c949b846121b17c66e65b196e24872ba117861dfe41a491e3ee361d26092eec0

Analysis

max time kernel
150s
max time network
63s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
Size

211KB
MD5

a21f61fc9870af66d5cbeb8578fcb57d
SHA1

09144ec09f6e92a5c918cf2153c72c011d0855e4
SHA256

c949b846121b17c66e65b196e24872ba117861dfe41a491e3ee361d26092eec0
SHA512

964563f97753e8e5568dad77b85258ce2eee57f4820070c009da54e7d983809646beaf39c0161883207cf6f09a9eb28176fcb7c3fb277daee43e5c7b7fbc9472
SSDEEP

3072:bmHPiWYu4h+O+Dg1F7Y0qSZLalC59pb33xjqVbTBtlyAjH:b4TYu6+OzZlaA59p9GVptlyS

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (53) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation	KowgUUEo.exe

Deletes itself 1 IoCs

pid	Process
1960	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2212	KowgUUEo.exe
2936	rocwUEkU.exe

Loads dropped DLL 20 IoCs

pid	Process
3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\KowgUUEo.exe = "C:\\Users\\Admin\\VoYoUgcA\\KowgUUEo.exe"	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rocwUEkU.exe = "C:\\ProgramData\\ieIAUoUM\\rocwUEkU.exe"	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\KowgUUEo.exe = "C:\\Users\\Admin\\VoYoUgcA\\KowgUUEo.exe"	KowgUUEo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rocwUEkU.exe = "C:\\ProgramData\\ieIAUoUM\\rocwUEkU.exe"	rocwUEkU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2900	reg.exe
2012	reg.exe
2868	reg.exe
1824	reg.exe
2760	reg.exe
852	reg.exe
2180	reg.exe
1948	reg.exe
1908	reg.exe
1384	reg.exe
2784	reg.exe
2900	reg.exe
2664	reg.exe
2184	reg.exe
1628	reg.exe
3044	reg.exe
2776	reg.exe
264	reg.exe
1900	reg.exe
2416	reg.exe
584	reg.exe
852	reg.exe
2776	reg.exe
900	reg.exe
1880	reg.exe
2512	reg.exe
2080	reg.exe
2240	reg.exe
976	reg.exe
2712	reg.exe
2008	reg.exe
2408	reg.exe
1180	reg.exe
1104	reg.exe
1532	reg.exe
2100	reg.exe
1104	reg.exe
336	reg.exe
2952	reg.exe
1756	reg.exe
1932	reg.exe
3024	reg.exe
2852	reg.exe
2864	reg.exe
2412	reg.exe
2756	reg.exe
2396	reg.exe
2196	reg.exe
1000	reg.exe
2528	reg.exe
2972	reg.exe
2912	reg.exe
2804	reg.exe
2760	reg.exe
2512	reg.exe
2752	reg.exe
1384	reg.exe
2476	reg.exe
2308	reg.exe
1000	reg.exe
1668	reg.exe
1748	reg.exe
1748	reg.exe
3048	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2232	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2232	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2668	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2668	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
896	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
896	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2236	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2236	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
884	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
884	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
292	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
292	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
3024	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
3024	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2120	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2120	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
908	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
908	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2040	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2040	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2556	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2556	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2904	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2904	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2664	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2664	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
888	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
888	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1604	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1604	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2128	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2128	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1692	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1692	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2276	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2276	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1724	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1724	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2396	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2396	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
296	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
296	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1496	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1496	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2988	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2988	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
3036	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
3036	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
676	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
676	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1156	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1156	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1740	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1740	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1924	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
1924	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2756	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
2756	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
768	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
768	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2212	KowgUUEo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe
2212	KowgUUEo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2212	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	30
PID 3000 wrote to memory of 2212	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	30
PID 3000 wrote to memory of 2212	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	30
PID 3000 wrote to memory of 2212	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	30
PID 3000 wrote to memory of 2936	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2936	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2936	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2936	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2808	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2808	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2808	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2808	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2200	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	34
PID 3000 wrote to memory of 2200	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	34
PID 3000 wrote to memory of 2200	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	34
PID 3000 wrote to memory of 2200	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	34
PID 3000 wrote to memory of 2708	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	35
PID 3000 wrote to memory of 2708	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	35
PID 3000 wrote to memory of 2708	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	35
PID 3000 wrote to memory of 2708	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	35
PID 3000 wrote to memory of 3020	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	36
PID 3000 wrote to memory of 3020	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	36
PID 3000 wrote to memory of 3020	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	36
PID 3000 wrote to memory of 3020	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	36
PID 2808 wrote to memory of 2832	2808	cmd.exe	38
PID 2808 wrote to memory of 2832	2808	cmd.exe	38
PID 2808 wrote to memory of 2832	2808	cmd.exe	38
PID 2808 wrote to memory of 2832	2808	cmd.exe	38
PID 3000 wrote to memory of 2956	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	39
PID 3000 wrote to memory of 2956	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	39
PID 3000 wrote to memory of 2956	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	39
PID 3000 wrote to memory of 2956	3000	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	39
PID 2956 wrote to memory of 2148	2956	cmd.exe	43
PID 2956 wrote to memory of 2148	2956	cmd.exe	43
PID 2956 wrote to memory of 2148	2956	cmd.exe	43
PID 2956 wrote to memory of 2148	2956	cmd.exe	43
PID 2832 wrote to memory of 2204	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	44
PID 2832 wrote to memory of 2204	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	44
PID 2832 wrote to memory of 2204	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	44
PID 2832 wrote to memory of 2204	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	44
PID 2204 wrote to memory of 2232	2204	cmd.exe	46
PID 2204 wrote to memory of 2232	2204	cmd.exe	46
PID 2204 wrote to memory of 2232	2204	cmd.exe	46
PID 2204 wrote to memory of 2232	2204	cmd.exe	46
PID 2832 wrote to memory of 1384	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	47
PID 2832 wrote to memory of 1384	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	47
PID 2832 wrote to memory of 1384	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	47
PID 2832 wrote to memory of 1384	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	47
PID 2832 wrote to memory of 2328	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	48
PID 2832 wrote to memory of 2328	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	48
PID 2832 wrote to memory of 2328	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	48
PID 2832 wrote to memory of 2328	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	48
PID 2832 wrote to memory of 2900	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	50
PID 2832 wrote to memory of 2900	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	50
PID 2832 wrote to memory of 2900	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	50
PID 2832 wrote to memory of 2900	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	50
PID 2832 wrote to memory of 1512	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	51
PID 2832 wrote to memory of 1512	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	51
PID 2832 wrote to memory of 1512	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	51
PID 2832 wrote to memory of 1512	2832	a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe	51
PID 1512 wrote to memory of 2372	1512	cmd.exe	55
PID 1512 wrote to memory of 2372	1512	cmd.exe	55
PID 1512 wrote to memory of 2372	1512	cmd.exe	55
PID 1512 wrote to memory of 2372	1512	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\VoYoUgcA\KowgUUEo.exe
  "C:\Users\Admin\VoYoUgcA\KowgUUEo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2212
- C:\ProgramData\ieIAUoUM\rocwUEkU.exe
  "C:\ProgramData\ieIAUoUM\rocwUEkU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        6⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        8⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        10⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        12⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        14⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        18⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        20⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        22⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        24⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        26⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        28⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        30⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        32⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        34⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        36⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        38⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        40⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        42⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        44⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        46⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        48⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        50⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        52⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        54⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        56⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        58⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        60⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        62⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        64⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        65⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        66⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        67⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        68⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        69⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        70⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        71⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        72⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        73⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        74⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        75⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        76⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        77⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        78⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        79⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        80⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        81⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        82⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        83⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        84⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        85⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        86⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        87⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        88⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        89⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        90⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        94⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        95⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        96⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        97⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        98⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        99⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        101⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        102⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        103⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        104⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        105⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        106⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        107⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        109⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        110⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        111⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        112⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        113⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        114⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        115⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        116⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        117⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        118⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        119⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        120⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        121⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        122⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        123⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        124⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        125⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        126⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        127⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        128⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        129⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        130⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        131⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        133⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        134⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        135⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        136⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        137⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        138⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        139⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        140⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        141⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        143⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        144⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        145⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        147⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        148⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        149⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        150⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        151⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        152⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        153⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        154⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        155⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        156⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        157⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        158⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        159⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        161⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        162⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        163⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        164⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        165⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        167⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        168⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        169⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        170⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        171⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        174⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        175⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        176⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        177⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        178⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        179⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        180⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        181⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        182⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        183⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        184⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        185⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        187⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        188⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        189⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        190⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        191⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        192⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        193⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        194⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        195⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        196⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        197⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        198⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        199⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        200⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        201⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        202⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        203⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        205⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        206⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        209⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        210⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        211⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        212⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        213⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        214⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        215⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        216⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        217⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        218⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        219⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        220⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        222⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        223⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        224⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        225⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        226⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        228⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        229⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        230⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        232⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        233⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        234⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        236⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        237⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        238⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        239⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        240⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        241⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        242⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        243⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        244⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        245⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        246⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        247⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        248⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        249⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118"
        250⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118
        251⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NAowswwI.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        250⤵
        Deletes itself
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\noMckQws.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        248⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        Modifies registry key
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qaQAoQUg.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        246⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOsEwsIc.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        244⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgwEcYEs.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        242⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqkUMYUs.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        240⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pMgIQkEw.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        238⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NMcEYwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        236⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIYUgckw.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        234⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMIskcMM.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        232⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oycggcAY.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        230⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCsIsQAc.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        228⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OecYoAQs.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        226⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOMwMQAk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        224⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uCYcMgIk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        222⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uCooMMEM.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RoIAIkkk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        218⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOkQMMQs.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        216⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYEQMIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        214⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYYUMkYA.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        212⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vIsgkUIc.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        210⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kokAwEoU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        208⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kgUcgkYI.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgAYssEU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        204⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qssAoIkY.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        202⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZisEoYYk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        200⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUEMwsEo.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        198⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwgMUggs.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        196⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSoIkIck.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        194⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pUIQYMQs.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        192⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QScosEAo.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        190⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YoQskEwI.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        188⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kyIwoYgE.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        186⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oWEcQkkc.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        184⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYQcwgEA.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        182⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwkwUoAk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        180⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqksgAgo.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        178⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKkMQIMs.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        176⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CSckQwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        174⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaUUoQkA.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        172⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAgQEEQo.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        170⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEcUgoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        168⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcAQQAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        166⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIEcUwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        164⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tEckUkYY.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        162⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgIAoUQc.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        160⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEoMYYgI.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        158⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkUkIcIw.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        156⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IgsIUgsE.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iyoEcwoo.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        152⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rQsEMAkk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        150⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwUcwUkM.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        148⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZeQMIMMk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        146⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qoswoAIc.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        144⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UyIMIQgs.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        142⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YUUAQoss.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        140⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiYIggMk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fQkYIscw.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        136⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgwAEowo.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        134⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xYkowcws.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        132⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fokIscks.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        130⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OwgcEEIU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        128⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cAwIoUgw.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        126⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yuksksIM.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        124⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWkcgoIU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        122⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lqQUsAUU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        120⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VikwAQQI.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        118⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcgcIoAk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        116⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CwAcIYUw.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IigQgsso.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        112⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sqYUEwEs.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        110⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\emckUIUw.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        108⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCgMssAU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        106⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUUMMgMw.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        104⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rWkgEwoI.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        102⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCUAcQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        100⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EyAQsYQs.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        98⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UWEgMwgE.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        96⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qcEQQswA.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        94⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WuQIoooo.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        92⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rygUgoUg.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        90⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zIkwkkcE.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        88⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RusgYMcM.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        86⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOsQAAUw.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        84⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAwMEMkM.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        82⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgcUAUQY.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        80⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ygggMgQU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        78⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQokAEkc.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        76⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKwUQsQc.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        74⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeIEUYgk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        72⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HiEcYQkk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        70⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zqAgQssA.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        68⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgEkccME.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        66⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAoUYgIM.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        64⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\agIwIAsk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        62⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eUowIkUk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        60⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oUMEUAwU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        58⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XaQcYIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        56⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\doIgYwsE.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        54⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGkIkUYk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        52⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUYggwYo.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        50⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQAwUoAc.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        48⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WaEsEosk.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        46⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAUMYsEo.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cYsUUUAU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        42⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuUYMgIY.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        40⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\juMcQwQE.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        38⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYAwwAgU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        36⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JIwQwYIg.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        34⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aoccUEQs.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        32⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqwMcoQU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        30⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cUkYosAA.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        28⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\askwMMss.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xAIUkUEU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        24⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQQkkEkM.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOkYMUcI.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        20⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWIkcUMA.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        18⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEwgsAEU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        16⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCUgcwAI.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        14⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSgcMoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        12⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SasAgccM.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        10⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGwUUEIU.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        8⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1452
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:832
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:344
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:584
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\husMQgsg.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
        6⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2132
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1384
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\zewEYwMI.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2372
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2708
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAAIMwII.bat" "C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
240KB

