU.exe = "C:\\ProgramData\\VysUYMUM\\ksgAEAgU.exe"	ksgAEAgU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\NeQggcww.exe = "C:\\Users\\Admin\\aIkMckEM\\NeQggcww.exe"	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ksgAEAgU.exe = "C:\\ProgramData\\VysUYMUM\\ksgAEAgU.exe"	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

AuIgAAIo.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\aIkMckEM	AuIgAAIo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\aIkMckEM\NeQggcww	AuIgAAIo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
632	reg.exe
2236	reg.exe
2128	reg.exe
2652	reg.exe
2516	reg.exe
2100	reg.exe
632	reg.exe
1060	reg.exe
1196	reg.exe
2872	reg.exe
1576	reg.exe
1584	reg.exe
2500	reg.exe
2300	reg.exe
564	reg.exe
1976	reg.exe
880	reg.exe
916	reg.exe
2136	reg.exe
1988	reg.exe
564	reg.exe
1648	reg.exe
1520	reg.exe
1672	reg.exe
1976	reg.exe
2800	reg.exe
2156	reg.exe
1804	reg.exe
3036	reg.exe
3060	reg.exe
2456	reg.exe
2632	reg.exe
2732	reg.exe
1048	reg.exe
960	reg.exe
2956	reg.exe
348	reg.exe
2800	reg.exe
2572	reg.exe
2800	reg.exe
2488	reg.exe
2572	reg.exe
1588	reg.exe
960	reg.exe
2512	reg.exe
616	reg.exe
1164	reg.exe
1684	reg.exe
2288	reg.exe
616	reg.exe
2228	reg.exe
2500	reg.exe
2392	reg.exe
1520	reg.exe
1584	reg.exe
3040	reg.exe
2256	reg.exe
2352	reg.exe
2800	reg.exe
1664	reg.exe
2924	reg.exe
2416	reg.exe
2416	reg.exe
2512	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe

pid	process
2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2808	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2808	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
3016	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
3016	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1608	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1608	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2944	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2944	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1568	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1568	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2860	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2860	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2428	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2428	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
904	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
904	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
936	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
936	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1660	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1660	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2156	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2156	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2636	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2636	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2936	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2936	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2936	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2936	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2760	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2760	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2760	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2760	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1940	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1940	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1940	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1940	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2500	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2500	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2500	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2500	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2500	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2500	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
324	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
324	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
324	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
324	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
324	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
324	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
3068	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
3068	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
3068	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
3068	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
3068	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
3068	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1684	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1684	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1684	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1684	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1684	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1684	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NeQggcww.exe

pid process

1724 NeQggcww.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

NeQggcww.exe

pid	process
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe
1724	NeQggcww.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

02539c580448cf8078ca317f500e2fee_JaffaCakes118.execmd.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2752 wrote to memory of 1724	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	NeQggcww.exe
PID 2752 wrote to memory of 1724	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	NeQggcww.exe
PID 2752 wrote to memory of 1724	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	NeQggcww.exe
PID 2752 wrote to memory of 1724	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	NeQggcww.exe
PID 2752 wrote to memory of 2744	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	ksgAEAgU.exe
PID 2752 wrote to memory of 2744	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	ksgAEAgU.exe
PID 2752 wrote to memory of 2744	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	ksgAEAgU.exe
PID 2752 wrote to memory of 2744	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	ksgAEAgU.exe
PID 2752 wrote to memory of 2572	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2752 wrote to memory of 2572	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2752 wrote to memory of 2572	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2752 wrote to memory of 2572	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2572 wrote to memory of 2288	2572	cmd.exe	reg.exe
PID 2572 wrote to memory of 2288	2572	cmd.exe	reg.exe
PID 2572 wrote to memory of 2288	2572	cmd.exe	reg.exe
PID 2572 wrote to memory of 2288	2572	cmd.exe	reg.exe
PID 2752 wrote to memory of 2720	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	conhost.exe
PID 2752 wrote to memory of 2720	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	conhost.exe
PID 2752 wrote to memory of 2720	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	conhost.exe
PID 2752 wrote to memory of 2720	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	conhost.exe
PID 2752 wrote to memory of 2500	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2752 wrote to memory of 2500	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2752 wrote to memory of 2500	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2752 wrote to memory of 2500	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2752 wrote to memory of 2516	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2752 wrote to memory of 2516	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2752 wrote to memory of 2516	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2752 wrote to memory of 2516	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2752 wrote to memory of 3008	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2752 wrote to memory of 3008	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2752 wrote to memory of 3008	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2752 wrote to memory of 3008	2752	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2288 wrote to memory of 2460	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2288 wrote to memory of 2460	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2288 wrote to memory of 2460	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2288 wrote to memory of 2460	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2460 wrote to memory of 2808	2460	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 2460 wrote to memory of 2808	2460	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 2460 wrote to memory of 2808	2460	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 2460 wrote to memory of 2808	2460	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 2288 wrote to memory of 2952	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 2952	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 2952	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 2952	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 2976	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 2976	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 2976	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 2976	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 2512	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 2512	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 2512	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 2512	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2288 wrote to memory of 1864	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2288 wrote to memory of 1864	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2288 wrote to memory of 1864	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2288 wrote to memory of 1864	2288	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 3008 wrote to memory of 2868	3008	cmd.exe	cscript.exe
PID 3008 wrote to memory of 2868	3008	cmd.exe	cscript.exe
PID 3008 wrote to memory of 2868	3008	cmd.exe	cscript.exe
PID 3008 wrote to memory of 2868	3008	cmd.exe	cscript.exe
PID 1864 wrote to memory of 1664	1864	cmd.exe	cscript.exe
PID 1864 wrote to memory of 1664	1864	cmd.exe	cscript.exe
PID 1864 wrote to memory of 1664	1864	cmd.exe	cscript.exe
PID 1864 wrote to memory of 1664	1864	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\aIkMckEM\NeQggcww.exe
"C:\Users\Admin\aIkMckEM\NeQggcww.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1724

C:\ProgramData\VysUYMUM\ksgAEAgU.exe
"C:\ProgramData\VysUYMUM\ksgAEAgU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
2⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
4⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
6⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
8⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
10⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
12⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
14⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
16⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
18⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
20⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
22⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
24⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
26⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
28⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
30⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
32⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
34⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
36⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:324

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
38⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
40⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
42⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
43⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
44⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
45⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
46⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
47⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
48⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
49⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
50⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
51⤵
PID:596

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
52⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
53⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
54⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
55⤵
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
56⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
57⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
58⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
59⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
60⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
61⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
62⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
63⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
64⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
65⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
66⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
67⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
68⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vaIUAEoo.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
68⤵
PID:2460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:2576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMwoUMUs.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
66⤵
- Deletes itself
PID:1704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
- Modifies registry key
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EyMokUoU.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
64⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dcEIUQkg.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
62⤵
PID:1868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BKAMUwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
60⤵
PID:2468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
- Modifies registry key
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUIggwgo.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
58⤵
PID:2140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
- Modifies registry key
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fkcwEYEI.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
56⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMwoIkwM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
54⤵
PID:936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
- Modifies registry key
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ROsccAAI.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
52⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
- Modifies registry key
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYkIYIUE.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
50⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMkEsEgM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
48⤵
PID:348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
- Modifies registry key
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zqMkMAMM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
46⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
- Modifies registry key
PID:2136

