cca45d77fa86177709457c2638ece6d17c5572cc41a2354b3d05443a7de59952

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
Size

1.7MB
MD5

02539c580448cf8078ca317f500e2fee
SHA1

70ddd915a550ca3651effb446af1adb4b9f5d8fb
SHA256

cca45d77fa86177709457c2638ece6d17c5572cc41a2354b3d05443a7de59952
SHA512

6a8f80f1b224a2020691bea56f850fcdb071f16d5cc7d0df863c703e142ca1b09b59d529a6a8f62489ab346c8352798df879aacd074d907e37d662011b74124d
SSDEEP

24576:JJ23eWAvbYRExX8dx4ephQYN/FCqDOvHVKUO1Fra:JJZXQx5pio/FCqr14

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 33 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (65) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

yyIAEUEM.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation yyIAEUEM.exe
Executes dropped EXE 3 IoCs

Processes:

yyIAEUEM.exeqgUsMgEQ.exeMOsUcMQY.exe

pid process

3136 yyIAEUEM.exe
4716 qgUsMgEQ.exe
1420 MOsUcMQY.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	yyIAEUEM.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

02539c580448cf8078ca317f500e2fee_JaffaCakes118.exeyyIAEUEM.exeqgUsMgEQ.exeMOsUcMQY.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgUsMgEQ.exe = "C:\\ProgramData\\gOskoMUE\\qgUsMgEQ.exe"	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yyIAEUEM.exe = "C:\\Users\\Admin\\VQksYAcw\\yyIAEUEM.exe"	yyIAEUEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgUsMgEQ.exe = "C:\\ProgramData\\gOskoMUE\\qgUsMgEQ.exe"	qgUsMgEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgUsMgEQ.exe = "C:\\ProgramData\\gOskoMUE\\qgUsMgEQ.exe"	MOsUcMQY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yyIAEUEM.exe = "C:\\Users\\Admin\\VQksYAcw\\yyIAEUEM.exe"	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

Processes:

MOsUcMQY.exeyyIAEUEM.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\VQksYAcw	MOsUcMQY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\VQksYAcw\yyIAEUEM	MOsUcMQY.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	yyIAEUEM.exe
File opened for modification	C:\Windows\SysWOW64\sheLockOpen.ppt	yyIAEUEM.exe
File opened for modification	C:\Windows\SysWOW64\shePublishUnprotect.docx	yyIAEUEM.exe
File opened for modification	C:\Windows\SysWOW64\sheResizeWatch.wma	yyIAEUEM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4156	reg.exe
2584	reg.exe
3944	reg.exe
4644	reg.exe
1352	reg.exe
2840	reg.exe
2164	reg.exe
4852	reg.exe
2188	reg.exe
1840	reg.exe
4736	reg.exe
4392	reg.exe
3012	reg.exe
3664	reg.exe
4556	reg.exe
336	reg.exe
3232	reg.exe
2904	reg.exe
2236	reg.exe
1204	reg.exe
1028	reg.exe
1668	reg.exe
396	reg.exe
4900	reg.exe
4600	reg.exe
2128	reg.exe
3036	reg.exe
3836	reg.exe
2088	reg.exe
4944	reg.exe
4484	reg.exe
984	reg.exe
4536	reg.exe
3260	reg.exe
1408	reg.exe
2280	reg.exe
1584	reg.exe
776	reg.exe
2528	reg.exe
448	reg.exe
1384	reg.exe
2780	reg.exe
716	reg.exe
2440	reg.exe
4384	reg.exe
4012	reg.exe
4436	reg.exe
3124	reg.exe
1288	reg.exe
3576	reg.exe
3236	reg.exe
3980	reg.exe
4168	reg.exe
1640	reg.exe
4528	reg.exe
1404	reg.exe
2272	reg.exe
1896	reg.exe
3916	reg.exe
716	reg.exe
4524	reg.exe
4024	reg.exe
2304	reg.exe
3540	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe

pid	process
1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4936	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4936	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4936	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4936	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4256	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4256	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4256	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4256	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2852	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2852	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2852	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2852	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1020	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1020	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1020	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1020	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4012	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4012	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4012	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4012	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2356	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2356	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2356	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2356	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1660	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1660	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1660	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
1660	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2796	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2796	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2796	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2796	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4868	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4868	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4868	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4868	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4920	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4920	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4920	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4920	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2660	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2660	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2660	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2660	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4644	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4644	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4644	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
4644	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2956	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2956	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2956	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
2956	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

yyIAEUEM.exe

pid process

3136 yyIAEUEM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

yyIAEUEM.exe

pid	process
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe
3136	yyIAEUEM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

02539c580448cf8078ca317f500e2fee_JaffaCakes118.execmd.execmd.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.execmd.execmd.exe02539c580448cf8078ca317f500e2fee_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1592 wrote to memory of 3136	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	yyIAEUEM.exe
PID 1592 wrote to memory of 3136	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	yyIAEUEM.exe
PID 1592 wrote to memory of 3136	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	yyIAEUEM.exe
PID 1592 wrote to memory of 4716	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	qgUsMgEQ.exe
PID 1592 wrote to memory of 4716	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	qgUsMgEQ.exe
PID 1592 wrote to memory of 4716	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	qgUsMgEQ.exe
PID 1592 wrote to memory of 2012	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 1592 wrote to memory of 2012	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 1592 wrote to memory of 2012	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2012 wrote to memory of 2800	2012	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 2012 wrote to memory of 2800	2012	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 2012 wrote to memory of 2800	2012	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 1592 wrote to memory of 2780	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 1592 wrote to memory of 2780	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 1592 wrote to memory of 2780	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 1592 wrote to memory of 2164	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 1592 wrote to memory of 2164	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 1592 wrote to memory of 2164	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 1592 wrote to memory of 448	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 1592 wrote to memory of 448	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 1592 wrote to memory of 448	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 1592 wrote to memory of 2972	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 1592 wrote to memory of 2972	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 1592 wrote to memory of 2972	1592	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1964	2972	cmd.exe	cscript.exe
PID 2972 wrote to memory of 1964	2972	cmd.exe	cscript.exe
PID 2972 wrote to memory of 1964	2972	cmd.exe	cscript.exe
PID 2800 wrote to memory of 1108	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2800 wrote to memory of 1108	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2800 wrote to memory of 1108	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 1108 wrote to memory of 4064	1108	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 1108 wrote to memory of 4064	1108	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 1108 wrote to memory of 4064	1108	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 2800 wrote to memory of 1404	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2800 wrote to memory of 1404	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2800 wrote to memory of 1404	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2800 wrote to memory of 4012	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2800 wrote to memory of 4012	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2800 wrote to memory of 4012	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2800 wrote to memory of 3576	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2800 wrote to memory of 3576	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2800 wrote to memory of 3576	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 2800 wrote to memory of 1028	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2800 wrote to memory of 1028	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 2800 wrote to memory of 1028	2800	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 1028 wrote to memory of 4836	1028	cmd.exe	cscript.exe
PID 1028 wrote to memory of 4836	1028	cmd.exe	cscript.exe
PID 1028 wrote to memory of 4836	1028	cmd.exe	cscript.exe
PID 4064 wrote to memory of 1444	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 4064 wrote to memory of 1444	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 4064 wrote to memory of 1444	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe
PID 1444 wrote to memory of 4936	1444	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 1444 wrote to memory of 4936	1444	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 1444 wrote to memory of 4936	1444	cmd.exe	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
PID 4064 wrote to memory of 3528	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 4064 wrote to memory of 3528	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 4064 wrote to memory of 3528	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 4064 wrote to memory of 3036	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 4064 wrote to memory of 3036	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 4064 wrote to memory of 3036	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 4064 wrote to memory of 1384	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 4064 wrote to memory of 1384	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 4064 wrote to memory of 1384	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	reg.exe
PID 4064 wrote to memory of 716	4064	02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\VQksYAcw\yyIAEUEM.exe
"C:\Users\Admin\VQksYAcw\yyIAEUEM.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3136