MD5
c9c4d416c0021aa5e4a3072c4d3e87de

SHA1
5c0ab512308da1b5b698b763bfe2ac8ffcc067a7

SHA256
845340bb410134e114d60f434015540b7d6dcfa1fb3adfe54dfae2fb8ae222cc

SHA512
983c63232b2bf9a189025bd8caa50c84f53b8ba49223c76d5537bcd2c7527a6fe007829dcf55229fe1d2b479ae92d0493d2a3be2e351ca7d5e17cf74b579d8ee

Download Submit
C:\ProgramData\ieIAUoUM\rocwUEkU.exe

Filesize
192KB

MD5
b5e725e1ce189d8bd3ce580f71ed3440

SHA1
7e1aeccd3a25333a3762d74f3d9209d101aa919d

SHA256
4b5280064c682b851dfa605ae6573fe7697b2b9b62b6a8536fb2baddb81d8e3b

SHA512
f40e441ee5a487c303f5ac1ec054c9a41d1b76fd78816156612de5ef3851ef030c50a9df1474597c0f1891aad23c2bd433fedb29f1ba62cdebfb0d1d2c076f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACwUIgwI.bat

Filesize
4B

MD5
522027b546344105f1d7ff4d7491e1cb

SHA1
105c399fff6d1a84b88df5c56703fa3588e16552

SHA256
6378d166083ef44133fd53680314b213e593bb825bfa733b4b079563fa3ea95c

SHA512
e2f5a23ecaa0f78d5f4d48c779ec0bd48262e61e3aaefb53cecbbd446d1173eb38d2620eba4a91a1ff9bc4a859cf4cf79a436a6b9ffa9143c654c3e9eaf98721

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEcC.exe

Filesize
242KB

MD5
9e0228211cd346d599fbadf90c267b9b

SHA1
0be7f2674340c91dc010aa2a875aa00df9466107

SHA256
a72374be63a90ffc6ca2a2bd83ca6341f3ed7d47f50f1bcec60a062a77806b3c

SHA512
5294d469b841a1bc037471a57fcd40119699bd3b0b79d883a8e8ac01bb2c25a6985c499deb98219714be2a0db2ecedd588039f92e6bd13a9c1e12bd152115e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIom.exe

Filesize
235KB

MD5
80e0a3155f2606acecdb7914c644c5b5

SHA1
8e77bdd433faa2c7ec37a9d4613b4e99da775c91

SHA256
2ac3c660a5b15232950170a059fd0c22f9d510f62c02d075a4fd7c48cb22261c

SHA512
f3e91a18818e9a49a991205d03c062c144a113592b236f416d29e214b2f5fc967e38785d0e58487884ca82280ce645c539da5b53e9e7117e03424581df88b1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQIUQsMc.bat

Filesize
4B

MD5
cb2a05d86aa7ebf7da56e9fee707e9b4

SHA1
5471cabf190a0298728ded73342ee2f4d84faf26

SHA256
f2bacc3542b0278211b2808ab1478e6b1ea433d31f20cfbfc5e030fc2fdad425

SHA512
e16e91b5e10376a343042d1385f536b51f6cc2251f180af6928f5eea2fe9639bb217a0f0bdc28d22e5c3c42d1705935b862c5b277e5139b2aa16fde2d2210a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASYwQIYA.bat

Filesize
4B

MD5
68429ce94155fec70a52009799301fa3

SHA1
45af95ba20b37e974647c9192718a403f3eada4d

SHA256
3511e20ce98683befd9d627766401aff3c5a73852be518dc2ab1434bfb3e97a6

SHA512
0cbba7db2d4c172e4107bab5035729bea965dc432b94053b7db4ef5c11e6f52d4fe8ddf4eb88c2f18168c5af70bff7f21622f8025bee0afa00849505a971d460

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUAK.exe

Filesize
184KB

MD5
5991690c4c27df79bd738247afbc0f5a

SHA1
6c763ceac4730fd43f9b48c2b36d8455b7839b84

SHA256
a4dd2d7c5a3957189b73b7617d884a854f8969884ec4f38f31967403d90e8590

SHA512
c4c8709c83bf990f9e252b055159e51c33adddf760e1b02331a022ba47731aef90599dd02072e49da0bd309cae53a9e571d4bfe5e94a6d02f6f2e8ed03b9d7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYMa.exe

Filesize
184KB

MD5
16a1047b7300e309204bbb4d3eb31803

SHA1
210c427fcc599f3a98396c9aa6501cda7fb90b60

SHA256
5c717bcec781121084b4fd539cd573b40e0e13b4698a91627953cd3c25d0395c

SHA512
baa3baa03c188c727081fa39083f5691d95a675b2b3ecdfb4dfd4286f57eed20e752b51bda2139015d53eb305a5da770cef7119eb53f2f544844fa27d4d0c1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcgW.exe

Filesize
244KB

MD5
22393baf8b8273548031ab743c530d2a

SHA1
2dfef35d6909dcc4f1240c78561b6b144635faba

SHA256
6ad81f2ad1176d4b5b5f4a2a51b0605f4ec4ed8476eeef7966a139fa908cb0af

SHA512
05b5aad7f2f045b62070b4b161b507a2e078066559979a73740ce50e22ca52def0f3df0212b4aede7b7a5c07c61c255d3a34f407d7bd5cc8197b5c35e6cb5199

Download Submit
C:\Users\Admin\AppData\Local\Temp\BccQcIMc.bat

Filesize
4B

MD5
76008772e882d59ce1eedb64e4f39690

SHA1
e0215512de034ca6af4cae361c5f70f8535933d8

SHA256
c13ac0fa34c38e7eb36892cdc9750a7cc4001c7bc5fefccca9394a004bceeafd

SHA512
a30aaf31e6b03a29e672fea8ffb59013f8b48234aa9f3c4fdd91ad64455f520cfb4d8a90fd73ffa4e8345a4550993103068202dfc0a5fcb524eae003cee5650c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqogkQEU.bat

Filesize
4B

MD5
9a95c442627829f8e31509f09320180a

SHA1
bb6eb320e150a3ffe2d585c6bc3c4799ece557b6

SHA256
8a542ec781cad5b0e4af8f37152c87cb89181768dc1329f84ebe865552305ee0

SHA512
a7e5b29c976759612e9c76f6c7854614eb696c64b3d1734d2e7a1b6d52420e62d3819e0f433d293a134c3ca09eb8f418f3f801a45ed5df2cec8cc502c42f1df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIkK.exe

Filesize
246KB

MD5
d2c02a9f259a5e2cee36832698100945

SHA1
cd7dbdcf87d1a0fd245a588636ff1a5be05f5cee

SHA256
8ed49a295c6d561554f8f79ede46332c09471304788030f91cd5cc5ac15013b2

SHA512
b8e2c535b554cdaec30995ea346d3f586b0b43f5aeb6402c89fe300bee48cf07196147b7c848063535db44de451d5b38665d604898ea2e9916e640c6d9e2b89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIwM.exe

Filesize
8.2MB

MD5
fbc220d8434a9f7190717dad249167ca

SHA1
8a31e4e777c9d185a1b77876e96105961455777b

SHA256
8ec33a6093cc4c51be28c9a40a8a09fa5c1c897b207b5adfb025de5dcd34f02a

SHA512
1c22158f022ab7eb3397581c04d75f99fb99e2f7d0c696f9608bfcde234b18f18dd7737bd5f5aa48d886976b8f1281ffe05fda18a955058163b2e22d13f7970c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUsUcYgU.bat

Filesize
4B

MD5
f73406bf25b6ce34bb455576c9f03936

SHA1
d8adb7dfce7a3a3f3ea44104818d2d84d671a023

SHA256
2a87709597b466cb6e3722a0c7d0cdba8dea5eb9464c6b870362a8f71bd7d782

SHA512
f8399cd00e393e2e16aadf3e1668a0c7633938e340ba9b28616d61a24ed4a0dfdd4ed3d37f24bba6075ecb875a42219f4aa6f260715cc26e97415e649084260d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYgk.exe

Filesize
432KB

MD5
6dff508df62c817fd41ae18fa8379bdf

SHA1
a2868e42983bea3eea2fddf087feea1d4d6516e3

SHA256
35e9ee314862774efba57783a482b9f04500310d01f3b644b0f8b0b6e93f6bfe

SHA512
bdd0d24e61d3f834ec476b6a5b010edd4f1c6f2de23d0220408ffe199872e693a455367627695b5a5a840ce1d3492e3857aeb901fe13ab84acca100dae7481be

Download Submit
C:\Users\Admin\AppData\Local\Temp\CccA.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsocIAwI.bat

Filesize
4B

MD5
cecc28a476d78efcf80875df11f0eb05

SHA1
30cd3a724de202bbc8778c08993a396b623debe5

SHA256
3e1dbb1fed62adcdb4663f74149d9c394ee8a43e04416353f606921125123020

SHA512
3aeb79c76d623975a57e805f7436fb051ed43b809378e9959c0411cb0e396138f90de6255c5e8774cac0e157cb993611e44f94bb0a8dc37f0a4665af4e1a96eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cswg.exe

Filesize
633KB

MD5
06dfce5d0f47088115dd907fbabc6ba3

SHA1
f84bd4f90bbf35b869ab8268b5f62e51e9078ba6

SHA256
b7a600e11c016bc2835eb6082672c204b62a582eb9c2ab02ff263e6c16ab630d

SHA512
8fd8a0373b4342d118fc7f7dbdbd31d06b0a0cb0a4a72fe77dfe13dcabf3454fd938b42856beedc15887999aee281bb052c96a3f47a5a9f1e9712322802063fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwAm.exe

Filesize
226KB

MD5
fca79e430fc1485b60bdd44b8d3e57fd

SHA1
f13c4e7585835a1f4a188d05a328d0757a89d131

SHA256
be0243023b55f288b964686c323ea9018897a30ab241c9621d4c8314f2b54cb0

SHA512
8d0a56898e6937cbed6030bde33daec9780a5c30e37f54c0c408dea27e37985d6ba48b9c2b737aae0062dfbcab28d040fc7de0b48d719cd964db1be1020cb242

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAMO.exe

Filesize
248KB

MD5
946a47dbbde82b91f3243b2908afda49

SHA1
227b959d1533d7760a9bfd6632f9397d662906ea

SHA256
1ebb0731caf188014dfd2ed35021183c190a72a11e90e84ac1de66a0becc685e

SHA512
171126cd577cee33820623fa1674c32fe185f52bfe9614661dbdeb6b38b7a7b9ec7aacc7d796aa9c43c8f7881d79887a83c89cd8f4716373afeec145627c550c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAYA.exe

Filesize
830KB

MD5
7d4eac4b50b5c7cf7c667cf010cb786b

SHA1
1a25776ed7f631349ffbad97bb112ebe53ac79e4

SHA256
bd5a14e2806ce82fa97520c0523dea9725a85e019eeef6a21675ff72e2154d30

SHA512
1363b47a198ca44b8d95f5f258527a36940e885cdc0c5946c84f680f14f4267cf290e10776647df76450c64eac2094dd0ed996396f523d5575d62383e8264e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAsU.exe

Filesize
534KB

MD5
7b126674b56090bc4117b16847467080

SHA1
301dc212096107c0bedeab3c8d2101e66938b866

SHA256
5ee9d38a2865507d9c80ad37411037449503be01c442376ca1b12c9b9a005a62

SHA512
c9653c6bc2ffe96ffa9327acec04964368812a9ec95dc4fbd7bdcf73dc2c67be9365a82bde903a5b2050977b41d51bb89b393a83101685740b3e868f4bcb9480

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEa.exe

Filesize
230KB

MD5
25c44d97303ec7e0b8d7adf7b02aa012

SHA1
8e073f622947096f1ac386e383705411d514a94d

SHA256
5e8e9ada7c22954a7af9d391c34cb35ce8e597710ec339735c30f3c61bb700fa

SHA512
6cc8b8008208d2926c0fb99105dedbb2eefe9548d3fae6c70d00fc0ab5a9e24d7ccf6635b12bed827aa5e71eefde94b489a3533c8b07a4f31811cffa5f36b451

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEi.exe

Filesize
193KB

MD5
f520b32884d7321a4f29cc671a273e0a

SHA1
2d86d876f1a2af34607363a26ae729bee568005c

SHA256
b54c6f647f804d1556dcd5cf8ec0c32b501fafc49228a14eb7cdad011497946b

SHA512
a1528dccc6db13aa638d3756f041052204e680658a865360e63352e9b8c33d3ea1def78be4262d88e1d0202d222847a6403cb6606862a28f840884a49944b9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMMk.exe