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TuIgQEIc.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
44⤵
PID:1196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
- Modifies registry key
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEoAEEUo.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
42⤵
PID:2544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
- Modifies registry key
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HWAUUQkM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
40⤵
PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYcMogcY.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
38⤵
PID:2508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eoUssEMU.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
36⤵
PID:2964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
- Modifies registry key
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zWEEUkoU.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
34⤵
PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOAAAUww.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
32⤵
PID:1636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- Modifies registry key
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DukkcIIw.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
30⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
- Modifies registry key
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWscIUwc.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
28⤵
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
- Modifies registry key
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gQkgsUYI.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
26⤵
PID:580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
- Modifies registry key
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ggYEggQI.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
24⤵
PID:2548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TaokoYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
22⤵
PID:1872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
- Modifies registry key
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mqsIgUEg.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
20⤵
PID:3056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
- Modifies registry key
PID:960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AaUUgAQE.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
18⤵
PID:1804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
- Modifies registry key
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSQEogQM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
16⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xIosMswM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
14⤵
PID:1596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGkkgIAU.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
12⤵
PID:2908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIMYMQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
10⤵
PID:1292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pioAcAcE.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
8⤵
PID:1272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
- Modifies registry key
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkQccQUI.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
6⤵
PID:2096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
- Modifies registry key
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqwYcYUc.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCMcAEgM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2868

C:\ProgramData\EaEYQQAE\AuIgAAIo.exe
C:\ProgramData\EaEYQQAE\AuIgAAIo.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "553925315716716710678128101437837681-19617855602854217021379139692-420135958"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1505667428168619970212206958661439415672-1671646031-1909683428-1141953882-1205317073"
1⤵
PID:2300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1433811340-145557450710566515731222791348804799837-996355491-28307254-97680180"
1⤵
PID:2404

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "109908765377174817-402960641-117090384918229649161715300089179435134-1049041362"
1⤵
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4297569520834245981810619854-50531997-588765494455129842694886538-1240108785"
1⤵
PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-885950397-1108167084101796184-1012488256-1715436741564792432-9915461761957266275"
1⤵
PID:488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3652405171281728476-2083572501-8024455621428912809-7748912-248501247-1502180845"
1⤵
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-736301461-1102359248-717569334-1562599237-452734023211782765314912026551792282930"
1⤵
PID:2136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "405072126-15247092532094755241179677415-20077825621743408763-13753941348967350"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18630062021352757392-275182672-1381518560-9225514231851195991801929427-922123719"
1⤵
PID:1388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "614323265-789487835-3524949601423303932-2001732283-13610573021362576516-1582167419"
1⤵
PID:2440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "99047151-1661055023-1835230390-1989781457-1411287670-1835889095-1794397761-646698596"
1⤵
PID:2392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1238692591-1381610252866582621791616672-204157689512598487321299243591367898539"
1⤵
PID:2944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "760002708107127084-1908978256-74311434-1805035849-16883332199548887772133253369"
1⤵
PID:568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13962877011819038459190212790921253129781877498933-88703287388460326065195329"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4520600271618475917-633648395-1771304998-1292409702-421303145596636854-1103083480"
1⤵
PID:760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7618946951487260405814418309-12376049501539625941-161720349315570226722041753828"
1⤵
PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1620954715-1807774894253987127-168015601186280853-786934732612091182-1752064093"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15143088905045800812003064032-183027772017422488418510221821220159851-371555834"
1⤵
PID:880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "399836371-8338734305203019249332888-1779326359-1910704688213164162889923524"
1⤵
PID:2284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20633721191423749366-1489730911-505584770-18060540721289213712-2120200693382004395"
1⤵
PID:2228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-433883633-575926011291561825-11098905871796542753-323645294-991987300-987454075"
1⤵
PID:904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1560260819-1548210216-1431045636-12197374851801496868-854242590-1073093032432949566"
1⤵
PID:916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-675433905-598408492489875380-440275990-203905298-30148716-14486184751498826542"
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EaEYQQAE\AuIgAAIo.exe

Filesize
1.6MB

MD5
2be35a502972d8419e89d0027819a14c

SHA1
9e31dbfdc22d411677351e7f21516b3b7c8901a6

SHA256
d64c3ce7e9c75fa9b75031e8abf94a0d02bbed0ffcee40154c4cc6bf04c8b278

SHA512
d51b9395d6928b07998ede8b541b4a45bb754bb046d7ac2f551423e7f53b8864ddfb20f19dbcdc308f33b3ea11d069622c2f18bdc5561fbdf095c2f1bd6f4752

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
1.7MB

MD5
09cb684bc198c0ea4d58b8ab2ddf5ebe

SHA1
ab77efccbc16092ec3c824b1e866fb27db69b766

SHA256
95e32696f677d63097319cb64f6685c366afdc3105cb5cc5b8d3bb5821f12a84

SHA512
e5c69a59df57ecfba375d923984cf29f27584dcedfcd7d703dc407e8d538c846a4c39c521f05ef41ca8f770c7795404aa038cee4c2fdc445025d97f223a9c98b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
1.7MB

MD5
0d3c1cd42df9eebd0d569f0a683755bc

SHA1
5b6797a858cee9ba966b116288f60681b72686c7

SHA256
318a7d55565f2258b1d175126b78814acf751f9543db1c0f6c37009afa777fd8

SHA512
8c4cb0403e4eae9895610310c090e963f8afe309f35a7b6a8b751313e191cd57e932ff51f8f41413b6522a71e7f068ca4afec721341866cb3e7439ff66fcfad9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
1.7MB

MD5
e8e43b5d33cf013a1db8e9043de3e8a1

SHA1
6497ad85cbc54b0904ae6b854ffcac2f016a7d2b

SHA256
6d431a97e2b165dc5629b963eb12a8e5783dd40f1e7f0402d0b50d69b2f0a556

SHA512
6dec4a5147fb8686e38b2411ae9cdf730aa44a41eb15738aaab6d9aeae95559c22dfcd330c894945f4de9fbcfadda03e605208fa66f1ea404873bd8888ca39ee

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
1.7MB

MD5
1b8f932e16fd96179aab248c10b016e6

SHA1
60c167282ed4d64bbdd9b868b357df3d08b97cbc

SHA256
80acb215a6349c1bf6405a973e7e687c8a4aa2351dda96d59b7c876b85ad1828

SHA512
9ad6f7f4c538923b0d79b7529eebd67459f6e635dbc9d6376584c5d65fba446d6e253d242b03e33d137ea7dd323203b0f01e2b660403a4f5dfc52ac40d3f2e51

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
1.7MB

MD5
956d51785962b246128dea403f50c812

SHA1
8c071227c2fad58310f75ce7def3760c251d3130

SHA256
bef641389220e18652fbde1ed354bf53ab2eefba889d0ef9779e3f1f25977b75

SHA512
041529da444d18adefe23ce5e183ff06892195fde0a6205fa63e065af2828c67b3deb52f7e9ea1adaad1be270441d100a4618e0eee26a7449618a38dd23e7872