C:\ProgramData\gOskoMUE\qgUsMgEQ.exe
"C:\ProgramData\gOskoMUE\qgUsMgEQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
4⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
6⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
8⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
10⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
12⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
14⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
16⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
18⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
20⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
22⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
24⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
26⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
28⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
30⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
32⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
33⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
34⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
35⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
36⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
37⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
38⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
39⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
40⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
41⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
42⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
43⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
44⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
45⤵
PID:180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
46⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
47⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
48⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
49⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
50⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
51⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
52⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
53⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
54⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
55⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
56⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
57⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
58⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
59⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
60⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
61⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
62⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
63⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
64⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118
65⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118"
66⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RawQQIMM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
66⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:4412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
- Modifies registry key
PID:2440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CigUAMIE.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
64⤵
PID:2460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
- Modifies registry key
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juYgswMM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
62⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIIwgogg.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
60⤵
PID:2544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:1528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
- Modifies registry key
PID:2528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqgQQkos.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
58⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:3540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:3692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqYQIoIA.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
56⤵
PID:3308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaQEkYYI.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
54⤵
PID:4824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwskwMQI.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
52⤵
PID:1376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWsUwwog.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
50⤵
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
- Modifies registry key
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCIAMsEM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
48⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
- Modifies registry key
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgcMUgkU.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
46⤵
PID:3112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
- Modifies registry key
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkQEQQAE.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
44⤵
PID:1728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:3636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
- Modifies registry key
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joQYowUw.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
42⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:3236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
- Modifies registry key
PID:1584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSIcgkwM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
40⤵
PID:5100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
- Modifies registry key
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgswkkcg.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
38⤵
PID:4032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
- Modifies registry key
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goQQAwkg.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
36⤵
PID:3688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
- Modifies registry key
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSAIwQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
34⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soEwkoQk.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
32⤵
PID:4136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suwQQsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
30⤵
PID:512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryMsMMAY.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
28⤵
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:3540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:2232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diIsssMk.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
26⤵
PID:3140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
- Modifies registry key
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hokMEIgU.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
24⤵
PID:1316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suAUQMIY.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
22⤵
PID:3092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCQYAUsM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
20⤵
PID:2220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
- Modifies registry key
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoUcYgos.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
18⤵
PID:1164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGQMcowU.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
16⤵
PID:4220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQcYcEkA.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
14⤵
PID:1356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
- Modifies registry key
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIEMwMsY.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
12⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
- Modifies registry key
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYsYgQos.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
10⤵
PID:452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGcEIUAI.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
8⤵
PID:1164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
- Modifies registry key
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\legQYMsw.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
6⤵
PID:716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:4012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
- Modifies registry key
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKwQIQkI.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoAIkUIM.bat" "C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1964

C:\ProgramData\nqcEUAgc\MOsUcMQY.exe
C:\ProgramData\nqcEUAgc\MOsUcMQY.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
1.6MB

MD5
29449ef89f3d6f82d40a13411d855f20

SHA1
3adb78cce65da03a640a914d3631471401fe3670

SHA256
435a96615c7424bdb62a9da22d8288c3a4bc94009c75cd3a7b23e8493faec8e0

SHA512
b60fce01d6351f738384e5694c8dbdc776da1c669eb4f7e0ba1a5bbc820f65cd8ebedf95319512a5f4f82e347c7043503f8f382640c533e819e8c5c3642c4b13

Download Submit
C:\ProgramData\fAoA.txt

Filesize
8KB

MD5
ccc17b64839af925f62b85721d3388e1

SHA1
64dad4a3e212e186f4fb96f182d427f6f1c93a0e

SHA256
c56d839221d79822462865490e9d186577c218389049400db8fee8de12256848

SHA512
be1cf90734f7f0b2dd5a6ffd7f4b1ccca671c85b83bcd6d2eeac4ee40ee34c6c6fc4110131a98548d3fe15a121bfa10bfbd8d81419a446ea044008df63c468ad

Download Submit
C:\ProgramData\gOskoMUE\qgUsMgEQ.exe

Filesize
1.6MB

MD5
8bf2b2c7200ee9bf321db38368c10763

SHA1
ea4a042696c27a1c9d94ebffb74fb04637a1790f

SHA256
2d391ccbfba33c3b172f87e11e570eddcb2cc4c6baa19485179fe0179d11014f

SHA512
a7c592cc1a7e28e0442cb11e6de424628f5d9dd39e4734b107f1f6e604a35c34abe800da7918e512d51d9f2ff89b6b7f433ded644b4c53bb5d151abefbfd4c13

Download Submit
C:\ProgramData\gOskoMUE\qgUsMgEQ.inf

Filesize
4B

MD5
78da7f5f4aa67521331e9db8091df0ff

SHA1
0f0728cdf1bf63b3fcc19c122532fc2459827660

SHA256
837ccc1870b2dd43539b3d8a29300a61f6f5effcd0aaafae6d9a694bc2b6dfc3

SHA512
f50f3e4e638893b44cd6526d69650c5396f5210ff13b97ae6d0be094522a1678ce0aed51e4945db6fa71579df19bd601964c6e6ff2868171542c81ec4a9f0292

Download Submit
C:\ProgramData\nqcEUAgc\MOsUcMQY.exe

Filesize
1.6MB

MD5
c03009af1500bc1b5756c595afe37294

SHA1
0c31e40667faadf7b097a14b34db95019b428824

SHA256
1a78f6c823a80e2acbac2a53c91ec906e908c41af3313eae942cb54ead78396a

SHA512
7bac91286b4147912d15e6fbd871e1eabe423a4db142beecff41fca28eab2403808ca54b750486d7cd126b7df6f1eb68afd98baae42167e4e60b926d7bef5863

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
1.6MB

MD5
81410cf6a204f11fb111fceb975f887a

SHA1
a7a067c6b840514601a05c1bbc3e03adcd65d40b

SHA256
ddc411fe43758fd392cd3af12d8565bc4ccf81162c8a9551f1adca8796943d2e

SHA512
a5c8c0eecfbadb93c5698a09267bdc85a1f4995d4681eb3ccb66d3b75df560907fe74f251317ff7689fd801e90e7c049670b9ff835e7123278f0babbe82c19c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
1.6MB

MD5
6cc11021a992e10be6deccd69ea4edf1

SHA1
86346116c595b6c4f17de3b0ebda1ed2d93ea953

SHA256
8d521297a204b08e1a7d56ae02e479a89f4bd8b8caed6ad1899419a50588cdab

SHA512
cb97073226f94c80bb7c4812d0bbc27d5c5eee576e4c46a471dc3849ef92439dac306c05ca0edb63c7cf0ef652bfc70351842833226802c12fd37089d7724487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
1.6MB