Filesize
961KB

MD5
7709305a085964ddad8767a7f0f01404

SHA1
83e6cd046905d17efad118626398590eed8e2845

SHA256
d671c158bd9a7396fb15ff16d2b5f938807855864daf2fc7c43852c46100ca47

SHA512
25da89f72385286d86ed978dc9bb17f9f99b374a1c692ea3a7893328d789229d30c10db55966b7c58dfc590d86e6f16274d73ce1076a5fa73a17e83206616590

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYYO.exe

Filesize
572KB

MD5
4d3e3056df900730e85b6e426615bd3c

SHA1
96a4d6fc258c4180c9a097b770ea57f75340158b

SHA256
fb7d8215cc727c36860a788415207fdaf4befbf2c5f3ae3fc45c54bd8107c679

SHA512
314404f83b02721005d330385a7ef37736b7d045fdc5f4e9f8337807f83e220c4a8d33a88ff0f70793413722048ce038f0006214e95d4e46e06200b8e8116a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkAa.exe

Filesize
232KB

MD5
60ee5b836214bcad9a0e5e03e2e71c9c

SHA1
06d561665198d23e6efa6ce9e1ace9e8e655cae0

SHA256
6d854957f82ad5eef70b5c1a1af3e1475816af6e9eac5aa0d472edaf0c8732f9

SHA512
7fcf054bedb5f1ceb92fe90667745fa1e6b1138c83e0b8640857d145c92524a5fc434765c9370843e49aeb7867c130228732de51fad606da8567c8797b4cb48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkQu.exe

Filesize
245KB

MD5
0a519175118e79070d7566d7cc234142

SHA1
9dc287f7b951c1a1e6c3278828c2e00d36ef6d2c

SHA256
f17ceff9c3e05560ee5038cfc5a89c298f7d02580ce78b26885278f0a84c56ce

SHA512
39c7c7ee789c7c73946a912e520aa3656df76ba9d4e5888002c15303af13d409d6685eb026d400c950ad9e2911534522d18faef3fdc1ebbae654139f13bd17ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoQQ.exe

Filesize
209KB

MD5
8338b22e99d0265fd13a4a6083fb4b55

SHA1
c9f101731bdcc270f9377d936d479a6701cbfc46

SHA256
0951d1d72430063df8a4abd05cae8c36cd8ce4b5a817812e00b934108e99fca6

SHA512
cb47da6937208a8dd21e07419b86666fb170ae22476bdb6f9e3fae7fe23e849db2a056426217075d20514758f6bb81426b68e06d12eff06fcc359c78229a1c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eogo.exe

Filesize
238KB

MD5
785513a4f46cd8ebd836e9086ee42a35

SHA1
5d0d6289410b4d9e8a99002f11a57fce2b982532

SHA256
6b21871a686c284cd2f97531ff7cee7238ea3d8a7f592c1696657c5525f7a64b

SHA512
18ffdd3149db5033dfbf12338ddd443747ead7e61080c9d0500e4ff43420b5c76327debb053b21aaa849d662515a6c6eb9feb47845bc55973d25c61a3c149e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsEU.exe

Filesize
329KB

MD5
3d65e5b9f7d0cdee4428ec1501292556

SHA1
996fe14a1b27ed1757059577f95d84eb98755c3b

SHA256
0794d7da6fb1d25f606f970adb2cdb4fb1b6288a88e807546f7383e26ce04989

SHA512
809fc6a637ce1d3e6605fc227a1356013e8d9d8d0e9dde6197d06d31d4c3e334ef1d4e1ea79c5ffb816308b6365e884965ff8ac3a15d61784de992d6c97a7572

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwcQ.exe

Filesize
535KB

MD5
d7c7cce2ce6dea5dc3d312b7466aa55e

SHA1
19de99cfb032eaed2b42c62a78ba3d95fbcc3f00

SHA256
a7fc276fb56adba1cef2178b52277a3a2817bad26e11366f64fd84f7b16d4569

SHA512
571ec82ffc0fa080f22c6a81167d430a36d1a17a82fd7ee9322189aa5bedd701022001e261425d95be005b5a708efcb56a7ae790a0f2a0bfdbf04c2ce6573def

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQIgMkkY.bat

Filesize
4B

MD5
93a5f589019d66479b66b867ecfce082

SHA1
d453608fb91610a7f5c182c5d8e26e18a604520b

SHA256
6334e8bd3ae66b2bd3470173310870be2b58808a0e285159ea89ea7633b119b2

SHA512
5b53ad6951133ca7e4a62de94cc50036223700107ff70802b48b4de92bcab7fb0c687e91076bfb9cc986dc241e2e9774efb6c9dad6d44eed1db5d51de7fc7172

Download Submit
C:\Users\Admin\AppData\Local\Temp\FSIQAsMw.bat

Filesize
4B

MD5
dfaf73d15049b3f1a5fb1a83e5669377

SHA1
2f0c7398eead81c174551b9b43d0beeb0e5f5423

SHA256
7a0f806676f58f093c5d32d42170fd7ef273dea7a3de17df6f772c473d56bf38

SHA512
a93942b8e419a07ba3ca0cf7acd0a45ee6109aa55a4a6298b3efa9dac77d7b9363f0b728b9dcbb0df19cf2d382bcd3d1d3851ff66696688bc46a83669a571c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FioYcckg.bat

Filesize
4B

MD5
b3854c43f2a115c9e4b243f1ed31620b

SHA1
307ca20f7c13841bf6c21d553f4d3b0334dad44c

SHA256
724fbeb782c1596444697c866a6b5a3e081b831017f35eb96d99cc0ac1e71d72

SHA512
8132897c0eecd358fed0cd2bb7c2e0d86ee43c0bef74b7b2e905c699534d3e39e40fdd17590cfea13aa1581d4691a3fa9a3353ab58b1749076949e964a290910

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuYsAEgM.bat

Filesize
4B

MD5
f40060ef90c954999f58ea2c97872192

SHA1
15f94a2705d3d47e77773fd3fb2167139b616a43

SHA256
d92de85d8b07ecc6db3bc11b8bdea1d4e64a9bc90779a90349a857ed2d76c555

SHA512
f8a5d5c121ea446c26f689e141a3236755042cc15f6e64cee6a1578a621f3a3649974725bd6c8096b14e0900d2dcc02b87b9687e265691476f5e9fac71061726

Download Submit
C:\Users\Admin\AppData\Local\Temp\FucoMgIY.bat

Filesize
4B

MD5
6332afc22e40d198222f353a7cc9cf96

SHA1
ab8811a1d6b7b5a6ffa49b3ca97349594388eb6f

SHA256
916b9b9cb00d81c29bb9fbab400d82d788026b703ccda27d920f2a2a6c212ea7

SHA512
f328d7fff8ed91781c755f7bb59a7076513e2f37b612a21c7c3c518b9bada9f0ab6d8a0b1cf4e9cfe03e15fee164c00f5dc60e42bdfe4f3bdb318235c3560900

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAEC.exe

Filesize
220KB

MD5
512ac32b2c4189982df72add42d092e3

SHA1
3e9dfabafa7fe30e9bcb7d813983ff0f503b8938

SHA256
563a3107d746e2bf1a6fd1812550f45a83adb3b291e81e05cd6254638c34bfe4

SHA512
5d7533a7c62d15f4bd6413974497b745c65fb2a6cd7e80310dc0c4abc08d530a518686ae9df80cc2175519edcb51bec26bae025e7fa7c77d296ccaf9d4200d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEga.exe

Filesize
247KB

MD5
42370383da69ad63d1e97b42f7998504

SHA1
016e5b9700c7afca404d7853bfc0fa08c30bffcd

SHA256
894bf16dd50c874ddcf8afcb8b1c4ff8cfd7a8f879aa91b1cf02283503afe44e

SHA512
fcfdee4c1b5c4f16e761f332c4d415b7cfe2f7b4a56e915cac66f93583c76014ed8074e72f04d20d324f474a30b99500779e26293caa02e1776f4d05d7abf1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIUI.exe

Filesize
241KB

MD5
b11f98f5abdb66f7365f8d49a38e32a7

SHA1
e80147aef818b1d76c56a6d8159dc4ed10b6fa03

SHA256
7a17f58d1d366c092303321b1b27edc9b663affe6e2b817bdfffa27178c81ba7

SHA512
4be74ecacc65ad3def6dd3368f279164f03dec4082af4200140326c62fce76d9098cd6172463c064eef8d50e311cf04610db2f3444a27965e785b1bd6784453f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMcY.exe

Filesize
229KB

MD5
1f3e0f46ee267f8c4e396fd96a7142cc

SHA1
c4d9df4b0bf8c19e32584d07284ec410c47b30a8

SHA256
1d940c2a71987e5c8c13584aba1f6afa81799fb1f0e7563a483a6c903e661934

SHA512
bf7414fde28ee4f54216c9e19bf9a09c690dface673e7785572f1b5899bca3a2da8c52bae6fbd04fb3e0da289bde412f33e8e7e1cc11c56f685bc58475101f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQAsAkIk.bat

Filesize
4B

MD5
d667719c6247c0494f374840cded4b62

SHA1
4ec32d3bfeabfa0d5309e3f63233c6107e993395

SHA256
35168b6d80ac297536595843ab3a127df31a29f8f4b84210c7583a7a69992665

SHA512
2c848d3c273c86085f9749ac87a05ee67c320a2e7752e3f614f49f8ae8463a0fe67323a85b339ccc951b0daf763e96741bcc4677e11e9e2c3d84b875b8f5ef93

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsIW.exe

Filesize
763KB

MD5
26aaa234c505218b41d7c3efcffff640

SHA1
9df4a6c2704269520ea2ad828ee837597fcf37c1

SHA256
a40e4e7e6a29d13bdba068e8da86e21f11f72b6196d6b4e4700d020a80643a32

SHA512
9e565afa057f38ba2e6b8a9afc29f869fc2927e1aa4f6c48fb66738bf63f918919c09ab4558bfa817787c9808d31603fcbc4a21027b706202f75c51669b765b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwUq.exe

Filesize
324KB

MD5
020c110ea461c3ba4d3c355d2181fec5

SHA1
bb945f0e9d984b7b35b687dacd8a5cdb4af96618

SHA256
e9ab1360ca846d5d3ee55ef70584788d58051029202bbe4bc0abc1b539eb67ac

SHA512
8a10c37fae432b5c9b95b107d0304af4aad1c6648f54d386216e83652ac7fe826b5b428fa27e6700a20bfc8c635435bd5ba22cfd67e82c2fb7f99cf0eb1ba94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HaIgAEgI.bat

Filesize
4B

MD5
77e214e019a4b523d2a7f542c16849ae

SHA1
83db1381fd8918b58ec6ea32fdd23a18ee76caa2

SHA256
1a379d5cd145245823afd8e666d68b7b83e3d9e1b05e414d598add43b24fa264

SHA512
fefff50df47d50e469644d22d34beb3cac49afa493a3c76b196a607974ff95ed00899f1774627b0e50e26edabdfe512ea98245a11fae79075196d909ac6d3eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgswUQoc.bat

Filesize
4B

MD5
8e826abf908749d319843dbd33ffc34a

SHA1
ef4b048c9168fc0b77a001caf797ddb22ae95c1c

SHA256
1545a59489ebfb01a37d5fe1a43282752250f4b4478495c333e1a4b38b74211b

SHA512
9360d54176708a4a0e74218a6a5a5388532f93a5b7a2916881065e27b3a5c327101dde85381b43c9112eeee40fb47d9b0beef0986a1920d234cb2a4520f72e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HusIwUwc.bat

Filesize
4B

MD5
4c71a665012d486dc221b59811aa903c

SHA1
72b3153c484736b6642a7bc1b294186f688fb05a

SHA256
e6acafa1926786c2ea293dfaddab121fd8a38a0c4db95ab38c4da18819d4f3a3

SHA512
a065e65ec997089734a37e7ab6cafae28c25029c6bf755ca50c4c1aad60b7a7d4a0911d3092c9c486c4de3f64cf13e8902fc34593cc636039286624b9d88b9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICgsIcwY.bat

Filesize
4B

MD5
13e1c3d13eaa8621d7e591a618167f27

SHA1
2636f173fa0d0c8911994be37f85a3cc26e02a1f

SHA256
ade2b032ac424537d1cf29f29e1c469d244502137b11578c8edeb1df9f0ddd14

SHA512
7aa4baf805941781ea5f08b40feb181ffb0f93e155438f550fdde635ede2507bd16d436c7c52e0d427845731bc8f3b41626f1ae93887fcf7c9e7eadfb36bbb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICgwMUAQ.bat