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
1.7MB

MD5
f7e6315e0f2684b5f04f736b89b3f70a

SHA1
9a712c8e82e9539c3bf7ebb0602e8c0072aa8559

SHA256
2c9d267978d0a41d3caec83bfdde81b827abcb467139fab2f8c27d66632a1f2c

SHA512
01f0f48ecb53275f23cbe328ee94bdd929b81b2c06b43658429411768c86608be0cb9c797f43ab95b94c7baac32fdd26d891c46a0f1a1f21bc01511a34208657

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
1.7MB

MD5
a31ec9a50e1084f2704b685629d622b4

SHA1
070c5ce6559fe7cf347e5fb0d05831dac13b4406

SHA256
2d755aaaef7d9830d5566ddcd517abe5f2f6b07852fae0a087c7f2fb75e003fe

SHA512
a744a39cfc84d963737e4ebc481c2cd2c3a307d63f120b26f94eb89d5fa3a2e40508878d846f14c968d426cc2ccf382d2be8c885b6503a6f3fa96c6363e882de

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
1.7MB

MD5
c16bfc4231978acd59bbc6954e71315f

SHA1
651024455fb2f76afbad1bb7c80473d946518c04

SHA256
e215dc3a5be8c3be0418030a1198c6a6fe70a7405e9eedf6b3f94b8a53921ebc

SHA512
a3b204d8f9a1c8dfe07332e155618fd12b5d61a9b5645958db7e3899a9f403eac31f94c15551c4b4901a0dd94bd65b2a8adc770cd7c0fd6318e994367a83ab9b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
1.7MB

MD5
b66bff5f5c614700628d3aa036e6b9ac

SHA1
ba57120e126a16eef91e82bacb93d0dd3018a1ac

SHA256
abdce1d11e0d9c4efaafa422390c7cb4cbe31bd3128ee5d7983192cf35be1c05

SHA512
224491e4360b8be266f21cd05c954015ecfe8c5f9b14f091e2507a02bcb5bbfe3865a22ecfb3f1a3243d33ad0554aaa70125ec7728975abaf803288899b91f02

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
1.7MB

MD5
a5e6b5f5210062772de5f0940dcb2e7e

SHA1
4dafeb20f8afc7b1dabcaf899646df615a0d3d6d

SHA256
f58bb6a57d6e6bc8ad988d62fa49436e682d713e135974d0ec0aea6fb8b20cbb

SHA512
93deeecda828ddb844959e5178574a168bfa94ef39d6acd643fa0e89802695b53619070fdba96a2cd5f55b7888f727f0c0a61637024e2891b3805c73068b2f4e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
1.7MB

MD5
b8457873bf741207732f5c8e33ceaf47

SHA1
8cdb5c0664e7840b5d686dd5ed24713654467702

SHA256
ec06c714f33180db3d15db9e177110d8bc664e473ee6984fd82276aae934545a

SHA512
eedcf564a000e4791fb0a2aba9c6e13c64698699d06ada4981954a41d992160c46f12b3ec2573380d4930968df651da8ad45f2de9fb979ce56b96e77af8985f4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
1.7MB

MD5
76fb08ea692e63ecbb91aa20084e7d15

SHA1
a53be6a9e395d6244a0acf2c99afd9fcaac5c1be

SHA256
f312239e98308a9c04402e6675a69f3828f27efa742ce8a1c40caedbe04cf983

SHA512
72f57061789cfb6280476eae6cada2ca836a0bebb730b4256c030a5f0300b95122e199c7a6a9ba1faec8afe51376a9d7f1b5f63a1aa9f870d703319c5d859048

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
2.1MB

MD5
06f208a191a8300d854c0e25e66509f2

SHA1
b4c457834eb88eccba553bd3f48e207dbb5b4a05

SHA256
5cded4099e0b4365832c374cfb3705f528fe0534419731b3060d2679402208b2

SHA512
c8aa7a44abe74901c1af22ace0e6dd46a7d78e8652a59b161ba8c88ac15c5776557c5d62d7a42e14e58e9eaa7e16172a0f8717240749f69a7962a09e65555024

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
2.1MB

MD5
87d0d1e4869e15863efbd45fac88c25b

SHA1
a1a28a966487594d1ed26ff218e51cfd1eced5b6

SHA256
be088b8eeb571a8ae6ce1401482cb6b62ec713a9b974c4505f471ace525a6c87

SHA512
d909451092b527a35b70ccd5411199eca092c92d0f14dff2671abf68c43bd455ccf62132c2ec0d7d36d41753204acfffedf96c96bf216739a1eaef3b7ce804cb

Download Submit
C:\ProgramData\YsEA.txt

Filesize
8KB

MD5
8edf0f4ca173077e88bf58000a54e102

SHA1
fab7469698f10f06a195ddcdd54d5d13b5b479b2

SHA256
d97ff044166c855ae321ccb18c01588ccaca5ebde2938ee574349161b30cb1ad

SHA512
8dc5b897036a02b2df0cfe53d32c923e4bb8f72b4f894307ca0cb8ccdd4a6cf4e1b61e21770d297d1cf365489bdddc23262bba50388c95577dbf8cdce3943bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAEE.exe

Filesize
1.7MB

MD5
a851bb7d8bc858ee884dd61b4f45bb57

SHA1
e5eff05f453323874125acbe1950599735c0afbe

SHA256
0e480b1686941a99cf0e5dc007fd7d1a88ed59ee0d78dd750699284abe352f9a

SHA512
59b532ecebbdbedd18c7fc49db3e94fa0a2576122b81624d1d474769f4202587da3303f38ecd6aa29fb49e426e935b3c009d0c68613c8687c2ea4abbf824fe04

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCMcAEgM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIUoMkYA.bat

Filesize
4B

MD5
d1ed54502c252c42093c0ba1fab2f3bd

SHA1
9916f634d2bd9d9708e116eb3e41e86968ddb533

SHA256
4bd1ab9083a8255f8c464c15b999db67af84a7c625df7d25ced670dc9e4486bd

SHA512
257bd387310f62b5f0818c3daedcc040595f8694c2618f9ed8d5cd51fb7a3cebabc33f7b9893b16a11958d6176a5ddb3e45706cb3e5e709448491c4986ff7285

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuMcsUgs.bat

Filesize
4B

MD5
984f4105e8331fba3a49aac23558717a

SHA1
0eacb0696fffe2b228a1e64c30a2c2364b8df645

SHA256
f4b056b770eb5093fa01b135c58cb64915c04fcab05bbd857a2c1aebd7f2f34f

SHA512
455c47af2f4bfcdd266472a332218446e01c4d981483ace0774308a25d2dbd3b5ebcd0d2853932d202bb0a0b9059923a8a22546dfafa64d18f8d55d66c978675

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAEC.exe

Filesize
1.7MB

MD5
b7ed2558b8386d0ed2730775a9309f98

SHA1
95bbe5b223890940ca8678c9f2d427465d5eef99

SHA256
6067c940a37cee74de0c66a0635f7afee3311a2c83df320dd3db7b033cadc56b

SHA512
ec4936ba1c7453daf4857326936ce77e56a77f4e488f2f7e56ef1aae23476031afc96871fdec1aefb6331c654b8cbe8dcb5030ea29ded76d275a4549f3f249cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoIe.exe