MD5
6b4a9cec2521160026c9b071a492d577

SHA1
5e8130489a94a986dac890612a87a25a4051d77d

SHA256
353d1b1293ca3b1f491bcbbfbf2d190e790273fd656a0d7d2c0d961803ea33a6

SHA512
8cbffad9a0e8cc51375c2a3175c2f1848c2d3ec540fac00fcf72be204687feeeeeac81196b8330665e3d4dece93044553b01e7003edffab0f61d9588f9610e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
1.6MB

MD5
98085ab3b2195ba7dc5b93d757e21949

SHA1
690c9788d21ce967ee46ba9ccce743c91da6e999

SHA256
8292ea97ec7dd7e2a7eef2bb3767037e6c2dffe75310b81c9aa88df09ccb55fd

SHA512
6edf8837d65c08dfb555c937fd4dcf8d374e4f1f40a5567a74c29eb906c27432e30ed3718aad0819ff2fca0ecb4812d0a411a849a20e1c2712722656e1d88f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
1.6MB

MD5
4b622aa0c4bc734a94f3be061b72c77d

SHA1
088e4ad8a500fdd87a2ec4d8d1a9712d80b8c542

SHA256
1f2ece4c1138141583afcdd93d90e376005f9d12fdf9d58a0d0ed2aa09ed44bc

SHA512
427dcb9d737459407c6705b39712d64edfb11d6d14da1e5319e6798142db805285eea046e042697647201af05fbb45fbe8c0bc59c8c3689eb7d92e2cab293382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

Filesize
1.6MB

MD5
101535c7b8713b03c64ad59b8ce1ebac

SHA1
c9e8ea3cdcf97e715473a745e8fbdae81fd70523

SHA256
e3fea864299d263f1c0bab16fffe954e796d2d2736119c5cb6f10304b9816ee7

SHA512
89355fd246d6d40b19a679173a2e71272f2b779aef1821bd11f742ba905b5175c19cec2e552549016f03023259964dc5c297ba9604c43bc87d3bd0c563f42a42

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

Filesize
1.6MB

MD5
f341e0b137d75546db1899844fad90dc

SHA1
5023c9e5b4ba02895854c4df9913a0fe2e5bf640

SHA256
bc87a41e62af10dbee390451740ec62b4acbd6928ec6f44bae29d5db7478b974

SHA512
8280dedd6d4d4cea6d0dc89c38f1290b1cdda7f5f28d35e3138b0c97a281ff9eb3c944a516892135d6e4c73b5689a5a09f69da8fe1d8ffc088a40a3629f7f8e5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
1.6MB

MD5
4f0510d518752132251f7e1bd2f11359

SHA1
d63a2bd3f0f962afc6ec5ea2de4a7c96d0937f51

SHA256
751620b543f93b4e9c87c2af3bb68485d88d198da4af8ff90dd3153bb44912ec

SHA512
62547acdd057916ddfcaabf1ad66a731f77059f47d5ead6d24b9d6b45f89bc6fb4eb9c6d42f4e636c2aedfaa4d1acb70dd55cbcb13e58d281e6dbac658b4b52f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
1.6MB

MD5
2609faf3b5239eb86c4feabfa7d71ae2

SHA1
13c627d119fcc8d9371928f5cbf9a420a2030186

SHA256
da1d1dc46609f71718c492910bbe9dda24ae952bc63790c127c25f1253344349

SHA512
8991ad50619ad2762ae6966aae46fc4ba82f83317f7e32bd097038db2ead3aa261acde531f3722170a3abd8ffc8fa94d9e1b368a0e169eca48b2cad8cfcac420

Download Submit
C:\Users\Admin\AppData\Local\Temp\02539c580448cf8078ca317f500e2fee_JaffaCakes118

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQUc.exe

Filesize
1.6MB

MD5
10d4267ad1548d2a2fe6de36ab1bcca1

SHA1
9e0a75c8f7642fe5dc91543f76e7ca3785ffc545

SHA256
e31ea552c7bb0d1a8778e9e3ef44ebe11f98611af7ef09db17d27fe1a5134220

SHA512
d7cc30f48b0084781f2164258d12be21b10d6c99e56980fc13ad70bb46dfd303635a54611f2f27fbdddc7e40be711b61819b74855e43530b1df925f99fb1b60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUUY.exe

Filesize
2.2MB

MD5
7027f590f26569252514492f9acea1d3

SHA1
3c42a160fc3e246b69c6550056488a1b0b78a38c

SHA256
2a1d9ac726c2a618d9e359fc51d4382cd721fd96a7d896bf84596fc835cb5495

SHA512
e615049103ea0363b810b52820e6debc52bd547420f1e014c8589085c9f9f46b3d0ed69a6eefc59d2711541f88de468be26084079a3755ff571fcefc50bd3741

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoQg.exe

Filesize
1.6MB

MD5
a49703145e1fdb2c463ac661b7f6ac79

SHA1
4922b93a10a20ab6f0066ebd3464baf31688cdbf

SHA256
e3327c23a874a1162a41199b2866178e83a306d0a2dfb4184cb73578ab613c59

SHA512
8d82acef3cd94fa1f204ca69eb9c6eda70b66d7986c47fc893b64870689197dcd3b1fd35733a53003283c8f5526c3f93242c63cd0319b49ef8eac6897707e93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQAg.exe

Filesize
1.6MB

MD5
a074a845466f30427cd0f6dc41d7d89b

SHA1
64b6d45f9f468b39256cd5d79323d62fe9a80724

SHA256
12c17f7805ea6a6f8c7ae13a8baf4c7026492f311822333ad18eb1452a28fc9f

SHA512
46f4b3adbb85a3f7fb8b2123494e16a4ca39cf658733099de9ec94fee1a49d04411bd3de5c0bf4dc323b9966fcd8ec50a8c826646cefc2f8f5b30c8e24693676

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgIY.exe

Filesize
1.6MB

MD5
4b3f278c82d2966d85e2b6a00d1a89bb

SHA1
c5f04f35d9409993eb8f8e04658dddc1d2042825

SHA256
4df94a996a27312bd9be86f7e2d514a3077cd5945c6e0e239cd2ee89eef07154

SHA512
2d0ab2e4369cd2243baf656000fd5d557d3ddc8138d9dadcce6f15fbe1deb9873cfe23cde8d103ea1655d6487851b1445bf5f15bd5340cd3efc9a6db6de6ac9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cosq.exe

Filesize
2.2MB

MD5
b0a668e7374ec34e29502a996fedf61f

SHA1
0ce8f110043745af078288d93c2a3c4a8dccb9fb

SHA256
7ec21490d70ac270f56aa8c7dee74f961b44f06f505806645f60b2c035c41fff

SHA512
1834074364a876d413768795c77528f0e00e3645fa29a92fbb52cec38a4166c2f889b619a54476e42d97a6ed2dfc092148d111150bb9245102a4670508cba288

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcYS.exe

Filesize
1.6MB

MD5
64bc972794d6c933c177babab9bd5547

SHA1
7fb52be292f0f6ad4a5bddcaa5cfb560ec0f7379

SHA256
76c3c9d52c42f91114694794ead0bef82c19ca6b0b0641c0b2ce225b10b3b33c

SHA512
35eafb04122094a91f8eff269e3c5cd03e1c66665ed6e4020e4ff4752350965358d5d3a0c374cbcf7c2077c2e2eb41e209a49ddd76a7a545e2715c4c4706c78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgMC.exe