Filesize
4B

MD5
d75cbb942522c9c906b38deb5b3a4eb2

SHA1
8ecac4013db6f161afe6acce283140dbc42ccb2f

SHA256
ab6d6aaa0f25b2f08db1c901b60ec2e467668fb222fd4c82d306bc6b3e5ad2a2

SHA512
5954485f8ecdbf653d1d4823bcb111ab9dcdf89b5bcc2eb5c17964403cb697a8790dceb5fa52a7dccba70be572a27874bec6bd21e84c54750a350044c6a13470

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMck.exe

Filesize
1014KB

MD5
7c8c64bb9dd7ecbbaceb0a8b353a55da

SHA1
cec0e6fb2ffb1767ea4d1225fb81ca7cf450a415

SHA256
a6cdb63e807bff1738320bfebe49b5d0a2965f089118a7860359e9edce64542a

SHA512
5a04e24db3fc573bf121b1787f5f9ca71e6b4306bf7de0aade7afaef420e39f4eda6a15eef1d742f094e761ad47cac0b67460afe279b4f08f361efffa90298c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQAs.exe

Filesize
237KB

MD5
17c17223bb77dd573faa6755c72d42b5

SHA1
7d087a44d5261d735959c029e04fdf615e622a07

SHA256
73c6e060123e50779e435bc8306626a0184fddb330fad6fdbc5936b3443ff6fd

SHA512
7ba5b1cfcd9df657c71af326d245532f2a48b382c4000c6a860ac0f3120a35932af413d8973abe37457d9c903503fde6cdb1dbc40fbd5c7ad0ab92af9a28c193

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYoc.exe

Filesize
242KB

MD5
ea6f80ee900f65e2241f2e5dcfcb542a

SHA1
b3ca5c0a1e29136f1d22c96333bed7fcbdc618b8

SHA256
324c0c6929d2fec56f0e2e5b817a3b2c9e00284221a52505df52ed42cbc67ce6

SHA512
ed8e0b535c133c0227c8025718c0b211a351a2d3e1003cb1851657289f1fe4042685a8d4ab8b5dcb6d79449e44b31b2d939c366572fa1ec97fa200b0130e9414

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgMQ.exe

Filesize
249KB

MD5
14e232706f06b9e7ef88e016313a9618

SHA1
a668f3f96547604a0a3c9ea27b8c63c02b1d2b1d

SHA256
ac8866b14996a82282a58abcf1c93d1cae8655aa65b2c13fb8b8bfbad3c6fa98

SHA512
1cfb638cbc669be00bcb49504c693226f4afa9247f3db5dbfef7a86e46bac1a42a1c482ba66b119c7345625f48b2417e4f5697aa4d4d0a4c749140b891879422

Download Submit
C:\Users\Admin\AppData\Local\Temp\IscI.exe

Filesize
225KB

MD5
aaa89a7782572215ae1831215afb4788

SHA1
cd54e18bcc132dde4846327d972d3ba68a131db3

SHA256
1bb89a7074a9178ed83cc2673afabc9f463c6d5d646e056249b8e24595cc5b3e

SHA512
8755bf19b5e93baeaff459e5a4323890d6bd49f37e42cb6656c1b4fdc4a382c93bf59e09501553e873af79beb0470cbf6856cead9a23a9850f127f0a6cc2ffeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAIkEMMI.bat

Filesize
4B

MD5
aab1ce2d9dd4045d0761c265e2f81df9

SHA1
40f9edac79aad178ffa74f4facf63ae8a7cabda8

SHA256
49d2f916fffaf2be1e43175f5c4e3eea2e453f2deffddf3b54a3664878c473c6

SHA512
8dc19452e865ea2186751f5a7b973a66c50b758e444a991f7fde8cc5a3d171cc994e26a30a56b5ec7d2a8dbc12e80918ebb11b6cc60a852784b28dd0655b7ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYYkcwc.bat

Filesize
4B

MD5
9f043e88ddd78d6c8a63f3b436715cb5

SHA1
16e0ef1cc9a81ebda262d70466449036af37eb17

SHA256
59ce1512e8641a1b8bc1e9fda53e7b1240e1c81720405e45bef47887e4f8e64c

SHA512
bc75a86bacd14344388699736ce5aebc6226d2400a497b0886d9c288a5414e8121bbd0a4f55699649a4597679497df9a98706ebd693b3234133e937624c25944

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeEgwUQs.bat

Filesize
4B

MD5
9882cbafc9fc915c1ed5a4ac4cea709f

SHA1
871850794e668d9e5356e6871197994d21513940

SHA256
7c4fab2cf3ceb1f2949ce21d74cc308719081d34944ed14093be7c9734ea6268

SHA512
6f34a49857acccd4ba0cfeb711985e8a156485eab7bc54a868647db9554759e8fc9ba24498d779c5c20406c98fa74c2f55d8e7002c90fd15b93287f2e7799137

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAAI.exe

Filesize
242KB

MD5
2f2cf585dbba809727686e82a5422945

SHA1
d4252b43fe2dc6703814ae4d2de9835012a5a3a4

SHA256
79d5caa9bb3d17210ad03af8c5c2218f3db201a6b95fce07c4cf4189dc4685cc

SHA512
d675c0a60f4b199a72af589bd54873a24e82b7257c7bee334d3ae2949080da6528daf0c826efc3f79eb5f39c2b39476cd5d6b24201ca2a9cf3da52a81d4a3cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAoccUEY.bat

Filesize
4B

MD5
d7a6aa2ee0329cb0e44ceb6824f4c583

SHA1
fad852cf78fb5db1e0f638c770460678b4a6e8ee

SHA256
97229ce32d1f426ffe7ea247df141166aab64dba7ef318d10a8d6245a4d26f85

SHA512
9b7accda6e89f43133e1c206a976d3ca90a68218c35f162799bdc036298708fe045c8d3fb1bb0953510f70ed189fd2219e920797a8a4147b628cf473d9496808

Download Submit
C:\Users\Admin\AppData\Local\Temp\KckM.exe

Filesize
198KB

MD5
5f36bd4765fbb372f1406a5713f08656

SHA1
7a6c38057df8d914d1c71053875af7b5a273409a

SHA256
15ebaea29932fe9314f2f442cf75ad7e83244676cf4004d2f13a3d2f677318e2

SHA512
7c01b3ad0efff6d76f11e7d1f10f13d31332263e67f31da88e3dc00002501e7070224312f596b0899124a3b361d4b65003c7241d80e360606ffb1546ed3ecc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\KiMskQkw.bat

Filesize
4B

MD5
e7ab09bbbc3c9ddb92cd0596bd52e4b3

SHA1
608ce189f3e1fea76e30552abe4d3b484da31196

SHA256
b37d900be57d590d277ccb204899cc97e06f9aa3bb2b383f1e373d56412df1c6

SHA512
a5a04a2482c078c12d7f48d73f34cb000d89300205c857a9c633eff24dc23c8137bacf4032e831e705fa953dcf85452602985b810841beec59b5fde1fdd655a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KswU.exe

Filesize
508KB

MD5
0b53edbd75425348b39631347083721b

SHA1
845795acb1542866a38501eba9d7ce78120e2172

SHA256
69a398587517a432fbecb0717739942539585bc91f731f331c7f603c1cdef4cf

SHA512
a046f8001a30b8a86509e972f74ff988953c3ecb25ce476ce4d5daae4b903cde89418690ce375eee4bb0e37b780b2841cfc5c643ce81ed0005b5c087d3a9b0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEcMosgU.bat

Filesize
4B

MD5
1efffb249a350129bd6eb52ba38cce90

SHA1
888d457d542742c71fb505964696afdf918382ad

SHA256
7ea49858dc6cae7abb2e2028fa4c3eeb81b33c472bc0780c7e53f741392e4c26

SHA512
338a3556ecc1adbadbdaf41a1dbf41cc1cc241eb7042027e749da63d31a0bcb5a143ef083030bcd0f0c8be5e35f699e6ac2a556787dfa85578e196fac929f282

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQUIgccE.bat

Filesize
4B

MD5
8637aa4327451085aa224ba7f6cf6f43

SHA1
f7ba6c74680860832dd01781515bbb8005eb5735

SHA256
b4ffe30ebace90e124a59419e01ac2e5ee9c9e94fc32f2a7f5db101c7243bab4

SHA512
14f5946d9ee277ea0dc919450a6e00a177dc29d7a6837640429055b1dab169f01d37afcc7b0593bac419a0be710897a5e82b3b1110f3d7e658cb9ced1d0d7874

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAgUEgYA.bat

Filesize
4B

MD5
2ac25c12341f4e0ff93a5931932720ef

SHA1
d2526ba12a5e3c1534daf695b7d09a7cc148f1be

SHA256
38103ce6f44ceece0ea7ffac084b03b8a6e5ffaac65f2997c4acf7be11550e95

SHA512
1ede3acdc187c2c8045861ebf38b99ffeaf84abfd4b96d67cc5250e17e9c1f949b0eb6d1dfda1f20a74c293cf91f989c9362f507b3b20bcdbc356559d9c90b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEoO.exe

Filesize
643KB

MD5
89354ecc0e5f6affc2b70b8430e9d657

SHA1
94dffe686d235d06932cc2e5cf9c3d5d0ed6c0ab

SHA256
1f271d93f5968d77405c35f656d6f48c1f92431355590930d4b4a48ef1242f4a

SHA512
fa480285cd770f35ea6e2cf6de5dbfc4a2b0c5c4af36955713253ce06355a96600830d5a8384ea6fabb7d3d6f36a0c3ea4d702104f9e4911060d7fedfce90033

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEwO.exe

Filesize
227KB

MD5
3994851b884fa8513088bb41514bde3f

SHA1
cf36a297634a3f3c86cc4b390288e0c29019bcde

SHA256
4d40a46a84f61f77ea0b04e5cc773e488974631b1124b59d27a3a15dadc0d9e4

SHA512
9f11d37e30626c4560f5107713c456e3acdf6295e055d2ccb33026dce269e7c09c195df2103356e7cbcc9dc2568cb4fa31dccf7cddb6c2e35568d2a0697f9b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIAEQoUw.bat

Filesize
4B

MD5
fde889547e512afa41c4380518268a58

SHA1
ee890f3528147a15131d78e7979446594796d737

SHA256
95c0a22db24b29b64caf0b0a3eaa9a57f7d4f324a964262a21d0be586b2d7f97

SHA512
1feb603408c29775786305a2211deb6e2aab786354877dad377e899d9b47ee4744f982a247af3772805d6f553b501135fe6fc1067cf9ea971d6f16e1df4652ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIMogggg.bat

Filesize
4B

MD5
4b0cf203b83b3b18e4745ea1117f8e72

SHA1
4a15ee2581328b8f3cb26af8786703fc267ce2ca

SHA256
77b1a507bac937f311136c5e6eeebc17c977eb6051d7c3be5c16ff7e59f93291

SHA512
b53e4eeb2aad0b7f2129924a6923497636236484e69a12db6d11370433f160a52010db1a0adce8435ac5eef254111e9afc158c749bc04ede3b749f2172ac7828

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQUe.exe

Filesize
248KB

MD5
de9d94c4a46b26d1b28cb22d57606ac9

SHA1
d16bba1ec5a656201204c4d95f05c2b9290841e0

SHA256
e2a58245a3d4027a513974eb81cc85ec54cdaf875c2ab85fcc8137b76b70b485

SHA512
1162ff335aa0c4ca2d82657c2286d147396e45d562e45306c2a8e3d7390267de79e0f1529837e7878d1f26f55fb3b0e931c74ad353918b2ee909ec3ff567473e

Download Submit
C:\Users\Admin\AppData\Local\Temp\McMq.exe

Filesize
245KB

MD5
92a5924e99441ab2d8976c789da6c683

SHA1
27eac804058f6818448325058083f508f4aff4e1

SHA256
7c70f79aec05adf913470439c01eb3865e4585546d63d7cd385045e38ef62bc3

SHA512
08d26184e1c1bf821e874ac7b977d3b0861f77c60447322d33bc9819a60792008c313b0952b1ea78076b9c9370ee7652affbc6a31d82e70d74300841339534aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\McoQ.exe

Filesize
1015KB

MD5
e9af0370b9f026e1ca7406270d0cda94

SHA1
0c11be0dcf4ff804c22a28415b3c1d9d849c3bd6

SHA256
ef9bcff2c0b9e65ed0fe27a6333df2f68d1c630483c8b227891e5614c7d356bb

SHA512
11c85ab47f006e01f65432adfb3b3f8624b711aca8378d5a00bc7731764827eeb9b8b3a484ff59b526ff9f8b08ba323ce4fcb79b31a284e50f24dc373442f09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgMS.exe