Filesize
1.7MB

MD5
496526c1a5321ad3f159d29da8916f4e

SHA1
3fa37601894a36c05fd5e1ea5a89a1d06ffcf6c5

SHA256
41306eaf5d33919a7930b15ff0e6b74d5cd020e05f5ff6315f7a35c2328f89af

SHA512
6dd43d6c700b04610d5786a439dcd7378f7c097beb4fb0b571bb07957ef51c2bb8a9ad42367b0600dc078d54540b96d2c7a3078799b74c7218b5e87b740fd6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CqskQMMU.bat

Filesize
4B

MD5
25f5f217b114feb8c0326563af0753e0

SHA1
4b145c99be3b18d5268681f3cb53deb0c7278dcb

SHA256
fd0f2be2f7a842bea6714c6609f309de693a775413c8dd046d98018ae720136a

SHA512
c5c69930f1f98342487fa771411c3eb86d1764cc269a06e0a7101dc04ce9e90c2c64ad3c9259f85d63c5bc02102527c2890372ab0271adb79f5d9aa52cb19d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAwO.exe

Filesize
1.7MB

MD5
589049bf42adfcbb314bfdcb729e5c87

SHA1
7ef14c93f724bf20f3a3ed2ac8e539c79ea1daeb

SHA256
d18ff042510b16294beaa6388c2544605ed46946f45100c78c4cff9fc636514c

SHA512
e01a7930f11236ba9b4ada7a52411e4401bef2aa79952a0206947cb992b04dcf02e759fbb3a748c297d983d24bd5d8653d35df6ad604e22be1e1897b02fd27b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcwu.exe

Filesize
1.7MB

MD5
6843d195454b1fea83d06a9be2b9be2e

SHA1
a0c86bf8cadf05a625e6b1ef6aa3d611eb0119a9

SHA256
6bfc74244ce0824d1d46cf3f490467575471b097cdae5944162f345d7cfa188d

SHA512
42a99b15eafa6d2eed84a0569af73ee044560b885d802aaa1e43b4592237bb8c63b33c68f97d0d5de6b37c02774911e0106b4fb8ba2422c3f6c22c8c2f66562e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgoC.exe

Filesize
2.4MB

MD5
6e5e7308c0c8a214363e02c0c0e5bc81

SHA1
375d8cf8496af9f5b49b10ecf192f6d6f1913443

SHA256
fd2050ddd2ee5a10dffe7a271998d8177acc17cd26e15963140bb2cde5d6de6f

SHA512
75aef5af5d16f21914df5a018cb4b47ecdd708e5abc6f77b08e7c97f7467444fd634608b1c56bf3a8815a14f0eeaa3725618fff64971a2fb2791443aa44310d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCcYsoAE.bat

Filesize
4B

MD5
fb8260a9a98f49148d3e21a39ed27fb8

SHA1
159c021356cd7c24de1bae87874ec76704dbe5cb

SHA256
b57d8fce9480ad0cac84a3b8a5148d579e0fc8dcc6f9e568106ce2092aa93b1d

SHA512
a9add271f7e4450be06a4d1c12d836a87943250562594e03f92e0244a51515215584e00a40566b4480f44c63a20ad5fb547a48d41f8c1af308a084ec96461bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgoS.exe

Filesize
2.2MB

MD5
69babff0de47bf9b2cba865a7fa78a11

SHA1
0f56df730ac9d06d08dc64ec3b6426158facc116

SHA256
891600b6ad640ee2406f57b449971cd7945e0ab39d17e53edeb192dcc4c63506

SHA512
75ff4362cba31c4772277b35546ba6a4d22fb49422140fb706f415be7d4f15ae76dc9f012c5535a20e87e5c5bad0978820f64c0d2c299ab7be7fd51273048a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\HswQQwAk.bat

Filesize
4B

MD5
622b30ea8e8b58f527205d3140344732

SHA1
2fb76ec1d84f022208db57fc206c0a5e6b5eade5

SHA256
32cfaede755f599760052f1dbddd8ea7f7fbe406a7e7f34bc8174534d43dead5

SHA512
6283c2deeb4ffc003c56e81d880b9e90c1f4469feedd3ab2b4e9802fb85d78020e1b686ded1bf0b74f6e1422fe393d164542268b1cd43dd6d3549aea71a333d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUMY.exe

Filesize
1.7MB

MD5
3fdd1997c49ccfded53952f15da55f50

SHA1
2a8338924fc07e6f3912f608acdf4048a51de3f7

SHA256
5bf7674bfebc2099c2eb5808e8017718425bdef52c557ae964fb87c1767e9de8

SHA512
6a36de224e5ad454e6c395b47c19cffd10920fe77c1ba74c24d6079036db28dfa36bfaa2ccb848f859c2f349c0e19d48d540d11f902190873872a840196ac853

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYkUAAgs.bat

Filesize
4B

MD5
c41c7d3bd1657de1b2d3f0d1f44bc2d7

SHA1
e5932168aff8e9f5bb3c98a7a56b6b0b74bb8758

SHA256
84384f35eb07dcc9e087f298cbcabe8ab4c51b487b4d54893201311a25c0b6e8

SHA512
448af534ca4f0417d916c3fb1eb00e2e5b6dc6e4153c5dd8845d3bc58260301bd3836f26cacce6c6754280baa37b39938feceb62adaa3bb3af050259e7ee4a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUEQ.exe

Filesize
1.7MB

MD5
c24eb75fd47c1ef861c88f4162a2ac23

SHA1
72205e441674ed97ecfa132739dfe65aaf5c4e2c

SHA256
e47ebbd15f531971808bf097a8f9d6a00d06741ff5c7c646f9a250d20697ce1f

SHA512
b6c1fedde99d0a5a8178c5f163332af7c8e4a0f4a0668f46dc8d04307abcb1138cbdd5c73d9634e66aaafe73cc965bcba3eadc9712fc7214a4be43d62ba2a154

Download Submit
C:\Users\Admin\AppData\Local\Temp\LyMYswYo.bat

Filesize
4B

MD5
a2ed9bf5dc820967b62d2ca4cb377098

SHA1
4dfab868ac480d615ca87584877db4791e8e66ec

SHA256
89d162f376876cbf909b260bd3559578202c138c13cb637b7e82b32a62f9564a

SHA512
37521ecdac8fcd038f9ef89b01789494fcc27f7ae6d6fd71fe2ddf7e1999caf581b199ce65f8103d8dc0e3ba74fd4a580ac7b49e9c06d73989e6ae875fb0f15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOIwgcEU.bat

Filesize
4B

MD5
bf0827757f8c224b9a1c639d4341526c

SHA1
8a934a46a9b769e0f0d7aba710b769dee9fb1b46

SHA256
1161470d4d86406c7392898db29cae83f92752a91c8e88920bbf8aeb9d3b03c9

SHA512
a794b3842b9f7e02ed43ac59efce5ea9124c47d807c7c2370e8aacad6332e3e60e5401d9a4dd102cfa3cd5be83cd4c4150638e9188f311c6ac177212a5772770

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaAUMEcM.bat

Filesize
4B

MD5
93b8e1b4d818a435aba90ea1cf612f5d

SHA1
e2daf278571c8a2a526b57f26c721f39f0c07a98

SHA256
9f6c862ecf92e232eff7a6ade4a38db2917f76bd9b8c985c803a5948be272d77

SHA512
9d6177d9edb6f89d134d4bdadb836c9776305d4e500071e35faea1fe4d8a224b8449356650ca4ad92a0ce95157fed809a0e5c150c42d264621fa5bbfba1d7e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwEY.exe