Filesize
1.6MB

MD5
fa5d2a192ee51f9db8b2366abb30f8eb

SHA1
955bb757035f6ab9b655ef823f11af78735f528c

SHA256
cb82ab6f7543b865a1a411693ad9ccc5262dbfdc907cc1f5d062ddac9ea20bf7

SHA512
1392908df17de25efb302827eb62987725ac46c1ce9fd1b27433624d5dad88fcc4488aa8683e26cd1d6a5c4134e61ff5b24541e5bed8d397c513d94d50043733

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoEw.exe

Filesize
1.6MB

MD5
e59247e34096a868e67d25b6b6a7294c

SHA1
5cb5cb503e8232dc31b6be75b2c33f10a8bd2b61

SHA256
33f69cf864227b85d9255f3458556ea68365071968b5c8b5ff5409238cf146b4

SHA512
a3ca23ef40acfe00acd6744b80e3acf52e92b9f41b8a999525135c044c47c4f5956d924418dadd70468336f320fbd211606585f73bb6e2ae24466343083cc411

Download Submit
C:\Users\Admin\AppData\Local\Temp\Esce.exe

Filesize
1.6MB

MD5
876cf7469d70f8ce56aa499a4e2d43b6

SHA1
19d2d08cdae124b8559cee10e81b2bf2bde7c15b

SHA256
3208347983f2e811aceb8d6c075500c1e422cee79bf426634f8521998de3fc95

SHA512
e7e92ef00694894b6fdd93de305a6fb805d6b34b5171ec9606a2c8903a975242412ff7787eac1531e88a6ad1cc8474f5384e1aed0377da930b4d6d09db64ebfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUEg.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsQy.exe

Filesize
1.6MB

MD5
6bbb8ffab65e4866731de3072faa5577

SHA1
2c9c4f7b7d9685ecb34baaab7bb7ce2bb2f4e122

SHA256
06b2e1c0d92380c73b4e644619fcdaa08188bd79adce27650a5fb5d4c32f1865

SHA512
02e0d2135c4ce3d6cb7db523dcbe737da0d048185d750ae5648de645a77cbe5122147a62b3db21918ae92b6698321368a0a3d8508f9134e3f8b7153a8ee9a060

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwoM.exe

Filesize
2.1MB

MD5
2293defa71a5fb92ae21722436832b1d

SHA1
b7f901825ff4fb2bdbccc4124928717cdfd86ef3

SHA256
d5c82e41168165bdc1f3a04cbf45ea7b639d1ff8e6fc6fceb33d79beab0485a1

SHA512
5ce48abb9366e26886cc119f471c1c578b17b0dbdbf8ebb489d3d2c326a257bb79fc26516060e27bfc1a03ae69c30a2bef06c23fc6ba2e19e26752327505f6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUMw.exe

Filesize
1.6MB

MD5
e14fb28d9786aa8255ffe012bd980da0

SHA1
bae459b094de56e564f606e13bf41bb86d55fba1

SHA256
6dcd84f3d7959482ad4757f74beb7be8b2c9186348baea980ede7244d45ca82a

SHA512
e7c06d4b5aa113c635d3ecd9518593de04ae76aa980880a8dd2ff75effde9ea626f31f9db2f8a7c7553605f83564eaf788793d644e8358dc8bd169995697cda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcoC.exe

Filesize
1.6MB

MD5
d4fb760893eda0fd6e4d3cf1ae574e91

SHA1
ac5cecb4ad33e8bd6ade091d5f2e41b04525cf30

SHA256
ee312bfbb9c5997ce926447388b15c53f4a9f5f10d943708594fc380708efbf5

SHA512
aff2fbda6869d3cd8532289a08f96ae966b69c13b9a8d22fbfddf20090a2b67c402dbb8c74745a217787400c407b1501bac13ea8acc328685ddfcc727eb030fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYQ.exe

Filesize
1.6MB

MD5
eb7caca86ce7fd753cee049bb2279a9a

SHA1
534ff22df1ec0dd8101af816f3b2ba6685686329

SHA256
15bb62c83e97aa9975863e744f3cb996c0d4fa8cba7abf7a8b41aca555705401

SHA512
697abeb2090b7ffea110b1114b9780377680a92d88ef56d4715f269ca35875838324b680527e11e0e5741defd2cff67571fae4677417d4c154c1ea9dc411f927

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwgk.exe

Filesize
2.0MB

MD5
6e1f55208492c2dea911d26305df2b36

SHA1
de4f98ca984278d17160dbbb4e9052610bb77162

SHA256
ff1a02b1f1bbe78f59952e1fb2f547797ac76c97f0c6cde8ef89a824520958b0

SHA512
e26919d76ead7bda98a4c7c5aa087c563d49768fa8b70ba910534bf421d6e4aad07d4caa61a9d5284231e8f30460a57060079294f3bba31dccfe987874dd956d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAsS.exe

Filesize
1.7MB

MD5
a1132c766a8d7395d4fb3576da1dab1f

SHA1
2128fc696bdf8872190d628ac9a2197fe67d6802

SHA256
9e4ab4d23455a977c1139e1505f68d411ebc2aee7223037eef1e896b42640aa8

SHA512
2974e06654b68769a5464ccece3da6c90fa9677b3fa636671fe9cde29f5681ddcf3c378597f2bb1b9aab5948842789b7ac86b58a04f62a3fb02d11e093f40cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMkY.exe

Filesize
1.6MB

MD5
2aa486f558617d061c9ab58fa48e2dba

SHA1
2d5ebeeb94b5a25409b9e57ff78622bcd09ae425

SHA256
f1290ee48640bbf1492d42664111ac95d38d797ce742f1f978e471e7032bc803

SHA512
4acf6014a8ac47a8210155aa91a7e7b3989f59e0bf2141730121e649bf3ec001ec78d13a324d436adc34e78dbdc9a5c2c10c24ad79ff796b2a9ad00e6fdacaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYAC.exe

Filesize
1.6MB

MD5
dea4e843cd6b8e832c6b1ff2e92932d4

SHA1
74c97f92b77f4e3ff246fdfa1ce71bcf8a8fcdc4

SHA256
394f9933fba1ca11ff97f79a12bd9bd5a25c2b3df6e3d9963e1890e814cc12e7

SHA512
54be8b19ba72f3f9a865229bd1b2f1ff7275421cc4105179d24a4dc70550b7884e7f37cbeb027cf9e71d780c2f05d9d802b95dfa35d17a318f2becd2a43b8e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcQI.exe

Filesize
2.2MB

MD5
1f78a24d25f9a4f8bbc30fff9c3f0984

SHA1
b74ea071f23e69cc7c49ddcf3e2dcef9b675a443

SHA256
8e6b61e2abf3cbb05a6e47772e0743ad42517e061c12abdb3d494c8f11f6f7b2

SHA512
3d590e695ee05d8cf1e0b84b0970e7c1d222e4b256bd7183df3e584613a13563b827c30a9004df15e02c23d5ec0d64b23964dc6ff9fb2e85754b8c5967e78f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwMs.exe

Filesize
1.6MB

MD5
5bcea4c5a3986444ac3fc4b271d31a3c

SHA1
b2d008c4dd0fe0e0b9e203d2bb19d59d7884e606

SHA256
bff9708e11d9f4082eddcb180b1ce9015784a0478bfc4847227cc9eec3cedb69

SHA512
71a83893904ace7b38890597e6ad116c1d8aadbc91b46625e6e7b07720ad5beb691b13dff2a8a7c037b17fc2bc40b527301d020ea174332c0fa5cbbee39ea185