Filesize
250KB

MD5
e218a288a7a275a02337cdd47a12f190

SHA1
a8df30d05a6386aa8c45926f0bf85a5fc780d63d

SHA256
9791109f7407f0d739e95b73ce18080a7ef62e7101420f5171715b3307656bb5

SHA512
32d4cebdab43a37ffc0f050f28945a716655be61d26537dcaa12b3455355a1fc7f14ef99742903c2e8e7a0cc5261a88abcad79b1d5b87c798dfb60e6f69d29c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MiAMwEAE.bat

Filesize
4B

MD5
50f6ac834d75f9e417bde86cfa5e069f

SHA1
33a5907004e46cd8261b9e95d105da01efd9e9e5

SHA256
a8007d74c60bc8fa4e25ec2ad2727f6cef3e57c35fa9b2bd2c4b799b46803b57

SHA512
e46932b8fe4d7d9956b1f4f43cb655863a4aa68644d3fee0b093d5f05eb602d4fcce286569c9f15f5b2f533b2deb45f50cca8b2450238095cedf63829cbe043d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MikkUwMY.bat

Filesize
4B

MD5
62095c2d1bcb485fc1e24efe27e703bd

SHA1
0b0a2e515ea64f29ddfcc81846b24b6f1d92d580

SHA256
fd18196f257c0b5d681572627b6bbae79177402ea4082840eb23bb824273ddcb

SHA512
4ff84229d0f8ec7744a2421fc1e1bdae5ab556fb216a3204d72e707a3ffe776ec4b7171f9f6d8193469c921a9ef8f56b68cbcb0fbfbdbdd1c81edba282eed55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkokYwcg.bat

Filesize
4B

MD5
d09616c43e7e59c6a7f5cb850d036aed

SHA1
f4a5905482aa61edfe5eece02ac157753016aaac

SHA256
e57eeb9783e4beef6cea5a66e4d506bca680081823f6c6220a724f6efa7ad176

SHA512
9d22b4354b84fe50ef324bdd0077b2e28e15352fa96432bf85692994d47f5f009049466545081d4d4b3b5c6e6af55b7161e2e653ded448423c5aff371b1734ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoEQcMsI.bat

Filesize
4B

MD5
0fd8e53ecaceba7cdf0c53ae5457fcdd

SHA1
b059f232381327cac87217227cde42d3197ba490

SHA256
cc4671cfacd6c365d0356f44028210427fb494f49876addcb7e4447ba5ef43e6

SHA512
ad74f95d620ccb5dc42dd1b1ddc7c85d07469c2ad863c1b24bec9acba47eba172d4ac36766f3e60919ea1c4143b60efbc8f24943085c75db4e36169b32811a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOEsIYkg.bat

Filesize
4B

MD5
8d51acb81e4e347375ea148c501df711

SHA1
e293c4c420c1b1c30a2ed08afc13e9cce190505a

SHA256
863a76ca9324f57490696c0f91b413e3fd69d877ef0662a92d660b6c1d7d9a34

SHA512
2e39dfbe9080ecb72399b091d8094c25d42d5fb1864cfacf429dfccdd96e38e75fdbb47e5939b5ea8fd2dec216808cc969d96f6a6711a1d2c0bc23bb3f76ae81

Download Submit
C:\Users\Admin\AppData\Local\Temp\NucQgUsA.bat

Filesize
4B

MD5
7169e6a3493c646f9f9ed986494cf0ac

SHA1
60156ea85ccc1da2ecf24a6481526ff785a225a6

SHA256
7b648e89568056e3cbcaa46377e89103c7801909fe38ac44493f1c4ad8f2c419

SHA512
19dfa7bb2ff29b0c0d275d5a101557a7ef032d6c8484a433bd5284d4295e40a72df5a8f0f6b5a267e5ebae95b04751072965beebf82ae9646c5d19717744e7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAAg.exe

Filesize
186KB

MD5
d58624804b3d7d058128d9a15c3649f5

SHA1
ad48bb447f06bb7f12159abae1be5efedd0fc638

SHA256
25b6c1c58a1a5f42db63b34576db8f9eae5a5560259b1f26861215fedaa54856

SHA512
756575bcdaa2fc49bf4b8dccf4dff790d3165b5ffc6eb05da4e96d07a9d8c595449851b226455cb7247d5753e66d82138aff5b1d0d6af702ec0021c08559d382

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAwM.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIAM.exe

Filesize
242KB

MD5
6a6a90ae271be1ff33027e1e25643c24

SHA1
47f6a849f0ec91c6f43720a9e6e1311151478725

SHA256
a3f1d83ae6966a474a0527f63df6e1a6224bad34306a06f9e3f8e6b209e76ca2

SHA512
27d3ae40abf779a7406374a4e2e8233363b151c2d1afa41649b8113d7b3ca0b86660c22e1960fce4b034e1684a2acfc32133940c47ff851b6add7caf28f479ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUMs.exe

Filesize
229KB

MD5
30512f084b72ce568dc225c463582441

SHA1
2498459fcb5710942b1a891e00e432919cd63333

SHA256
d96650258fd7d2907125cd56ccfabcfb25da1cbbc37abf2cbd7f6ace073357a2

SHA512
472441446b0e3116f03942a3fe9d080b8500c1ce133735b0430f15636ab973b1e3dec2bae280d0eb3e64637db65bfe7dccbc452b3bb8e2a33eb1c0ed6e4cd24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgAwMwoE.bat

Filesize
4B

MD5
e05dbe1f10acd284710613805e7c31f3

SHA1
e3ad0f238784e6e359955db7ac565985fe963c78

SHA256
e88490828339dd83be273fa11d4267c709beda17a3df4129afe45eea538ed030

SHA512
0b8bc9369443265d9ca3fbe8421132138847cf9f9af72312564d9f33bbc47b26003ef4261515886f2f8f8f14dd2022862fa95db66a5274329160eef2ec1cbc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoQU.exe

Filesize
251KB

MD5
91ab46a14b0cecdf8a35b971df3a0663

SHA1
a9f56cb774c5896e4a2269aa96812b5a69a5e6bf

SHA256
0f920f56f564ec8f98556f39af050e98ac67436226764a730c06c87be273ef25

SHA512
89dd9dbaf3fd2a287c17dd78b023ec089e7af1209b7031f88e88db42ade1236d575c3adf8134f8e049407406544161b0e58bf6bb5195879732f0d69c07923ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OywYUEYQ.bat

Filesize
4B

MD5
949c6bb95a8d7b5164cc971411ec4de4

SHA1
4c5bf782cab8db515e6cd31590ce273264e5cf5a

SHA256
1eb053fbca067ddba41930ba0e065666b8859affd03d26bd1377e0995e13ab50

SHA512
05390d6ab3f71162a118f0c96ae4490448f8bd3f77e36e22ecd39a9241453d74d44f807f44f0d2a5297939bfd5043941e18b0020e9dbd2fe9c16ec62d81a4c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\PiEAIsUE.bat

Filesize
4B

MD5
3120bf421674020e765521917e97af68

SHA1
6e0f1e3bd22bcbb151d9c1cbc3acb02000d2fa30

SHA256
521d29897837ed9aecbaf5db901e07c47b5d37016f8a8f44c330c7c185f1ef58

SHA512
d3a0a96544617e0218a193bf5dc128e7167c13abd1fc9dc62f1a11d81ef87df134e681ab6bf39d5bd44033b4ed19befad4c5a18c956daabc08ea6a9380a0d78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsQYkoUM.bat

Filesize
4B

MD5
525803bd69964e556b609ff44d481c73

SHA1
a8828476b644c6c2e50b2a4ea5e5f2e4c6bfb6b8

SHA256
5abf571b2a9606dc0958bba1a17739e94eb9668d93a87c91a8804aa10d40e280

SHA512
09fa575867b1f2f7106f1b6dc26a307352b63b1db7d704f712973d3c1659c2df841cccc659a4a9d58ead08c3c394defe4bddfb7eb6aaee3729a2424d9a29e772

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAgg.exe

Filesize
1.0MB

MD5
6334bc46351ca5afba9554fb4c927792

SHA1
30189623df46feb386f87395937f01e50b1acf11

SHA256
b9cc1fbdc6ad6877c31e27ecc622a0aaccda3a71bce6715d763cd6a59edbd879

SHA512
13f50a0ad21108eeef81e3b30cf577bdf2b20ac6520756e37639cfd2dde81e0de18eadfaf9dc3ec21038c8f94973ff59039a7e4affe99dd90af69ff007f0e1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMAY.exe

Filesize
189KB

MD5
718bf6c45a389b0e97081da0fda796aa

SHA1
816b1f7bd46d56cfa59d7a2ab3f5b12710fd6747

SHA256
ed09f0072273d4c294a6c739c5a9e4f9ad8b4a5c84162c717bfef2aff254de4f

SHA512
bab85e71b1b0a0dbb79bacbcc85b5cdea3ec71a0cf2ba88ad621a6a82c643c52ee00cdc7a139eda1771fffbd72fd1607c4c3ab748f7e1ff506dbc9a26cd28c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUQm.exe

Filesize
4.1MB

MD5
7b3a111e7bab96b1ca0ce294d9c765a3

SHA1
de3e0f8ce39191630249dd32ecfdc94302699ed4

SHA256
9fafb78c8af10f45065ab985c6320d7035e08c002f210ab89a859631e8eb2bde

SHA512
4af4857ea91449410b819169433448be8d47d68e436b17a83511c151bb3d9c9dafdba0bd46cab225ba1eb4d6de48a1d5840aa5c2ec90d1c39b46755b40ae6b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUYq.exe

Filesize
189KB

MD5
d387e36840bfda2b32dd82002ddabe13

SHA1
1ea8d4cfa0ad8a3580dfb89c8a4f2108a6e361ad

SHA256
a053914b80ad8421f879183c94fa45bb60adde7ec7e7423e5be8bc58f36b15bb

SHA512
3534cfd8410beee15be960dc0aa693143fb9e7dbb3bae282d35859d91082a982da40e7715ea4626a2481f659428b233d0ba108072b0b6cf56a557bd17f10e259

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUoe.exe

Filesize
198KB

MD5
755eb5008a55ece0caad438b62a185e3

SHA1
dd21109836cf2947e9c655297296c3baeb9a9034

SHA256
1255c0aae30c4a3a7c1571aee5ee0a48636b90ae133283318178916fac5e5e9d

SHA512
055bd6a9a9cdd4294b19ad76db71668ecffbd5451f921e2861ac84df7b8b7e2082f04c88ab54e85b7b4fa91664341db793b9ae469ef42350fd8bd4ecd920a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYUS.exe

Filesize
234KB

MD5
76fda7dfd95dca2669f2a5721775f657

SHA1
7b526d183a03fbf8b72d2f95c04f6be686f16a33

SHA256
83f03509c0c85382803dd54bbb937d3e78d2761f6c37827e647c25bb05a63c97

SHA512
dc8dc8d4b6bc63d4a22eb24a412f91b244924108ae4ec4098f9bef112c2019344b3bd57643838196d579c4dd1375aafd746e725e215d4df147f0b29c4d26f6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYsu.exe

Filesize
230KB

MD5
b11bc6bed14e5b9951c89f5acb3c2947

SHA1
6bee812b8dadf620fb3f46c97b23999ef3eed206

SHA256
b54bc4fe8bf7a8d86e6347055cb15f5ec9b9a7f0d24f7bc93f06d8c2d15ca571

SHA512
d5f188f808e0870a1036a29ad4cd74c41074955e0fb0bd8550f4f19a2b78f81b8d4350411b56957582ef489a6b4a7c483901b0e263bbe97450e757f5c955a22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QaoYIQsY.bat

Filesize
4B

MD5
75e7b85d2ada73737c7d32dfa8b48f18

SHA1
3ac477c76b8a0135dfbe65595be3db67dd4015b2

SHA256
f283f621bf5605af6d048be0e20ad6eb9f89a5c766614d985af6b0a0dac3cc47

SHA512
6fd098169413a30e1e334244d474f815cacf921616a78b833005b2d5e429219798fed6f8132e4161993fa533a5671efb1d61314d6ddb1f0e01c55444730473aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcQW.exe

Filesize
196KB

MD5
2c761bf2da3ea44bb393e3c5390a3eda

SHA1
86f29a0d4b6446e40a88ff376032a7abb831e4fd

SHA256
25a2c9d2d7e5fc7b608199fce8dfd7a777c055f06c95de5fc4924606bef5255d

SHA512
aecf1c67ebcd26915f799b69dc7fc7d0ea02dd646fa597a2f2dd8c76f37fe3744e76d25d20a838e57708a52d587c380648e094dbcdf49de6ff34355ee14b16c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgIm.exe