Filesize
1.7MB

MD5
49b6544fd6604550230008abff660115

SHA1
cf72e15efe07c9944dbe1e28abdd8c8de8430b45

SHA256
bc09566b8a48336f2c9585d1d23878846b0a54874ce18a51026ae791fca87189

SHA512
29b42ab4fac3a54ab1d430749318e27055001189166a78f53f266a4b4bd2f3d8867b9d059ae32c2601ce654b380f649e4b3b5bd5fcca56dfc1d35b49c3b5fa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\QckW.exe

Filesize
1.7MB

MD5
db082a5530b8e694bfe83ffc44576333

SHA1
6aaf7719781e57a831709259e264fe45338a9398

SHA256
f83a14c2c2a87e20333e3fe6fbfd002101109ae4705682aeb82be48468340193

SHA512
f85383e14043a50cdc0d44cc931ceddf6e3d9b8b667dc1a60abb812d2c14bd9bce723d89567ca7273b8dd3cb9e50d723d2d0e6cb99c536ac4a59c129b07059b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCAUAcIY.bat

Filesize
4B

MD5
37802947073de9ff4fad833fbea54f08

SHA1
396f785337cad7be2348bd5dd871f388b4eb55ee

SHA256
eca4e7d9a1c653e064f1b30a7a6764cf3fe9f418b691c2553956e18ee127d16b

SHA512
a70e67b86b906c057c47644be92e8e18090d52faedab4999a2ccb4c81810b745d0f48a96b98d5214ab9f9ce986def920eed29e2df9cd7d503c5a8307c566152d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UKcUgMAo.bat

Filesize
4B

MD5
a4f9dd186f2bf24edb9eb3b1cfe27a7e

SHA1
77a9d79d33d659e75e6e2b3fbdd5592fd07b7033

SHA256
0e82331e7063765983c0c6f314af6757a2fbfd0898ff9c27539e0d9ee753895a

SHA512
902e9c5f9eb76b414cb83751d89e5ffdfadfcc5a591c689d6728e28694c7e4b5ee507eb110c79eb2d2176cf331d31c45bfb1e0ba5887239d4b81803665c2fde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkwA.exe

Filesize
1.7MB

MD5
8a2300bf7d1d489628ca289beb89fc3e

SHA1
c27f932ca5034870e0621487ab8cf7fe93526af6

SHA256
c7aad384f356ac7a25d178cc5eff9d167c5a68e32d674f3dd032c7a955161e99

SHA512
576634efde379f391a0e1e8ebf94e8bca8623d377d3774c890bc7a2152faa78c939bc5975775a31a3cb2c2beef114a8fdd0c46b8b02e3e14030c915fa0e9d6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\UmEIwMMs.bat

Filesize
4B

MD5
f85dbfbb8fa00f64b6262e2de9a812ee

SHA1
224a61ec23d9259a8c537dab0cd98650893e3906

SHA256
87a9131da1e63fa873c091911003a4d4429aaea0ecfa0306281cc7e1c1578870

SHA512
863a681c98118eaee27f01b303867287b036bd1034f8e9e8d2eeab14a366b6a8d575943866ae4b9b090ca7a6c4d6479a721d8aca1531ff725ce82dd04a525353

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQAEgkQo.bat

Filesize
4B

MD5
8e83c385cb9035782d966e46b12a6b61

SHA1
f55be7659f06a77c930ed37c49b9c58a03a12832

SHA256
460c30501b3441c77a5239ed979d0d0272f12dfe0315e279d65ae6126f9533df

SHA512
82ce9efd056644e950634ccec83ad4c2821e051804fa4b9e9834ece81fa1757e3be24871cda4e8c9a9e68a06bca3e79758293ad61608e3adb0940f22d97fcfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEAwMcIU.bat

Filesize
4B

MD5
df8a84536055d762002b482db290cc02

SHA1
3287517f031e3da1f89332bb0e56569f6a45bad6

SHA256
0505cdf6445509e73f2880a193c6ed136f500e1837e29a15ca01671e2c532113

SHA512
778d5685f0dc0dad9e96824fbb08ca64769b8eb6f749fa2e3b7c321949005c2dda6dd91a2939fe1ee5e5caea41107657000778f0635c0e737a8eb21b2077c121

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgMy.exe

Filesize
1.7MB

MD5
0a2b2ecc40176a9a42c08525b15b11ee

SHA1
fb1f193c4e34cd954f59c5637b44fd86b742fb49

SHA256
84ca010beeca7ffbd79e851b3e19493afe4e2209d11d5b96970263d0aa1d8012

SHA512
61f54dd588b15706f866a6d37bf7620fafaa5030d48f13867395c702dd9b8c579c6da442566f8983852b17a4727059697534d5140f052155cf819ad2f23d34a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZskS.exe

Filesize
1.7MB

MD5
7b140168f0b5195c0ae6a924cf617511

SHA1
c0b5063a646fd37b552bc37fc6adda8bb2adf589

SHA256
864c90bf1d1b22fa414a7264434de17d8d1ba7a3d18be397d51f86e86923a045

SHA512
d34f86348ea8e4423d2cddf03a0c8d8a59a8989257ab603f2081cb4f5b7a86859942fa9b9c1580016d28712ea10a2a9769b3063a92d36f7019da7e6439c0acde

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAIS.exe

Filesize
1.7MB

MD5
0117f7d332d305635001b2413acfd9d9

SHA1
e47ebb9fb088de1543b4542cff9034d55f8e1487

SHA256
407d9f766039e16a372b7aaa42a18ae3716746171bfd481b7927dcb158abc644

SHA512
c89d702348cfecd6b75191d8f9350835a741ee02c90ad73d389a6c1c009f7855a106caa8b15484e1348d6b16143bd525be3ef02ade94fbc8975ef51d2bde5fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMQYcAAs.bat

Filesize
4B

MD5
baca71a27152d606b942d0b7af2e946d

SHA1
c187290595ec386aea76143e0ac582eed52c3f25

SHA256
c0263434f83d4bd154d5acc1bcd00f7b1cc66c55cd55793a12f37f42e97e5c1c

SHA512
a6e1697ed7c2c0e6f7a2d12f4d632d05a0f941f2b7224ee210711e0d3b6068b44b99e193e89f948f3de01c72e3ea85b1fbf1fae5ca91e1e27898ecaa3248c185

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMUsAQoU.bat

Filesize
4B

MD5
0493f8ad0c466f939102ad41d04c2a3a

SHA1
e5e8ef1b1311189cc91be312f538971820eb85e8

SHA256
0e1466b48103114b4edaeac46d31b2d7cdb0a8cc3553885cc394096976457bf5

SHA512
1f0d4939284926f68602bd3cc39b345dde32f6f237b125c849c05253dd7af25b0b445be0272ce1ae6b82f95b14049ce53f600fa1463c446420eca35a113f2c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYEK.exe

Filesize
1.7MB

MD5
820199a258042171f90b60cdfaa08430

SHA1
47d5c17691c6099db3ff13e35e5428d29b0ca5b0

SHA256
1e4cce1df6accd1000862517e0250a72c964bf23a4df95a4a570740446eb89df

SHA512
67d010715af6b2332395a646d66567c911284c3a4dce1bacd030a6b8e4931494b879ec84c3f4293e1b615d58e7bcf6796ca49e53637cccfd6667d84380290414