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYQK.exe

Filesize
1.6MB

MD5
5c80a9438eeea6329979dee73ed37e0d

SHA1
3c3bc14518937e68fda405d97c6f20d59ed467e6

SHA256
22b1583db2a74593cc28256559d304ef05f55d525f60ee05b5c6186bf7be5fbf

SHA512
da28b10211952f97762f35f8473d423c1c9c167ffb349eff3f9645dfcf629eb2837f0aa20d59ae1f83ab13201e37e38a11b75af3c72e754e69175abaa5a25eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQgO.exe

Filesize
1.9MB

MD5
6ef6743e22f5a1f5bb3c7bf64cd8a072

SHA1
e820be6f1d7035125199ff415b62698d8dbd9e85

SHA256
c065acf9950f1c0dfda311f250093ec7eced65e4471d2666120a5f8b77e86b18

SHA512
eeb5834e661ef36a6d66a57541b938daa642df79712b711f6d11aebc93f8002a64513a8818c02823f1773253d5053dbd8f40982eb27c3b26b4b033f98f906232

Download Submit
C:\Users\Admin\AppData\Local\Temp\QiAk.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUAu.exe

Filesize
2.1MB

MD5
8428f47370ea227f0a1e47eaa42677a3

SHA1
ff28e8b2fb46ac3d1d724a58e635fbe2117756ad

SHA256
aaa83ee1b23e23dd08b6d848de75c69a0a4d05bbf818c88cc82335ede76dff9b

SHA512
48ce6cb5f91d83d8d6c6297c1e0f9b4799d5e9b6298d3d59286796fdfdb0e3775c4a8b8f1ddaca0d2336eb4d3f5b119e7f281285d59718db9ae89c281e2df49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwYU.exe

Filesize
1.6MB

MD5
9be3e6c6711133cb5f72c8d130b84f92

SHA1
3b3f5bf0c67fd8fd3011abbcaf9d8673a968ac78

SHA256
8768fff6fc92fddbb2df0e07739db0b7c2d02f8d3bce9631860d84d0ce4a75f3

SHA512
2a3d50f6e2f9d051010d73c192e4d1260a302176f13925a2c5ef7fdcc2306e9bb96b6149aa0dfb2b72185962a6286ecf620ec681e108c86200caa9a75bbe71a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgQI.exe

Filesize
1.6MB

MD5
c394a2620213bc075502029d6cbf152a

SHA1
5f8effd7148d69264a46bc77c9c67464330c0a31

SHA256
fd248f5059c04fbf652fbf516bc54523344dc87c85dca70c88d33575f1b04775

SHA512
b45faf7416f7c3f507c1f83994421e3a298b60686c4875a79bf360fa20cab1323a50c8b34c03b6a9344f2ba209ef63b5b55e2ed3e9546945548150ebd3d61d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkQY.exe

Filesize
1.6MB

MD5
a4f43e08032e893877fa263347d53bfe

SHA1
cc0668e84eceff93ad3bf1dd77641bee0666e8d0

SHA256
a6b78cb73727d646e5e4455ebbf27908ae381ab12ab215e160dcb933d3e52ead

SHA512
72b7b037b8fc40b8af89b0f98ddbebb7f938aca7739386dc491d688da138e884466fba55a2ef9ec7cb8e2191dea4173896ae16736d45ce475da51877176d3428

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEcO.exe

Filesize
1.6MB

MD5
8b7f3676950d2fb3837722821e2d0906

SHA1
2f35c37bc95385d7fce6c589f49da70129e7fb56

SHA256
627c58d3688cb496343cbeda01894200cd8207fbcc08db72b05341660a49d3fd

SHA512
0401c45985bd3aa2ea74f2f3bcc6db0973012d062f685a1c64edf10a1419d5c0fd3e66c05ba18dd415dc2a618db722544c8076c0b30ea63b9eb4eb9c2c8c39fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUYQ.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wscy.exe

Filesize
2.1MB

MD5
0dc0c12b7624e82ab9a1e23565c0cb8e

SHA1
c5d9fae26777b8c96dbe1db124079e813c182bc6

SHA256
ad0f00279d5590beb877ed0ce313cbd7bf8e42b1ec52b4af88df2f4ffea6988e

SHA512
c61ffe85b3a1e51ee5be0c0d906fb125f554a87ca314f4c3c5814af721f5832ee448b71de0117c4feeb9e69dee8e62a57cbe550a86eb95a877b0a0961c6dab60

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQIy.exe

Filesize
1.6MB

MD5
36c7f076c0b15c960ed3c49230aef8f4

SHA1
cf80981dd2c344508f6ce696bc13d67779b6d343

SHA256
3078abc1a604a59e86eba0e16d62b49b78bb24a5754219dbc5fa958a45497daf

SHA512
991b1b75660d327fad22ef8b8f480c9a28ef43f52f04494ae80b5ca88e7635ef446d7699445fa74e91534c70fd13fc3e14524eb21f8b8859c93b86bbec95d267

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsYE.exe

Filesize
1.6MB

MD5
4eb397dcfe5387165ff2ac030bd17eb4

SHA1
5749c487a001beff5754f77796b81b4aa6213a29

SHA256
80fa8ecd3e8841411d358dc2a6b1b11348bf2436fd79394de5ea8f98af877c8c

SHA512
5e6f83b99bcbfe0fe565af66acabf6420837a8d588dc04c7e1956fce200d9fbc400955d954ad7d5516a627275b0b6e383212dab41165c26fb2e4b838c36b4c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIgS.exe

Filesize
1.6MB

MD5
f49f80a7cfaaae6630297b2459883b48

SHA1
debba3aae89a5af744cdb30154df19bbe59aa52b

SHA256
8f1ee77d85739ab04825c6fed5db113bd51f4040c20d89a83a04bc38ef0cb6b5

SHA512
b8248f2d46c20bfc836604ae26e6937f7ce720792d3c296fc27b50040cac5a18f39bd811763dc528b3eb7a345abaf34061a923416aeda9ce6314c1a36d26e252

Download Submit
C:\Users\Admin\AppData\Local\Temp\aooS.exe

Filesize
1.7MB

MD5
36424bdf051d20857524eb4515937feb

SHA1
88fe4b13ae0b9d84db1ed3306399badad8b4eced

SHA256
c3732fbb38f35bfed8671feff1ff9b3a990a07ebb7ba13229d2c22f763c3590e

SHA512
35fcaf448a08938c10cd36f665e3d9dfc84f8bf5ba7ae7dd63dc6e5e8c4e646a94929866e14fceb02b657d6f3c9eb3a2a83165fe3359f9d467db5f46bc91fe1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAYk.exe

Filesize
7.3MB

MD5
e9b274f143f509f6db4a05035463e8fd

SHA1
f8f474dd510049825ef0bdff04af2029688fc090

SHA256
f6e4a3b9fd41d527a52e83da50054afceed7fdf0727eb6bf9f5968b8a8dd413b

SHA512
7032be07ffbf193b097e5f8901ce2a79266def4f890d305d85b31db83e29775463c1bf22f92275d07a539eeab81ff8a423c34000d9aaf865e8e0f8b08c5e7408

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIYq.exe

Filesize
2.2MB

MD5
577a1d08436a0355d79ec6e07438e301

SHA1
2ab1068554d53a07043cce7fa4f38c4a64b5dbf3

SHA256
5f60907cf40294093dda661837090466adda8dab18bcf7c4414a96a19c3c2d2a

SHA512
3289e6208dc82857303716ed10b0467b3e9d86f814dc39d664f21585e45fd084d2c9a1c9a7490f94eec0d3c27271d324b84783a60d7301bca26786203cfd2177