Filesize
607KB

MD5
5c7ef4b0783feaec3e2b0c58b6d1d317

SHA1
c488df22647975b1556a568f4444d5a4c7085384

SHA256
97daf5719bf7dc9fae1fa2360ec570a90c29a9fa13e713cd4a2ef96f5b12043f

SHA512
b1c1be588de96c52c621fed9d740d088d34f014bdfb1c58d1095e8f17ae6ccf654b0bccd389e9a12950d27c81207b8b448e2a1aa8d82641536850bd3a4f21d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsII.exe

Filesize
241KB

MD5
1a356bd1f2c94c001541679cfdb9aa60

SHA1
5b3c3615095cbdf2fc31e893771d2529b46e3b68

SHA256
7ed268f03d3a420c82477e414b7a4928c8ebe2e6a5946149c3a1329d8659a8a8

SHA512
ef44a0e7b13137af10c4ee7757504eb211a51f90e37a15437ae640346b5079aa6cdc5502a1e29c4c635098b412b1360ddefee6cc517a53fff0ab46894a251b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsQa.exe

Filesize
248KB

MD5
83b5cf657b708e2d69de45201b63d780

SHA1
d857ceab572ef178bc847f7f7f278983b6f50ef8

SHA256
38a9bc8d3d52d8724485791747e2c323ce89bde3de31f80558ffce1bd4f4547c

SHA512
f5e1983740ba64f10daef220533dc618e5fe172bc0ff78c9763009ab59c7afa8bb22f7b5486c42aeb1582678496ec29d5e935e71857b5478a5fe70d6d7d5928f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROkwEUAE.bat

Filesize
4B

MD5
c47b9570295270f2346351033e741245

SHA1
2ef5c69bf25d162eb287b7f3a126a876afbdd442

SHA256
d5b79a5c1c4dd15034a58c9f07a51172870f0834ae0693d2bbd755994b1c85ff

SHA512
dc68baa340df4fbc336ac02bdad443d13ac4963b367c50923ead651e406e0315ca986d511c522b404e5543159f77007ab83af80cc95825674861104acbfbf6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RckYQoAE.bat

Filesize
4B

MD5
7a0f7ec47d39b55e3c1262b67ec16d62

SHA1
cc5e749db1e261433d4bb9e2104e987719b77f87

SHA256
a1b0122969cd8cae8d207b3a7efa65a6183ebd99588a4901cf9685b509559ca5

SHA512
d41eb415861c75f09659a0cb4626834ce76a9f878f7453c8a52bd07d744b67a2f460ea9fbddcc412f48aefede4139e398be72265d65c590cfe7be43c57916ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkYIgMso.bat

Filesize
4B

MD5
0e398239317b6b25bd805629ee119163

SHA1
a3a80343fe265a0b36f966f6a8deae4a456abb14

SHA256
cba941e0cbb8c7221367da181d86380b7bd5b36fa808283f8dbcae092e0e5bfe

SHA512
0a7b31d8b304080e8b79a24d008ac2cfaa17dded2feaa34bc94d9ad8c2a56ed21c11924bfdcd0729fcd2c99534734138e4f0edf033f1a1472134f47b0d95b51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RmkksUUE.bat

Filesize
4B

MD5
4e8b24cc2ac46dd6ff175be36f70b1a8

SHA1
187f458b6e4e1d90e44ac52020feca39bc70674e

SHA256
340d17775f1735e65817e80625c6638f9709919c8141f60223fdce78fe48d07a

SHA512
34c625b28ae137e02755fa6437e04a8f56e9ca1a2d0dfb7fce34a44831780c17b5268ce77ffbedac0b3930ba880f6584ec2402b3627f56fd9395541aee0a58fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIYa.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMQk.exe

Filesize
190KB

MD5
d06bf78d3aa1663739be95016fe75f29

SHA1
7359748f0ff032be4e8c2823ab78c21bfa6f3541

SHA256
6cf944969a4e8d8ee422ab67365d173047f1890d42ec52cc29e6a683430f469d

SHA512
3ae6d92838edee6daa67e5cdd791ece260adb9afe80e67db2db6a00b36db482f48a6ee50bd63f24f007c0ae1ff7366b4cb2704bfff5d8e50a55b8f36d7806dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgsU.exe

Filesize
232KB

MD5
6a343cac63c4e26582b3a782a1901f2d

SHA1
a7ec9c378663e7d3c7f1aa4530a49ef1544dae2a

SHA256
fa4581915d302a0a5a948c3a28dc3f50aefd0cdf1d47f7ef251924f004aff1d8

SHA512
14793364fe9d18e7f97eb246fcf5d4ec57fefe4dc0fd776ff51b51ea78a6f5bff90e0ecb8f39294722b0c9cb3f88a5b38bffa210271b846d4f4e694eb628cb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkQM.exe

Filesize
211KB

MD5
986266121c10f89bbca262f133623ef1

SHA1
ffaddeb1b8adbb33c14bd40e72c236b80f3584f8

SHA256
0edfa9bca291f6b4f4b87430d8659b729450643c77e1e099c9e2424e4fa42ab3

SHA512
38b3b6777b6b7de6aa7ba652b2ba60862870d0635f8696a80f2969d440fc50a65ceae8182dbc070d01c3c3c611ea4c50dacafa148668e474265a6c45a1857d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sksc.exe

Filesize
240KB

MD5
061fb36cdb1f9c65b88addfe3863c20d

SHA1
fefd3efeee7556df3a9e0745ac2c3eb39ccfcfa0

SHA256
d45eb05da30dc9ea8014cc952c5105852c953146e568f8835099b9cb9b02b29f

SHA512
d39327fddea44d16f1da93adfe89bfef6e9c5a7c472a4f8b7b45de468fc330643cfcfcf2c66c1b838ca0fc9ee2861fe5444c79f3ebc30386ab7229f3e98182a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoUe.exe

Filesize
1.2MB

MD5
6bba71a52d1da34daea0f115cbf40382

SHA1
2521e24baf8a5d1e41270aac5cdd53c24ce3a6a4

SHA256
cc7978a88945ed142f8ce6f5143fbd84a4f42df3929a39d1ec402f716b0fe2cf

SHA512
288d28ac732a5640bdcf6bab8514594c2b85f12b92c5f1b95eb2eaf388eca370f5eaaa66d6de1a35ce56f2b1aa455a92fc070b75a61ac09a8563df3b1f4718cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIoEIooE.bat

Filesize
4B

MD5
4a1973d516a06497dbddf7ecbe7c2ba1

SHA1
a3ecc97e8f80d90002759433cd8d8af77fe18d56

SHA256
c755db30c3e47fdec30853a514d4753427c9f4eac62f505747f7dbe06b98e33f

SHA512
c870e10e576c373b75ac3b90652fc3dc2e2117db5db1afcff58cba21e000bb674889d50539fe29f3d511bd3ef9ae1f5044f881598a03a51d28664ce853bb1fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TagUoQQs.bat

Filesize
4B

MD5
3166055a57d36249bcca6551e93bfcc4

SHA1
f045d0414b5b3517cb2a5bd4a99e8e083c6a03a3

SHA256
9abe789ac7799763424d1816e420362a4210d39e90a8ae03ddff5842abe9af33

SHA512
9cf9d5d35eef06093d5470bf8d07cdee39a3fea74ede424124eb88f0e940a89a8fe77e2ba14577f2dbb987837673eb080f37b171a34bfc10fd3eb9826a0e6983

Download Submit
C:\Users\Admin\AppData\Local\Temp\UCgwYkss.bat

Filesize
4B

MD5
1945a5bdd37d4e1ee7aecc0925bf7752

SHA1
00d407ac2111ea5d19a6b3f0348c6019375ad8a2

SHA256
040568788c80a96823b7ca3682273dea90f7f82b01c662641bc84658ede500d1

SHA512
0228d89732a121d106c3133926bdeffed65af2d2134fc79c711d7438b600e202fa4edc4514d2607742c8baa9c3a7354f6604f71ae86bafbd43f6ff64b59aec03

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIwO.exe

Filesize
244KB

MD5
d6157d0a46a7773e91c4b4110ecbe867

SHA1
832ba45b179cd8a0916c48da8b5413b490abd9e9

SHA256
765e13830948764c37f8dd2fdda11cb30b8ee374037eecd8fe3553404551625a

SHA512
d1b9f40f4748232052e0be6d1d7806dbdfd8fe1d0cc61c9e215848e9b704cc85a6e63df01be8cb90e0427e6340b9d5688f55431ad09a1f768959ce308e398f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUYg.exe

Filesize
229KB

MD5
1dcd82803581603854a62000e3f7d613

SHA1
90ca3ce5665673d83d068475f98a262176d91964

SHA256
5b59c4197ef45184340f3feb387728316e7405600230e5a1a740e5aff889126e

SHA512
d6b67c673d27c5af39c02b183881289876260ce66cf796c9fc6eb163619b62792030ac9f24975a20b12c7fc5f3e8f681cca3d8137c9ff430d0056526923c796c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYAM.exe

Filesize
249KB

MD5
d092b66550b644e0a02caae68005075c

SHA1
83e1ce81d8ae1f2169adc220dfb867428cb71edf

SHA256
451d95cb1e9eb0bee164271619a908331bc4854f37fb10a98319f41b5ed48d1b

SHA512
3f5e341b1efb66b34d4d744878e8f3b7dbbddc87343bc029eda3e19e65a3c0dc12183a94a5cea71b13672bb371f228fea64244df94b0ee2dcdfda3d92331adb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcQi.exe

Filesize
239KB

MD5
a8f7cc575882ba3c16fcef2039ba4d71

SHA1
bce078ffc42c873988ed72e8c677d00855bfeeb8

SHA256
94a9862d973862ce03560f5933dc0db77931e1bfae8a3b745f4d469250fa4657

SHA512
c43b63a69f4a06c55baebe47c852ada07316e66b58f47776102de935d6780ef0796a71cf1f72678f5541c76bea5c429f9b7da9bda7aae9b84cb3447705c19321

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcksMkUY.bat

Filesize
4B

MD5
5f119b947514249022d549fc0a942626

SHA1
ae60ce1519dddb98e42614da4b1c7d1268b9ba9b

SHA256
030a1b16758e6dd09b995d868676c4d6f30c44139e28056d86028647969656de

SHA512
a52700a78503668f1333e1ab29f407f42ef14015619ec7b1c9f894c9b977426b0a01c58c992217400284baa1d6adc0422bfd2ccfaeddbb5b96a020fa75bb43c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgUe.exe

Filesize
204KB

MD5
02f5dcb334ee221feefbd5185cdf904d

SHA1
e2e96c7a0aedf3d77e80e0045dff31d6c97b1808

SHA256
85d19bd2dfbce85c6e287d2c7e19a0ad59da62e1400420637ec30eb47bf115f5

SHA512
9262cdb66c91c8c472367eb6335bed63bf6d6d7eee3026db05d813c66598c96c3d1590db79451fe368e1db90931814c8009376081312e1b7c4d56e714d1ad6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UqcQQIUs.bat

Filesize
4B

MD5
3f1b5bc85797b5ec803c1543539c6519

SHA1
76bef67b308f401defc5555d61158aaf45a2f68b

SHA256
450738337753794f135e66ce6b5953ba20392d66a5075d0c78c00e6082ec0b65

SHA512
2a784c6d4d6e688ba4e630b2bf87b3943f3c5964208aa86c2d46baf405dcd3a705df3ee52d6fb423695fee6d2232567e93ff2e7612ee37f4e598c6a19e429216

Download Submit
C:\Users\Admin\AppData\Local\Temp\UswQ.exe

Filesize
228KB

MD5
c4ee20b2989ba4c6aa70d2180349b8a2

SHA1
a0429775fdadf1594fccb67dd04a138e5f824acf

SHA256
5a64afe388010465e0d00015a80b8372c81bbfb180e59424f60bc32b220b686a

SHA512
9deb8e09ea283f2106bfd7e534ca684b19e0575ab71a0faeaae9ba2d41cae127d188ff034f19efe161d2f7a267c9621c1f49b9d98f08eb57b6a29de194911577

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwwkMwAI.bat

Filesize
4B

MD5
ca8e09d7af6a31c2d6b68448a1891820

SHA1
75d642735cae666b27eb904da587fec8aad5b802

SHA256
998d9ebeb576b7b386be27d6e5cf5f023ebb7b77efaea8eb6bedbd191c8b0be2

SHA512
bf6130c7e03a46909b0f146d0d5b4a197db21d79828c61c5f78410c194d28087027ddbe64d262a9189d65cd3420cf22d8a987ece90f51eebd065d4001133dfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEgcEcwc.bat