Download Submit
C:\Users\Admin\AppData\Local\Temp\cowgkIYw.bat

Filesize
4B

MD5
192b7e4fe04de095dde7ae7cdd84141e

SHA1
b808678c16a3e086c9a7f6cb723d13178632a409

SHA256
b2885701a9e1c91263c62b7f3a00ac42200e4e0f0f1adf98e9909f6f06d71517

SHA512
a14261f2c2502886f19e26972dd465bf99fe5d7fa0d8d5431cff91cc6ead9134bfcd97f6b7def3cd8c126153a71f9773bdbc6bd58ae58fa5447cb65fbc8db667

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqgoEEcE.bat

Filesize
4B

MD5
23ab56e5f28cb5cbfd50203345954a5f

SHA1
1e7d2605429dfa6c094f1f8905b0aa3b58fa1751

SHA256
9b3d90224b237462f32be84d03d583e7febb8e4d02abed60e7d2abcfcfbaab2c

SHA512
517fda30d3d0242d3599934abfd0e3f95e45cfb997dd4b3ae8f7c919cafdadbda8482b5126683e607b04ee72b4ac49393e91dbe767441f8c1b5c0b874840a820

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEAQQkUs.bat

Filesize
4B

MD5
fc6c37041d4a6b5e90feba5b53923468

SHA1
14e9bb2b28bc78d521c3104ff7db42dbeb507b22

SHA256
219835e05fa6e51b87525ffa8ff2d1a4d04440d5bb744cb884b5817acb0f84d0

SHA512
94fc10ab42b3e11a781d3a82424e9a88d08126c55b671145d84262e0e268091b4a3b410bb8724d061404736b9d557b8d3d35051a14f6e6c8fffa8182609297e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eOEAEEkY.bat

Filesize
4B

MD5
df9d07b72a81b404e9561a2d81c2a077

SHA1
5bb1581497e7fa50792c8c1e9e2137329ae8742d

SHA256
1da98e5da6de5af5d6173d17cafb4708c62052ab2fe113944a8fb47ceb768afc

SHA512
90c98d682e6323d64e7731dd7a4c66b371c4058f3c2823dbfc4c88d8bed5db906fa5aeb3537aab1f3ac7bb312ba7bcb3e99c8d9ddeeccb7f8766a4c31ecafdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\escgEQwg.bat

Filesize
4B

MD5
56d1420544d8eec95cf2badaba18e05e

SHA1
3dc1de3defaaac6ab81e3eef1f383fd928fc6dca

SHA256
a09b95a698c01b0c4a8f5c5ca3f1e87af270ce30de5270d34eb143304bcadd2d

SHA512
f127668e66ce0099640d6e2cb1b02b95afb3532e688b4485fefba5cf8492cc8edd688f87e284620a213c102a6d4cbe190d39712a9f5625b204546ed565dd376f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqUQYYcg.bat

Filesize
4B

MD5
2392e9ff9c069aad1d57d5ca788351c6

SHA1
0da6c49233c19ecd41924c1d76f86a2cba376218

SHA256
8da09d95021902d43ce937942839dd030f2d82d8ab6565ad0ee8abc87a64749e

SHA512
8d448c594030d0766873e64e114a3b71105e1bc19d9b3f0245a6e8acb19a6326113ae094b62296887857c3000c5ba9f98ffef952cd59fc7cb1bb94f3776200f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIYK.exe

Filesize
1.7MB

MD5
12df1d0e69d5a4f95a8879199ea8f598

SHA1
adc31ef3d71e5fb601a7c2e9ef52248d2cde2136

SHA256
88cb23877d042f8f7d8b2b6a79f19a13f513c226286b80937e871811c49ac7fa

SHA512
e39f1f35033586a6f836d916673caab7a9896fa7c69dfb6958fb1109ec90fa128af1e8fa76970ac942e14e4bd741c9f4043a0f11903507ccc8148ac89fad0cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkcy.exe

Filesize
2.7MB

MD5
f8fd9144faf5c07fd09edaa30bc72215

SHA1
963f928d26ec046c18016eaa7a46292cc8193abe

SHA256
06fb4adfad674eb7f73aab0d090c655feab7f70f002b1135aa78b5ebce38bab7

SHA512
366761569816fed80164d27d308a4dc6ead7048286c311ec8961decad7aa8fb198149ed5a2bdf5a965551ffde66684e11b8d483a65b8267eabee27d3bc9f7f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoUgUsss.bat

Filesize
4B

MD5
48517dab168b9e38591911de30d8f07a

SHA1
043102419ca43d95166a08ffeeeca59ff6ca0c5c

SHA256
384324cfa8569e7aa3d12aa347bb35395b482c2a7d0646dfbe80cee09db64735

SHA512
7cf5f66702705a596a09d5cb8be444cbdeebabefa3e673c4c159dd57083f304160f96453bc3c6b7c3c35a0b93ec4d7604a3fd17df5c9247a0f2463e5640b745d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEkS.exe

Filesize
1.7MB

MD5
36b2ef1f8981aadfa6ce54c5929613d8

SHA1
9c97dc1893ad98a4e847af6e134595e147e593bc

SHA256
3b02be21c14e27ad1bff3c710586d5f0613fec614e990349029fe750869a4136

SHA512
df2a6ec329015fa7edc75dea728d4d8d370480b66ca69fdb0c5cc6d5c707484d086dca6719defc4bb87eb360c2700132046e90e489cb79322ff4d86689b719ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUsQEIUA.bat

Filesize
4B

MD5
999f18e2a34f38658e5190a240ed6cf9

SHA1
f64696f82ad0975004283792b6a3935954a3b172

SHA256
fe51a8b7583480b4b8439f12f9fbf1e78447c52e612d65db4d4e0a97953b4f83

SHA512
247b67626679a06af097cd73b50a673134ecd37dcd1f6e0b1c7a6d7dfde137b9278994753a1e5211e7e52ef6719afc98d6af270fbd29e788c6b7fe109df8ecae

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcIE.exe

Filesize
1.7MB

MD5
975aac8713d77b489f2417db30a24be4

SHA1
71ed9cbb583d8acd50f436c3a61ee211b03f7a65

SHA256
5df9fd62158d7c9b2d792d4aa9ad77da3751649628dbaa6d716c9f821f381db7

SHA512
16f5bf78cdc93b720aef1359e62a69115f2ab276893f446ebf88753f096d496d7620aa61aa5fc895364d582077314a5a711a0b20825b2e88ceca78022de43bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAkgMkEg.bat

Filesize
4B

MD5
3a6bbeb2b8a980b3ecfc5ef54d4e6f22

SHA1
df427aed21f946796915438f85bc8b1f0c5d1e37

SHA256
eb79d355d6e74ffd5ee0778dde7bc230841ad4b53edaf822a17061061212f40b

SHA512
6c294b974be2339a84e0efe91c327f923bc2f2eec70b09b21e4301c2668ad4218b2b220c014413463900b6457aae2926895eea600cb83fefd3a3ccf89cfd307b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqUkwcsg.bat