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIgw.exe

Filesize
2.2MB

MD5
831f990fb006131eab33e80df348047b

SHA1
85930c97be9c480865dabb333dc52c4ed1334282

SHA256
95f237a3dbfb609a26e23341e74e528b2be9ae87b89ca90145a82fdd0869796e

SHA512
013d9fc35fe8a03ade1c85c09b61e19f9d0d7507b3c411f9f7996cf0562718bf91fa16fae371c608b8b6a04b4ae5014338e37140363c8ee68b93aff112a160d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYkS.exe

Filesize
1.6MB

MD5
3d45d784311587fada1351701fe827d3

SHA1
cb2d8daec657c5a97134de79195a22bf78e27845

SHA256
2ec2293c42d3bbc5f231a938ebca3dd4ee85a5f49c3065ca437f23b543c924ad

SHA512
29e8fb1fda4563c3895054221411a87a8a6ebc40c2bd1e147a48024c93a78db9fde3550db74eaca4e089f542aef216d9a033c6388af7b56a25d168a533ca19fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecwI.exe

Filesize
1.6MB

MD5
6cff89b2f6448d0b612426ef4480cb28

SHA1
8eeb81f74b322cb8dfa05b6d9053007e2eb20b76

SHA256
6e89e19a1a8b2a615d7d9bfa8a02bcf17e900e959b03fe5cd35fc79818781451

SHA512
a57e04e39fe81eb07ec2077d14b329a62fb932b774b968959a42af2e6dd4996113d7b5402d5a22ad1b4a6ac10ea814c43b86b6c3990e28abc2f31d0dde517559

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEYA.exe

Filesize
1.6MB

MD5
b9e62517b4009b273c4199a03262273b

SHA1
b67245ccfb47e7d3bd75562e8d33f55c0235413e

SHA256
1100ee2f6fba8bab2be980d60b584feb234e08b94b663c398ed55f9b633f0a34

SHA512
97763a177595dcd7c9cb363670e30ebb7a34b1dd98553729de220e97b6ce37f2f819e4ef9eb1c51144e44b74ec5bc4cc9ebfb5e48fd48eb6870f0d18f012f230

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMsg.exe

Filesize
1.6MB

MD5
f480ddc4d129878bd40b47d7ae6a0e0d

SHA1
1c567a70666d8d92d2da377a5bab0c8c615de7d2

SHA256
109033264e0f8029bf23c14b7c08da3a7a1d2bf22dac88a5623db72dcbdad778

SHA512
bd71575d59651a074a1e816020278292c4d1d2b7689e67120b16f65b470d12758aa2d6d00dffb6c3b25bbe5b47a9819d4b2364ed6b797bae38897fb0800bbdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEMq.exe

Filesize
1.7MB

MD5
8b9d4a7df299332401c918992b2d96a8

SHA1
e575714b7bb991de241c12d4eadfd245a5685047

SHA256
6824c21d5a7509135a1469c316f36a5b85932888274eda671d94ff7ff7f130da

SHA512
083c5c9e943010b9b9162429d8a510d98a1b5d9821ac9f1b1e31035a37620f647c8f8f987a0974ba52a1858d4093785f7c1f9ee65bfab749763ec858668f56df

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQcA.exe

Filesize
1.6MB

MD5
3f98a7e1f4e4e4774932e142ada6e00c

SHA1
eff25a3f268876f5c383a3821b67e1c891fd096a

SHA256
692b9bfaf2a1dc1c01ffc9ced553a0b39c4e0e751727c32d83f899f5a5af2659

SHA512
3b2bfc0aaaa6afd8ebdd3aa8d5d60d256dc482e089ec71dfb29cb4e5e93e618a970f95effef2feaef5d4228ab90c1aa87b6ad6b19ade7064c9025b64f3c2e655

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikYM.exe

Filesize
2.2MB

MD5
596278df1720ae18353062df5bb11fe7

SHA1
c19fb89e5970c117c01215cd069ecbb6cd1195b8

SHA256
fac02af492493acdefe9b2d1bd5ceb6845669d307e5b1751f28bfafc05985cdf

SHA512
4ea01a7881dbd3b3b215c9666bb65c3c90c7a55d3e3c1a2e350fe1dc1920686f33cba2e70fa433dd4667e662f5202f487135e9133690662fdee239c5e15ea4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikwo.exe

Filesize
1.7MB

MD5
3bbfa14409ded411bd4ec9bea8d00503

SHA1
2a903a788c62c6daf284634b9dd59d458218f0a9

SHA256
5f3f2068cf0c5d95d0982c3e1a099a1241ded04851bd5f7468d82fe5c982ba04

SHA512
43613bee7fea2521e732fee73aa14c8d55874131964c3815b4866654f40810e0d55f860ca7b59cb766c852d478e3a67ee95a5383e8c3950ac1c669b899ca66b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\isIA.exe

Filesize
1.7MB

MD5
1db81aaa7c8efec37b3cab2a3b10c7d9

SHA1
5e8a3b96f3f2beee8cd9a2abb1858cf589ad5f83

SHA256
20d2c64940ce1b7f4cb2417d430632d25fcdb93056aab5ca66666120c19637c2

SHA512
826c0fb5e4623d81f3df693c164da953abd938a5150fadf81cae526fdb63dd9f72e2be086aec84a7e755eea38982c4906a9ebc5a62ad762d2f22cadfa182a9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEwk.exe

Filesize
1.6MB

MD5
140ae43e98cc139f9c2457c3b05a3a37

SHA1
f7220b786359eef36360964acb3b878697800226

SHA256
ae71b9bde8db173debe1bd5e45a9054c62f1fc5dd461ea72a5398f1a746cf29b

SHA512
21fbde70d08558b27657426757aba0b593287c04b143e04c98673e8eb2d65d251ae7d66ffff7503ee3f26c07c96674890f87b0e0e987f21a2b1d1cda43944c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcgA.exe

Filesize
2.1MB

MD5
c696a6bf9ed8868ea21dbbc1fa692f19

SHA1
8b417f632a3a3d141d64ad3b6cc4b85fbd76929c

SHA256
3e9645d22d834ebb4ee061493fe2c6aeb055995aaf0c618a297e4c119da0b9cb

SHA512
ddf137fe702e7215e9d883764717cb5994a0716afe1a0025e92e3fc0b5e0761661e800523213c5effaaf6dec78037f2edb246882622628c9ed19bf01e7f197ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\kogs.exe

Filesize
1.6MB

MD5
a3a1c574338e70321658d055c9cbe346

SHA1
a36b10e44c9189d5cf43141639b6a988afcda72b

SHA256
8bff4b85fb25a8f5d1e2072b9efd28df2c98b0bc3171fdef6d6ee820345e5f43

SHA512
fc8fa321ecaddbd6f46c071b6e6131c6f9c02e9e74992fd6e3562b24eaf51bf15601ebbdf24c3bf5125488d828384cab0bd649c6210fa8b809d924192e39e8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwMO.exe

Filesize
1.7MB

MD5
b78a3443cc6a59bffb36cbea16888b35

SHA1
69d09de8c893770d5ad731904fe8d6ca10d080d8

SHA256
0ef5afbdfd4d05e79a5b945a62914b0e61410f27d27633259c8e3de01b0a8b37

SHA512
b670dac46672af0f3ed7176564a13bd5bcfdbab0c09abdf57fa4742202299f9aa53482224c347984caa8ba55d67d29871665c5232ab86582f357a05999a9fca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwgo.exe