Filesize
4B

MD5
a3dacf002e2b7fa96496675da9ca4afe

SHA1
25ae988490407ee60fc3126812447198c6b07abc

SHA256
9ae014f087525f28072c0b2c97fbb5f21a9b5c3baae4a7831235be0f4e12a7fa

SHA512
feccba8dbed75f4d684925fa9120dd24b884dc6fa4aab5e5218af0a8198d466a4c46c1359a1051fe921768f2fda61ada775ff333db485b05a8e295fb4527e5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEscswIs.bat

Filesize
4B

MD5
7490f600d72630529c61ce7e65bcf93d

SHA1
a75dfb291ca8de58d2f52396dae29c9e91937a4f

SHA256
5cb04fc5b6c470adad724508e118779672ef9076b3850d5238bc6ed4beef3a61

SHA512
c63e3f52c89abcea2ee6fea6149a5af01b55d76896f5054d9cc6aab6081db73cd57dc5293026f52854881630c2941882a2689edfe613cafc42ebe2b70b1b563e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMAs.exe

Filesize
188KB

MD5
347a5b0b973a3fdc95acc81571290c89

SHA1
13d6c4f30069070058568a6234d80e66cf750be7

SHA256
98a820864b4e7e57967edc3b04b6ca341c8dded055e0934b196454cf66990b79

SHA512
c64baea9075bbbe6d3790067d5ac32181557d5eb14e37bbcf88ce40775d878cc47d89ba4543e63f3ca4781df77bce1634b11b3f997759b4fb4a952e9c8ba0f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQcO.exe

Filesize
188KB

MD5
1a8fb5a9ce27601837a4fcb769e8d54f

SHA1
0fa620407f2df2afdce00f87faee2d34d0381e21

SHA256
c889678640a94cd51d00adad3b1ee81f779a4558bb0637e141f4873c585e27c3

SHA512
dab71f2f9570605073c49303710afdba1283f194e69560a2ce2ef271c6c012bd7b5d6afeab75c67c277d4210365ae394183229a7e4fb6b8da8e4172472ce62fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSEoogYc.bat

Filesize
4B

MD5
20a86b2a30fcd6c0992707bce922e5d4

SHA1
5e89edf7abce8cf7368ee694d0c8f61a978e14cf

SHA256
321bed85acbbb6458165301c15ea390bfeab549310a2ff39dc41a053fce2812c

SHA512
bea29bba7cedf94a0e26413186bb433e0c2bc64b35e70df83b1c85447c8d5592be5c553990a63d8239009a4e4f0670b4f1531c70b5daf2e198b4bb954b7abd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcMw.exe

Filesize
184KB

MD5
88d18c2d6611d9245ac4c44186f708c5

SHA1
da86f9968a7a846b98c4daa2144defd19f59037f

SHA256
d637e274e280f7f847daf05cc1f145296be82b1a9493c1a2e0c9509e48dd1c0b

SHA512
ad0e131d222193edf624929ca8b6d96a5ab6c0a6e942f5cbdaf351d48ad4d36b2407d1dd494becaf7e3a906608757b3147be5d202eacaa9a4e54233f0e366d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcYokcoM.bat

Filesize
4B

MD5
a371ad7b8dde641a71dda381bf6a7261

SHA1
0f69b09af991cd9fb1a5a12a8078ab346372ce6d

SHA256
f19c5b84ed394efc4ae6ae10273481408489a6f3bc0ef5d2e1caca80343e57bf

SHA512
908f20c2f60bdc3857263d9e229dcf1dc375863fff96cd5dc49880745564a97358513b15ed79774dd20d391e52439f1a0c9e924c887b48c38abe498302ac96ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkAy.exe

Filesize
246KB

MD5
28a28a36daa2e6ba9b1eb8210b02a426

SHA1
7d6ec6120d1cf76367ad92f1c8d597044e17974b

SHA256
5fad431802849778390825f5d6fe108335c1c040072089b2a8b3910f1bc42d08

SHA512
73f657e6edb84e0529695082c66fb9fad45696c452deb61198c530d8acd0f4e0721dd1d8ed45c0835c4874ff89f1740d822e62f9f2335ab30302526133f9a5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkUe.exe

Filesize
213KB

MD5
c2f995f14093cd269f8a29b4786a285c

SHA1
4ef8167e1a5f4948fdc6867fb9ee8111c765c85b

SHA256
130804e9fa46371fc46a6dd15505c7506c24b99d9a772328a536d39b7b6acff0

SHA512
3db77a13c2bd4dad6e9e6743cf96e52abccd174b3b641af29c28e6c126b6b79141794fd56b744f4d3e956170503bb9abad439665b49c0df6d2afc22e797704b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XOMocckI.bat

Filesize
4B

MD5
43bd94b61cc392ffca0273473881aa89

SHA1
f9703c2043cd2f9fbf36cb185733bd7a66e99f54

SHA256
a0f8d6b1269a36fd7f5f12458efa04bbdd821b41b45d82f962477264cf6cbcd0

SHA512
4950fd1563d7ae61c53d2450f7c54d2470ee9a61a35a8d2c9eeec0fc44ddc22aa7180a96c5bfc82ac0c13e7e982666c12e8577323bdee326ed76cdaea4d1c9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XoIIIggE.bat

Filesize
4B

MD5
78769a3c4fc1069a89caf58b12f2dd91

SHA1
ad1224cfe25c05f35bd6efe1e44df8cc0b3f9992

SHA256
2f19a43d20ec85d8315a8e021b516ef4fe609ba899d10fd4a38097f3f03132fe

SHA512
93e2d9adf338d1a8b16fa6543d1916d2c032eec8b856eed09a35d86a3aa2a7405c20bc1a302acf0a51c3e37594bd8c04f984890f463c2abb962f0c5f9d2816c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEEQ.exe

Filesize
735KB

MD5
ad48deff4f12d3ff6b7d609c3f0e2d63

SHA1
418f1daf7635190408e30c3a1a4a274de8de976d

SHA256
f222f40076302311a5c536ed88bdbb94ab90d80facf9e0be254fb015af9d1ed4

SHA512
f90d33f4133d2d4cdaff6d2655cd8a017b245c755043d6319df82121090936d5aa673f204e5a91261261a104641c2ebc379782859af7e04dc59660a4bed71d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGgAwcUM.bat

Filesize
4B

MD5
87070b3ca0068564614c6a6c7bef60fd

SHA1
6ef212933e90c8b0c162e198ac9f41e95793be0e

SHA256
0751ea9e399f8ab9f900fc66327fa99e4dd19b4513433da9f76f2acd7ee75a37

SHA512
a4db13240f8b511c2c7006757a6fdffd231e76250e6eb3e80d5d004282c5d0c9955f71f0cd1214dbb5c65539b3ce99fa2cf1d524ba503b45263eb96c00856ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YeYwsocQ.bat

Filesize
4B

MD5
00d184d421250f72572556615507330b

SHA1
816b26a96d7065ba3fcee65eae296d4b1178e4a4

SHA256
18e28e7358f7036dcfd2bc1754018e6f1474396142b734109a957250dd06e236

SHA512
402e4d566efa1cf84a1c70ce08680228368f7d3d8fae1e2627739ae680c2dd1388ad4f95a5410f5c14bd65bd81146712a2d9c6a711cabfd0cb3fbfd1b65e3efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgQM.exe

Filesize
227KB

MD5
cf013e23b710579a58ac2702b58d1c7e

SHA1
f7f383a281d398d11a9cdfea7f17aa33918bac31

SHA256
054541a6880fd89240dc97c07e37f077b52e19b8b1e9c5ee8cfcac87a8ff9074

SHA512
105230236e773dde33dc9bf9ed4582e7ed6a7384463edc5ded443a9d3b57b0c5b816165279f9b56e380d9142588e10bb16c8120dc79d7be357b177be7dea9a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\YmwIgoMs.bat

Filesize
4B

MD5
4fff99d1adfe9545a64bfc8027bec427

SHA1
0337313d1dccd61b728bedd7d3a308be62c631cc

SHA256
55f929c5baf5f5065e5860af6d34f8af7f8ec198b3d4c1a6280e93fd43ce9a10

SHA512
1bfe6d14c79e2455b88127cd343872d821706238cfc5e65db59fa34792ed731852da029985f708e18057397e62bbea22ea3452ca6fd76a2efb69da014a874c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoMw.exe

Filesize
233KB

MD5
8cf2dc5554bddc465b1cbc1e73a8237c

SHA1
ef14bf4f1ad68e83b84b7fb5112f335b7db0eda5

SHA256
7cfa1d074d3308651109019db34b08e783cafdb70c1a3e2c5a9ad88ac1760fbe

SHA512
92b5a0e25e292c6d7daecd9c0898855d5814cfd7b831dbf3b13a8e769fc86dba1c1aef5018dd6f5e6482144d17fb21a050a2862f5a3e2b8591c99781f275aa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsUk.exe

Filesize
234KB

MD5
94203869ac9cf9c19f5ef4844c1d4812

SHA1
ba65242cf84b74ce4db5cf7b1ffe56b0c67a2b6b

SHA256
51bc62e14adec363377fc37ec7ba20e6e3bfd884d274a46d7329eb10a883f8f2

SHA512
54f31ad2920173a0710e6913263f7d9e41c59accbdabb47d952b384b8494f05135c04a7f128e81d999b0b21ed1fa456b1b82be8cd3a642db70c436156a068cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywoc.exe

Filesize
230KB

MD5
28f5bd311b97bba8aab70a75d66ea9cf

SHA1
2194e9ed585d46eccdc38533c299025fc6d71438

SHA256
009bb597d62ca5780c1ac339dc21a65d2e536f709b680355eabe7f1098667599

SHA512
12a68bfe045d3f84f2b4c1565f5fa5a208d0b71cb5adcb4c4718a8c979861d23e6d237405543e54c70379e811b49b6c446a60ec8265a1abf43d5fa6e687d4ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKsokUMM.bat

Filesize
4B

MD5
ebde9c278f523b7e1cb2582a674e2211

SHA1
ef94263b7bb8aa9f2b9fc5801fa025ea50fa5d77

SHA256
8eb8ad1751024e032275523f3b1095cb8176533cf5d5888bf2fe05428688b5ed

SHA512
1b00c5358818a4b520881057e601c36a2c54070f10cc3592d46c02a7e39384e14930279bd199db8185846d90c50f58ec3525d5a4f66a0e75f35c0ea4b49fa6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcYAwcEY.bat

Filesize
4B

MD5
3138d3c4b39041964a92bcbf9bcfb19b

SHA1
7c4bf77168222015b02adacd3e4cbe384cd40d52

SHA256
70b4389221a333d1aab70c88da17471bac4ad10f18011c4d0002204c61d36dd1

SHA512
1242d34a3fef8dabe89854700870baffc50ceaa1233363210dbca1627dfcbd68032ab8e0657bbe2ea457a127d2c9ee013416e08551b7886e2992bbf86e7ed046

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZscgkQII.bat

Filesize
4B

MD5
a2a7d9a241a09fc3da99eaad2746c63b

SHA1
5aa9e959ee5cc130a6fbdb2e8af54e961cb7719c

SHA256
9d1e40e5a1f0cbe12e50ecd897b2c249e9194a8899bd5f42b7ec840d0f3f5648

SHA512
912d4534cf3c23bc477f0f3477382581da5c9c46d08be812f89c3eb7c161e4d9835ac3e5dd6652bd218965b856a5989d3a5f96eb34ab49dda5e729ac5351b57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a21f61fc9870af66d5cbeb8578fcb57d_JaffaCakes118

Filesize
3KB

MD5
4d8b8c8f1a68a4f320da8294a085f251

SHA1
3f9f7099f963a889bd8bd72237dac63467f3dc43

SHA256
6973a2aae66bbb99f2b57f2ef160182825fa5305444511ca1eca4e1b0b38528b

SHA512
35a65ea0f28542632dbbf42cf8649faf0fa214614614ca9b7dc046a1a80f9ab6b07f7d6956b2a039e3bfb31d272b0ccee213c67ab6277c767eaedfef2f583eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAki.exe

Filesize
245KB

MD5
e0d5ba1e190c6abb24447b272af718a0

SHA1
3ab78c86fb35e4bca191fcd7cb3c860a48f1fb8d

SHA256
0c3e3485f61accbcb25d8d6923ca1ca5a1bbf3969209bef3c62da91968e5dbd7

SHA512
c5975afc0c0173d5f60adb622741be6077cbe122ebc9e3a8aa1f4dcd0ca64056c1f1561cb3fa5f1e7f79e022ccb1cee591acbc9747cb9b69e364c297965e1b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMMU.exe