Filesize
4B

MD5
6e5386e75ad64a3ccaf497087964d34e

SHA1
6fef74d300c80da542cbeb5ceb54751321d0603f

SHA256
252a03dbfca4f25c7261f5710d047a443b4634a6ef93451f05f57240428f4dea

SHA512
40d99c3b6ebf70eeccfdf1dba3fdb47b790d91533bfad9d21a447b713c00977dac4d29e480db6c5dcba967bf5ad8bf3a7f4c933aeb10c456d449e387b88532d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKEw.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMAY.exe

Filesize
1.7MB

MD5
b37ff48f2c38f9e84a562dff22baf25f

SHA1
4a1c016be16e08bf66e7672b0893282bd2c2e3f0

SHA256
0b3ccb7c96d017886ecdd0822064c42ed772397148e6f1cbb52eb4d745edbad4

SHA512
544f967f116c8f98adad1b809b2880ade2efa69e1e046eda45982c21161bf1c112ab51e7987a684c4f66ed1478044cd8cd6f6c3fb3121e16bdb8b9bafa13367b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIsI.exe

Filesize
1.7MB

MD5
f7f45dc26b529e48d1cac6c63c9cb168

SHA1
2b923752203a5182bd9f4c46b9214264868ae5ac

SHA256
d469e60693aa352201bd1e3618fd409693e31d23ef86340ee44334ee951cc7b6

SHA512
a0e265e8e967c1a41103ccf425ffdae5f9f06686c16a42a94f28c71a6f80a11346c4d340a729b02da9c2c0b105581e9a27f489a3775c9388c847be720b8a4dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\moEMUsoU.bat

Filesize
4B

MD5
ec1ea82d220c0954f6c10931f1ca457a

SHA1
34a0ed1345e25be4a01ffcd682d2469d176a7c32

SHA256
fbb47d454b36a3c1ee7f075f111d76a9cbf9c5f0682536e6d958e78b62545ee9

SHA512
78ba5019be8913d2e4f4d2bfd7046aff9926f466a90f4bb91d2dadc2de9f3b59c9b082dcc894c405fc54bb3733a86d00d8ebd097de88862e0e84a27963220392

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkcO.exe

Filesize
1.7MB

MD5
64f0c6b34a7835a93585966d0bec1232

SHA1
6a83e763f75ab944149bd580bd15d86a3fd77931

SHA256
a82047e5a1f6e952c20ac442803e50fe72213de08a6fd486f7f865f7aa6a0764

SHA512
9ef9f4e268a890d4214d258b2f4a3426b605e6d1603d2313951b659d2758a5acd60b8decfad4aaa9cf87e462780760269f24ee8c1a4862a52410c00e87749cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIw.exe

Filesize
1.7MB

MD5
c5eb448f121552771bccc2587125f2d7

SHA1
b84e02f5c97d04795f62ec1402813cd7407e736a

SHA256
909f3863ad69354843a216af5ca4d56c6b751716155985d8459e9a96adaf3133

SHA512
fea70aaa4759e5ac036142d5fa85ce834a320790f5491875f083b8e97b30333b976f1d9f4bf51845f631a8774b878210e038e3a17a1f9b546c7bde21dfca396d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMwkEEMk.bat

Filesize
4B

MD5
8381b887e7f1b69c874ba47d230e79dd

SHA1
5cb39cf0dae5f16c0e47be639bf5fd0ef9eaf1ee

SHA256
cc3060dcef784d657912f7bff0281d9bbfcac24643f6ed3cdc2420d49140f1e6

SHA512
fb82940a0c9519054304c9e00a63b05f60601e1c935169e98d2b4519e670a4e0773fec72556725a603f7ed72ab8771b2ff066b38b01a9117bb9845e4bc1ffdc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQca.exe

Filesize
1.7MB

MD5
e1a0d9ea76ec38ec3b39b3eda4402930

SHA1
e20ef7c8bc4ef4e3affb0ddadc2844115ab7272a

SHA256
573df29104d5c8fe69a5936ae0154fc873f6f5255c834a29cdad43af854cdd51

SHA512
42faf4ac8666a6a948db86a72e8a26fb8fc69756b5a7eab7babc019dff2aa61768af5294ba163a4404e448d4266677173c653baa83728c1843e36fbcbe65be07

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyIwgUoI.bat

Filesize
4B

MD5
55bc35165ab3cc37bb8c8bf7bb569cae

SHA1
c239512fde8eef300313c69b014d9e3f9e96f2ee

SHA256
483ed57c2d93c419c16263717755d8f136a1cf5045253a9c6d99c4cfe1e6ace0

SHA512
6e28c73ea2992cfedc56f199e0ded4d2947ddea57bd89f7d09a58a39d17f3a04c53357639a1e4d29cc5d18a124c97c3b29e6cfad5d5f943e3a9e0b20defbf084

Download Submit
C:\Users\Admin\AppData\Local\Temp\skwcUAcw.bat

Filesize
4B

MD5
c1a98a848dc78fceea6c584635d08655

SHA1
e6679ac75d86727c064c3c12c40ee5de68cf3b1d

SHA256
6413e312ab90b63ea5823196fe9749af8861ef49c8d783374d91d3ad4f8c6d2b

SHA512
b2496fc17b3f37572399253e12a90d4e86e7c5fadd8452b9084cb5350e12253a261ceb2b038e28b6c95bc3228ec7ab16bceb57744eaed48a30ecaaae6654bd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\swcM.exe

Filesize
2.2MB

MD5
a00c73ad0cdf3b0e1e13ebc7a275da99

SHA1
c0755c79e7d973746a849c90ed4b536becf21937

SHA256
fb031c3add58fef618cda6a99ed93fc2d8e98efea7868aa9437320424a69f5ae

SHA512
e2fcdb7e7922ff108a74d4677ff26443c6b2260b98280eb1d536307ae9c29ed1a40bd35b3a8da118b407742b98afc929343a514b4165d87f3dc17b17812f9925

Download Submit
C:\Users\Admin\AppData\Local\Temp\taoI.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\toQAgQoY.bat

Filesize
4B

MD5
b571ee1370043b224c07ac1d43dee4b1

SHA1
37d2e4860a2881d6ba6fa78b0993da935ff0ce60

SHA256
e4355ac7dbf68261c41ddb1356c256ab710f22371ba595a69adb4e3fe7845901

SHA512
f1fdc0dd9a236825b42f63b26fdaab506804ee9e496ed97435cd78b916516c6296b5bc8d254bb61ae222d81444be5c05ea723490b8c603a8fac5bfd8b410e187

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAwQMkIU.bat

Filesize
4B

MD5
2bed0394ff3a5acb43a3d7cf08545192

SHA1
8667bdb6a9a6e90ef3cbf8d22103e25f761298b6

SHA256
f10d8d6dd4bce44e385d1469e7f268e8059ad3f137f678d1232a50c2143f158c

SHA512
55abc42890ff8df31cc01ec461f5a60056b2ec4221027c575023762040f86aaba41b028c2e5fda230c23c858b69773371afb689798cfd885132c175edac40077

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUwIYkIw.bat

Filesize
4B

MD5
4051bac009143252f957b013b33f7486

SHA1
13041016aa81c4282534364667fcd1a285bebe03

SHA256
993ac68523aa07a2f4a7d85d502984e374a3cf9eaf4cf8bae7a5c42faa099e10

SHA512
494b0e7e194f908089b54e948fd7f630af45035f26f727e6217ecd2d84fb73b59afbd5a72eda39655444d50c7e72766ed15f5a8b42a1e8c1186ed9387c0d3b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUMm.exe