Filesize
1.6MB

MD5
4038ca8dc9ab5f2f656f97abcfed293e

SHA1
c2f41a68283cbafe2c98e8b33194313ecf54b62b

SHA256
96a37a1130b918e2680be02f9424ce7be7ab9b21b03d817998ce58ab8c4a9068

SHA512
44fca517f8bf726793478ed39b046c788961a8dfed7bf63f97aecc06628bcc09034565f5c0739b7355c98bb2d6eea884cb4f199f9c7a59922399294e4a1c694e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEkU.exe

Filesize
1.6MB

MD5
f1714f0a57153eecdef48c02d6039178

SHA1
1e25ffd59d9e244eb558db6c9f619fd9fd760a87

SHA256
d0ae01a900120b9767c09e85d9fa6209a359ffd17820c4042d37ed10d60b68e5

SHA512
9a172a991c87ad518b736bbf00087b2ba98118bc3c57f91bc18e6c8e3baa1028dae8aedfcb9b1ae659af28675b866417fa48e1afccb4393c105985062ae29740

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcwW.exe

Filesize
1.6MB

MD5
68be08a59880dc679a8bc5754e319db6

SHA1
3355fed037064158027119c4bf8f09a7e3ccbddb

SHA256
74c2b50f9424ccde051195cec28159e17eeff29c5d61a0e75b0dc8e8bb34dc4b

SHA512
05c25ea02e1324a253cccd244d35fe2da4ae3e57403fa860329d31a32a396db2ce4459a6a4c1b27c43c0c79e8775805acfa9b19406e0a15bf2776bd4d1580231

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgYY.exe

Filesize
1.6MB

MD5
098f8cd6c97478ff97c8be1fdf15881a

SHA1
805bc82c16db1f050d7e05485aa4dc54b0fe86d8

SHA256
7f689e8da05f0548d30fd339016d4a3d6c0458dffe694e23b364412255efed17

SHA512
8d9b46dc62df1396a502799b2fdbc441002d7447e98a158ca959e83edc091e39c59b54eb0f92824c24547e1d079a59c4d6385b9a83d9ed69ed5b1ab285a9580d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkIG.exe

Filesize
1.6MB

MD5
7dd7e31bf1b0ca79c529f46d1401b15e

SHA1
e11d91067369a3d9204ab74e0d98c07d1535123d

SHA256
54993b665467ebd9eed362b07039e06439e11d32075d36c3411829f7a1330d3c

SHA512
cdb27b368b5759eca3f74a5da7f3a053947065c05b262d0c44333813866d9c38c505d27fc06f1472c04558da308e5f9cba09e54e44e433be5f9c75d482464115

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwEm.exe

Filesize
1.6MB

MD5
a5089ee73d2a30f77d8904042d82563d

SHA1
a445f1f40e5b9b78904ca152f723b4d23dcac2b9

SHA256
c161b20e02b13b90f522966058412809221ae47ff8744426dac168cd9140efb9

SHA512
8c5493817a51c792df2afd672f0a892da1e884d4dd29453ff743052e3fc9a21869a3c8cc259ec81dbb848b0ddeed9674aa3b98bcae8a6d42863273c24dee5a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEkE.exe

Filesize
3.2MB

MD5
b3f2dbd5c7baee6e34379cb8a017112e

SHA1
cec9cb960497a11479269689cf0e6e04146ad8c5

SHA256
84cd8857ce0371230c46a92cf3c575050461d93704a2e25adaf45bf3c7de2421

SHA512
23c0aadd0fb44f2d40adbb0dad9bba4534c60863ab43d23c27054582732872c87a84e08a1e5bfee86637d6bb7bf24cc0b3515969e60ed1b42d0601f11fbb7433

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIgw.exe

Filesize
1.6MB

MD5
c471fd2a9c33cc8c4417989ff1c2ceb1

SHA1
fae163d4cef8986e1d111f99a82e7c5631f24751

SHA256
0f33b9c7572c2fbadba12e3bd2c40209a00f9aad2892fcf9b9e17e36d1a0e526

SHA512
c3a63d58dcd7971d774afbf77427251914a9daf8a2b25100c986dd09d5daba5924702fb684accad06e6a2e2c1c6aef4d90bd6d1314060ad78f953699fbbae0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYsK.exe

Filesize
2.1MB

MD5
bb1a98be76340cc0ca5aa880955a73d4

SHA1
ef7b05c49a6b84e25477b1fc554e1da9a133c54d

SHA256
21f0c29cecdae08d9327ba74801bc6845bf5e60fc1bbd35d5dc6b99a4fe4e42e

SHA512
aebef1da1ef31e38c126077b627122fe49df5a0ab8579d665609af25c0bbb03f3bca3796f2ccc4c88567bc59a3b2ff2319945dc2c3ae1c342eab4c3179d0da01

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkQq.exe

Filesize
1.6MB

MD5
515baf06df37a1b4d8c64de38a5e27d3

SHA1
f90ab76126c692c40cb94ce50419af82ef4b2bf7

SHA256
bb89615a3ec17e53bf06305c0cdc8cffa39f468bef56c313a0f030f845c8e29a

SHA512
94da2d94efab25769e52b3a32207f04a70e3c9813f766f6d50c2428c30dc1dfe00a0ab3849292d7086441356e5d356bff2af7c23b6a3585c740cfbb2c56a7b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkwc.exe

Filesize
1.6MB

MD5
2acb2857c7d3da8a068e443600d98893

SHA1
fbb7614c6656426f0ccea2c52172b9a8207c6c90

SHA256
e38e484e9d5c900d5610c4aa3728f3084b1799bac7a18e4407801cfde56b3ef4

SHA512
5aec49963229698eea03f1cd3a7edcdd69ef9df59e2f60b45fe9146be604ebfecdba7e7c0a0821bf0b025ee0b7db2e2aeba8925924642a52dba9d1d28f5147b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUge.exe

Filesize
1.6MB

MD5
810661d2a4d5224304710b0f3d334a35

SHA1
4c74cac49fcadcdfac7b413d1e8d1ba05a73bb3c

SHA256
dd91bee1a3840cb0331a1fd6d7df7b7ce1453bf3fb4b877e46b4f0924f9239b5

SHA512
5df59212b9cfc37fe02db6da6b660c8931c17b6fcab36bc64c0950727f6f0e8cdc602805c98487893a8a8a15be6f24af39234b2d3df17e42648737e4f53a9870

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUwI.exe

Filesize
1.6MB

MD5
2f95ccf6c7564eef5fb341425672380d

SHA1
195ef58c8e1c3970b7c1393b52637b1b7e11ab9f

SHA256
b82ff4921b060676e71d20de793efbf7ae8b32a164a895fac157650fd4198ae4

SHA512
7fc9165b13de68fca32cd5f5bb9f2c18ddc9a0908a1d37834d6c13a648f701f84f9e07ccd9a7cacf93fe70d228a7b3f1ab39d8183521f86e527155f94f20a3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\scsw.exe

Filesize
2.2MB

MD5
a0c02d6b0376910b02af8cc513f5c42e

SHA1
1fea6bd4f822eea3932706feaaf986a2ddebd312

SHA256
436505ec862be7c24cff3e3468394b662e540b60b5a402c1e09c1293612761bf

SHA512
34f7b00119805eccea1634c2d57b089c8a018a71eb1018970d58372c1ad271df1532b52347e3aac915d9c7f0113116f3b84a6ec2d91e2304b4e8a669f9f828ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\soYa.exe

Filesize
1.6MB

MD5
1a6635a1af926d652d5efe7a257483ab

SHA1
34c1b24c30a1fb1c99acca3a41e245b55f25bfec

SHA256
ed2535eb4c346b40e7a4ea4269c1552b61158f34441b21034bb3ef4132d16b80

SHA512
5f35f41f7e76b562dde55916c73544288ae804c272694420af2c3f3aa38ddbe9ad000798041d8300e766c430e8508ba4ba6c71338cbb28644663817b0efc8999

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEgq.exe

Filesize
1.6MB

MD5
9966015a956f192bb2249f432c40d847

SHA1
bedb96ad812474377739dc8ad5e414fcebc448e0

SHA256
5ba6769db735c8d718a3c4d6d9f42a506518b3676935d7f091c28881d9aaedbc

SHA512
fc3527e254db574eb4d158d4ea3ad5b45225a0c6ba33ebd3c37e9dd47c0bb6222d53821f18bd6c4fe4f86b67c98acbf36ab57264269cb41fe2eaa98f02950603

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQQo.exe

Filesize
1.6MB

MD5
2c65efbbeb2b26365e0751ffa097ef2d

SHA1
35820bf0b1c1fb5c37067877f9e5b0e05ef8116a

SHA256
057c2779308ee7032ca4c3e071ed21b09da4d9436cffa5fd1395014582a5837a

SHA512
1a47ead1908230b099a6b2bb265d5f5293079bc871067fb4e21f0c753dfa0421405d82dceecc7d16f48f0437d5644d041d6be78d37fad33b710eae76ef217841

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUYy.exe

Filesize
1.6MB

MD5
40295f2350227e174f1ddc99ac831afc

SHA1
2dd85dd6253287d854d41008c3164b4ff9d2e5a1

SHA256
d2afdc7c6c3848c3c23d54dfdbc13e4e4b484f1494fcd14bebea44204d2b20fa

SHA512
28dacdbfccd8f564475af92c0ced0a9bbaa565c6cf83e67ddd9708ae189a53811d9f683ec8604ef96215016c396ca8b6ae177e7b3e9e95dea33b5749d3cb0691

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUkO.exe

Filesize
1.6MB

MD5
80ab1cbf9f386b7d3a428c4b5156cbdd

SHA1
9237d9224ee85c67fbb940d0dbfac1570a0dd14b

SHA256
aec49929cd29afa30483db7cd1b11dd9f5020ba7471e546b7829f06c64f808cd

SHA512
a398dc00684840688b417a8814f5a0970e3dc10d2881f6ee8736588a941e0548ba1fd765ea8fafac3c8ffd736e4e7b577f4ebddc20761eb4dd47e6a9040cacaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugsS.exe

Filesize
1.6MB

MD5
e5d597188788a944f322d57082614c23

SHA1
bdbae61b4f70c0a196ae5945ee07a44ea3a78c00

SHA256
f26f53feb0f0b3c94ed4e0f8270854819ed9769d59977184696ba450c212ca28

SHA512
0c71a406c8d6f164d138fe60d8e5fc6c2a3cd9b01ff4faf1570cf878dbef822c597dc68beed2389e3ea420e3c2ce5c32877f98ba0e975d59bca5c9ff605b1c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\usUk.exe

Filesize
1.7MB

MD5
87ba397624e2e6748e5ae97dd909b417

SHA1
9f1fe3fb1fa7bd636daee7bed81f8e1952057658

SHA256
76a96af0ef6995609e1223cd463eaa5e84081fb78dec961fd69f58ccb7257dd0

SHA512
16cea867cdf19c68ef66e4c136e8d0350ed30264fd7712373c96a3a662ab69f4aeee8052b885e220754eeae7d554c8ebc8614fdc9c07af7b65b275d8ecef7f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwMw.exe

Filesize
3.3MB

MD5
e38b3bc67f94f2636b949c16e28405e0

SHA1
63e218cbe649d270da376912cf699ab3375524ac

SHA256
e412d68b4646adef3bbd81f1ba74761fb45cfb2924d8acc4769cb3e2f1ebe636

SHA512
bb87a3da7139c6beb3e21e3acadc293471890144e954709f97cffa10a50e0edfcbbd2f73cb08d0a77db1da91f2ca813532e70b058300c7cfd3b43cf3140acfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\woUi.exe

Filesize
1.6MB

MD5
0ab0ae639bc1f38f1ce88289ac346b78

SHA1
69757131a90aff9df36013dbad63b9c0eb7d4b2b

SHA256
ebfa3cb6c04f81edbdac686741c4a423ca55af6b1549f6446f3ce2acfe94aaa0

SHA512
32123f2d9e2ecab9ec64b988be1ad10d1edd96ef26fc5910ef423273d0f813895c77fc004c17c34daa4b725947cf023cec32866d5ad35dee3ba84ccba3bfe096

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUwy.exe

Filesize
1.6MB

MD5
f6353c170f053f7f816d175b5d594b34

SHA1
d379088cfa52b75c5f939f258f7e37d49b9269ff

SHA256
72e2e4c0c6b2a00b2e21423b93bf6149e6a427028dc9aec1c80913b2c5ce0d3e

SHA512
2879f5228f8bac717cf32b060c8ff4310dc2021708e3bfec75588f2ca808487d4859bcab4cd5465f6704998e93a332696f1c27c043dc68ed0e4ae5b22fc8264b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoAIkUIM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\VQksYAcw\yyIAEUEM.exe

Filesize
1.6MB

MD5
b0a24598f846e2226a2d794a18a1c53c

SHA1
d7ac2c8b7f5f3dc2d08f0619fff304529b062b76

SHA256
34df63e65606dbd5feaa140f49f07b8b5a8307101ccf4d061cf86b5117f5ff42

SHA512
51555b7818c568c0617c3d899e7a347f04c3da7c79ac42feac334d0244b46d0ef5a9ff1a89081553aec4b7c5b0d6992b23b2dd934498afe34427ede379796621

Download Submit
memory/180-304-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/180-275-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/540-236-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/540-222-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/988-849-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/988-953-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1020-85-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1020-101-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1184-248-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1420-1848-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1420-18-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1564-614-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1564-543-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1592-28-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1592-0-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1592-29-0x0000000000AE0000-0x0000000000B00000-memory.dmp

Filesize
128KB

Download
memory/1592-1-0x0000000000AE0000-0x0000000000B00000-memory.dmp

Filesize
128KB

Download
memory/1660-121-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1660-138-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1848-260-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1848-244-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2356-108-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2356-125-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2436-885-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2436-795-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2660-188-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2660-172-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2796-150-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2800-41-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2800-24-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2852-89-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2852-73-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2956-211-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3036-395-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3108-279-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3136-1085-0x00000000006F0000-0x0000000000710000-memory.dmp

Filesize
128KB

Download
memory/3136-284-0x00000000006F0000-0x0000000000710000-memory.dmp

Filesize
128KB

Download
memory/3136-12-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/3136-1832-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/3436-207-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3436-223-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3652-645-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3652-715-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3960-1153-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3960-1068-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4012-112-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4012-97-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4036-548-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4036-459-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4064-52-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4064-37-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4156-799-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4156-750-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4256-77-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4296-1036-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4296-938-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4412-390-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4412-474-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4644-199-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4712-270-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4712-256-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4716-13-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4716-1843-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4868-146-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4868-162-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4920-176-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4920-158-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/4936-63-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download