Filesize
1.7MB

MD5
61cc81618c46cbf9a8c7e45d884d7c2f

SHA1
a3acfd9e63595f200d3bc9e6fb4ade180ef4bb3e

SHA256
2e9d782166e821b6d21007eb6952efa498101aa41667ebfe0bc4a6a9a3d413e7

SHA512
3075fb3f892c60132d8d5f72e10bd023839f2a79470efa69e766a27e1e5b95b25c365314be18d81fae6c406d19d6fa29ce8bc0c82d41b17f1709f43d8255e562

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWQgsYss.bat

Filesize
4B

MD5
9f41ddfcf78aba41641b7f0156de22e5

SHA1
bc904f972f2b7b0ffb6c1357097edcdd9f2fec0c

SHA256
cb45d84ef71ab30a82110a55acf0153232b78dddb95b439982599bfec2aa9b85

SHA512
760b9ee876965096393e444c3179ba54c16b6637f7d03b48b3ea686a1e68189d740388fe382dda3a9c945207f63c81fef50a90f7b80c11f6a82b20b70789464d

Download Submit
C:\Users\Admin\aIkMckEM\NeQggcww.exe

Filesize
1.6MB

MD5
f13b3c31303e2675602859c5936c4be5

SHA1
a67826c37853198b7aca3f4cc8c4a613f278e4f9

SHA256
df3d22d25f0d1fa0222b34c56e197a1a53147295c4e709efcd47c73ad2a74df0

SHA512
593bddc0cecd21dd1d1a3d4045195716c768dd0dcaee49503f5e7a50f592e35992f7fd45f268c4e5505bdd665f6595ef98821763b3f67b11a68c11fe2a3d9f65

Download Submit
C:\Users\Admin\aIkMckEM\NeQggcww.inf

Filesize
4B

MD5
78da7f5f4aa67521331e9db8091df0ff

SHA1
0f0728cdf1bf63b3fcc19c122532fc2459827660

SHA256
837ccc1870b2dd43539b3d8a29300a61f6f5effcd0aaafae6d9a694bc2b6dfc3

SHA512
f50f3e4e638893b44cd6526d69650c5396f5210ff13b97ae6d0be094522a1678ce0aed51e4945db6fa71579df19bd601964c6e6ff2868171542c81ec4a9f0292

Download Submit
\ProgramData\VysUYMUM\ksgAEAgU.exe

Filesize
1.6MB

MD5
35b9a94f92c7c9721cfaf8098fefd163

SHA1
6690c0fbe0f7b2408e472bb9b4cb831c9a299835

SHA256
a380be1261518d031edd7dc0915c93cb4eb1b30a494a1f91cadca67714748632

SHA512
8f417e68f31655b0db1dfe75c6b965a1fcbb6ff5b2d440c298d39a6fd94d6420cd22638f30a9cb156b4963238dcfb704e22ecc8787a465f709e0868501a7ee89

Download Submit
memory/532-111-0x0000000002280000-0x000000000242A000-memory.dmp

Filesize
1.7MB

Download
memory/568-158-0x00000000024C0000-0x000000000266A000-memory.dmp

Filesize
1.7MB

Download
memory/568-159-0x00000000024C0000-0x000000000266A000-memory.dmp

Filesize
1.7MB

Download
memory/760-372-0x0000000002380000-0x000000000252A000-memory.dmp

Filesize
1.7MB

Download
memory/904-230-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/904-263-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/936-287-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/936-254-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/992-419-0x0000000002460000-0x000000000260A000-memory.dmp

Filesize
1.7MB

Download
memory/1520-395-0x0000000002380000-0x000000000252A000-memory.dmp

Filesize
1.7MB

Download
memory/1568-192-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1568-160-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1608-112-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1608-145-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1640-253-0x00000000022C0000-0x000000000246A000-memory.dmp

Filesize
1.7MB

Download
memory/1640-252-0x00000000022C0000-0x000000000246A000-memory.dmp

Filesize
1.7MB

Download
memory/1660-278-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1660-310-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1704-300-0x0000000002300000-0x00000000024AA000-memory.dmp

Filesize
1.7MB

Download
memory/1724-23-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1724-1698-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1728-276-0x0000000002470000-0x000000000261A000-memory.dmp

Filesize
1.7MB

Download
memory/1728-277-0x0000000002470000-0x000000000261A000-memory.dmp

Filesize
1.7MB

Download
memory/1812-349-0x0000000002300000-0x00000000024AA000-memory.dmp

Filesize
1.7MB

Download
memory/1812-348-0x0000000002300000-0x00000000024AA000-memory.dmp

Filesize
1.7MB

Download
memory/1940-396-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1940-429-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2156-335-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2156-302-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2252-135-0x0000000002570000-0x000000000271A000-memory.dmp

Filesize
1.7MB

Download
memory/2288-40-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2288-73-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2400-324-0x00000000022D0000-0x000000000247A000-memory.dmp

Filesize
1.7MB

Download
memory/2400-323-0x00000000022D0000-0x000000000247A000-memory.dmp

Filesize
1.7MB

Download
memory/2428-239-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2428-207-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2460-62-0x0000000002320000-0x00000000024CA000-memory.dmp

Filesize
1.7MB

Download
memory/2460-60-0x0000000002320000-0x00000000024CA000-memory.dmp

Filesize
1.7MB

Download
memory/2480-443-0x00000000022F0000-0x000000000249A000-memory.dmp

Filesize
1.7MB

Download
memory/2500-452-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2500-420-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2520-182-0x00000000022F0000-0x000000000249A000-memory.dmp

Filesize
1.7MB

Download
memory/2572-39-0x0000000002500000-0x00000000026AA000-memory.dmp

Filesize
1.7MB

Download
memory/2572-38-0x0000000002500000-0x00000000026AA000-memory.dmp

Filesize
1.7MB

Download
memory/2596-1714-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2596-27-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2636-359-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2636-325-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2744-1709-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2744-25-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2752-13-0x0000000004150000-0x00000000042F1000-memory.dmp

Filesize
1.6MB

Download
memory/2752-3-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2752-59-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2752-22-0x0000000004150000-0x00000000042F1000-memory.dmp

Filesize
1.6MB

Download
memory/2752-58-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2752-0-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2760-373-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2760-405-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2784-87-0x0000000002470000-0x000000000261A000-memory.dmp

Filesize
1.7MB

Download
memory/2784-88-0x0000000002470000-0x000000000261A000-memory.dmp

Filesize
1.7MB

Download
memory/2808-98-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2808-64-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2860-183-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2860-216-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2936-350-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2936-382-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2944-136-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2944-169-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3016-121-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3016-89-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3052-206-0x00000000023E0000-0x000000000258A000-memory.dmp

Filesize
1.7MB

Download
memory/3052-205-0x00000000023E0000-0x000000000258A000-memory.dmp

Filesize
1.7MB

Download
memory/3060-850-0x0000000076F50000-0x000000007706F000-memory.dmp

Filesize
1.1MB

Download
memory/3060-851-0x0000000076E50000-0x0000000076F4A000-memory.dmp

Filesize
1000KB

Download