Filesize
437KB

MD5
ca12db5b461503b95771806c1530605f

SHA1
1232cc02d531402a899994742129b847260640f2

SHA256
dc0e3e8c4e8b9279d187108ea4594500d6bb17df4c3e3e6add0ba6cbe18e657e

SHA512
e99dfb9cfa75806d86c46fb9133de6e84dc0e6690a4cfc171e67b4e178cc0eb45eecb0e8e336b9a2686e444ac9fb8fba3c1544eb4fcbe5b2ba23434a1d0f3c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQIq.exe

Filesize
633KB

MD5
7c65e58cd2ddd8a6a18667666947266f

SHA1
54e9bee284ad8c8804c0e3d85ca950b60cebb873

SHA256
1ab16acae211b9bcb0c5478c159ae18a9a9a5a7fcbff57cf6047d45a3936d1ed

SHA512
686417190bd9b34f7697d40ffb53d853add964ae927531e88285065f4491b9eb77a309cca46d794f1628f9536075df126286f7bcf459e9375fd7e1343d7ff199

Download Submit
C:\Users\Admin\AppData\Local\Temp\aagUAMUM.bat

Filesize
4B

MD5
a474a42d709bcd3f6dce8b4155243366

SHA1
bf794b2ee18c12409793e7db2b9b594c963443ec

SHA256
fa7d2948ddb562e422b7964c06f974d97a5afa6952a87746a3f3852288a451d4

SHA512
a0363365c55914ad16127793663445e57174092a2f042d0352a842425c025ff650dbcb8bc3773d82a538dbf77929b423dc36c02e8e124e362e26764786bcdaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\asAo.exe

Filesize
228KB

MD5
71d7f557a4b0562f58362abb6d9289e7

SHA1
3e4dfd9354a3a1cdbaa355b415a06936983bff51

SHA256
5252a1b07a2df4f7e3073225c872eb03eb4c019f56a52dfd9bfbdc899910325e

SHA512
8675a5682ddb3400cf38bdbc9cdb39455982c3a8044442d1349117eb082546b9bbff30922fccca515dda680f09a8bd4fa50dfc43c0d3f3236fd9144a76bd810b

Download Submit
C:\Users\Admin\AppData\Local\Temp\awAo.exe

Filesize
230KB

MD5
df4645f0bdea893e8b7734c2b5a8ece9

SHA1
875b4f6a7b537375ec9cac2897bb72b862e594e0

SHA256
211133e4c0ab4d2bc16b918b6b826880845967e97d589cbe02769c0751a4cd55

SHA512
8a929657a8ca2b2e17570e143716980e1d87f08bb6804a786e01d97056df7f5573e201d4bc761b82ee7f8d7126130adce3125be23ff0c4b8d50f49e6048e4819

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGAQEQcY.bat

Filesize
4B

MD5
91f15a03e6bef22a580bd792e4bb60e7

SHA1
800d3fd793bb2440cb47ec505f7010281ad731a5

SHA256
f65e6c1a0adc6d488aaaacafcfde140cb3f744c3a8885ad0d31c43b013fc1ffe

SHA512
18a5b30014394e825f6dac009e16fd250d1c29500782765f672da7ef3b881d8562aa12ff54c5f6c873ae6952d89abfa45e7d155fed9b63587afa0d5fe3273c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKokswgo.bat

Filesize
4B

MD5
7a34ab1e42640a495023fc691515fe3b

SHA1
456d3f3f90ba1880a7c7469c2c2ed630de9de0dc

SHA256
00792f8948680bf193fc1c01dfcfead8d594309dd1189fcdd7e508da4a0bea2a

SHA512
cdcb074ea8bccb4caa7798b434408e541490e3231c52bf32aaa016dfc0de58069b889ee3026dd2e01f7d316c6de62e815fbfc45e7f5b3de16ba4682857be3a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\bSgIMQEk.bat

Filesize
4B

MD5
c91ec516663c75c54888bedcb97ea0b2

SHA1
c9002b647b279ab1d179f1481a92873d713a8b46

SHA256
8b38ed69b4810a4cb41b2e54b779dc8118943540fc59b20bcfd477464c648c47

SHA512
624decae9b283f1c6d50a538ef3bd4fb6a215bc413e1f54b2e46ef42de5d683650f94054afa59320b03ec3612eb74e0b28b82a2e3fa5fd1621d371ba3b61c5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\bikUIgww.bat

Filesize
4B

MD5
d8f11956182e4a8d4a77fc7c2d42d9f5

SHA1
77a48e0aaccb821764210c51f85283d3f5ab9478

SHA256
d2063154c5d2f30b046fc42d534c102d5f5827278367598f1c8057f5477fcf66

SHA512
2d78e7c7a46464c7d19251343c2d82d1cd0b6c49b2b792a87ff05d176599e883c1e47642ea137a7c1de903617cb0bfdd166de932e56a108ac5d8c7eb2ccb6452

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsYogcYw.bat

Filesize
4B

MD5
102ef365c53863bcfd1fbd8ec69aed3b

SHA1
74d8d4c6e274193a6107002d0d3eadf266110bf5

SHA256
00fbd96fabe9fdb5dc2482097fece143ccf5ff4c619a214b2b1de3cc23c7840c

SHA512
94ffdd27ba11781d8da177c38be68f6eda99d1e006094c2fb2b6c7932c9f9f5454344289d1dc39ee9adc94efb3819ad673fa71118c20c85359a9dafd0547538d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEcK.exe

Filesize
245KB

MD5
3fbb5d89e28104cf265de5b77a3a0734

SHA1
00dc22fe20ede9c0d08b51f008481d6f260951a8

SHA256
1b6593f46964a63a485deb8010c0e575c778f87a240847dbab1acfabaeac5884

SHA512
4da41ff8a16ef3e5a8f73aad91a474693cecb27991d74855136a747c2442187c145151197f3bbca1346e8365c56bcd5ecf0bd1ef906db1c022ff283d55c28df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEwcIsEY.bat

Filesize
4B

MD5
20672b2bb574bb2dd16f2af01c3cec6d

SHA1
acb6d0774154c0fad3dac335fd00646152ba0809

SHA256
600770a145b4718c7c1ec292c98ec0f5d14de16889b4d7869b583c38c797b3b7

SHA512
aadee83d18813704b54f81eca24b93d14d85cad89b543a34f035da072e41576411301a5ce80931c0461d442ce3c353077dd9597b19e476a52eab4e2e9a134dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIQq.exe

Filesize
808KB

MD5
47df06e6a181b614f20f8fe92d6366f1

SHA1
5a6c4b129d3bdc5387d1ac37ce6fa922c499a269

SHA256
ec4e46c506c7a5353b3ad768f5b44f5fdc9ed12ff33b3faff931182f79ce3104

SHA512
8bfbb88032cb686fe7768da2d11d3c2698dafc3f0180a404453cd19dc9b4a4ef195e226ac370716da321aca53a2b43c2fa1310f97b8adc32e8afbd6f1fb06c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMIK.exe

Filesize
236KB

MD5
9091c36f3ab6a99be396c564642885b1

SHA1
f2ca7d6ce3111dd481b70baedb97ed8135a77ac8

SHA256
ee35c07018c7b72a6c38e342036c2b64ab8aa83f208957d8d669394cd1be1643

SHA512
07cca2091c396fd2793f39fc5c2bf2b0ae7b96d7d48be055bdef44dbf70d5114b552d503c9931f0b870a5efe39d0918f1015d483de7939f8d7e646d4c7bfcd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUME.exe

Filesize
253KB

MD5
979fef198b322359243789d59633570e

SHA1
687fcdbd59b602ea51571349b30812a5a126407e

SHA256
159556473f740be3c23ca59e1ffc34d070485988bb7b6a6b90f42584b100d54a

SHA512
389ff710b2a073887637d3872558302308515ebaabf49eb40a6333762ab97c1acfc84ea874fdd5f66ff0b70185519f30f7b6f45589dbe18a6465cee89e97279d

Download Submit
C:\Users\Admin\AppData\Local\Temp\caoUYcQI.bat

Filesize
4B

MD5
47b33eb1f10a13f8ed305e3a47099e12

SHA1
b03fd1efa43be1ee55ae7cea6cb72db3679661f3

SHA256
4d6d863b70d29b013b3d4eed076f482a5eb68496172bd11b50582c0893055a84

SHA512
b153f294e3d8c9adde5a16384d15d7deddba404e6b1f28ef49b1310e353589165ce4109dbd93060ff309316b7d2c7a44030ec948e7599a33d9f42c1e3702ff68

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgEI.exe

Filesize
244KB

MD5
4ca10c43995d2ade5a3dbce4ec081a5d

SHA1
dc3cdd213512ec7e2cde1e4d96b33e2c28ce357b

SHA256
7473fc2c11e775ed5f371131bf894db3aa263b1eab2eff625d6ac11e45e81436

SHA512
b106a823a80cef2067e0cf3df64787cde44d89953fd63eced3544cef6c5aace90fb4638acab252df72f20853aa6a681bcfdebfbe0f73364ca16ff8fdef4784e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciogYoMg.bat

Filesize
4B

MD5
c49d051f7fd92e73d4f629fefae65361

SHA1
9c3f79b2f865540280f983b6e0f102d8f69b73b2

SHA256
03d5270ec717b5f5ab2f29313cacfc470172de61e295efedea86fe2c89c1e297

SHA512
943bad28a3fd9cf91d0461f9041a9bb7c779e6b2adb84904b3af5668c859b7f256ea492c76511e3c0bbe7ba5d769ae87b3bce409b9fb454086643d3cdf95684d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckso.exe

Filesize
245KB

MD5
3519889162268a3dd9d2a2f67350bc17

SHA1
b7069e81c3bb204b93efb6dc949ce2388820c52b

SHA256
5c2622056d3edef101dcf635cb48f3c7f60d8bbb2b85e52d9d7775c53f4162d2

SHA512
1f53209fb6fd4500eb4756a00925d51252bd1854296d3d090d3b7957578d5d029778d4fdc452c312b2918bf23ad110493d5852fa4d613f2e700f4bb48e2399d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\coQm.exe

Filesize
247KB

MD5
2b9946b5683ab0d2e6b289f8cf33c514

SHA1
a94db7e84b94c37a4732e3320efa0a31ea1a0bf3

SHA256
43e7555860d0c6c9bf3553f587a4f17b8c0f02a82e1d9f9a0d7e98323860ae61

SHA512
0dd4a56c64fda064b923dcac5408d5e3aa0e3b076a5fd3e8030937e3f566d743d45a72168018c81618a822527d16c8105a93291e79defeb43289076cc6557a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\cogC.exe

Filesize
191KB

MD5
d2339aa41d2b7c0238cd4a0ed66b073e

SHA1
4951b19ba6dd60c10b679a28e32e1a4621ea95aa

SHA256
f6157e878fa3a5a2a34c198fa1a41ccdc2269e54993f137e4167706e1b288416

SHA512
25bde49ce392bb11ab9025c5ff44c54f8e3a27bc332d0229df106d1d767cbbab4c90015789ddb10784cd57971a2bd1600a93bc621c252296b34a6c5144a3cc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csYK.exe

Filesize
245KB

MD5
3a88b501d7cd73a6086f3c7782887759

SHA1
e60ea0030fb3a15876cfe67a76114fb325802137

SHA256
37a814519cd362c328884e02906032eaf6f20300378362e5ce23d6eebd0807fd

SHA512
c5e52d7df4ac4f599e2036149373337b77cf181f3d8bec3899de6d2216b7828ab52ac7f64a8e547ed965179bae9a4353c22511c8477eef68358e865e8b4e6741

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkMkYQYA.bat

Filesize
4B

MD5
d6b755646e73c26700b76ee1c4537ab6

SHA1
074fbe5b93163816a302942353ebdb907e0d0f71

SHA256
c1bed9de64fb6d46b08f82acf743d269586b8d7ddc7ae2d1ac0bc593ee1a2473

SHA512
a7742acc6db46912fb0c0c6e64b6fe83cadb4dcbee790f4e2b89fc99ac2561efed2e73b5c2e5c5f4879d2f4937184d97eae6e03e7d9f7cdd138d1f644b525339

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAcI.exe

Filesize
185KB

MD5
43d703f679edabf54f0eda55daa48a4e

SHA1
6366ca8d687e07ad2137f38dde91c58abd0ac07f

SHA256
351bdf6a54ea967422becec9a328452866c7305e1d65163152fd01b170dc5817

SHA512
5ace754ee8ff0a7824f2e4d890a85eca342d3dd1692a093910009261e59e1fa92188e5e96389e244f21620cc638a9c6e0f1e83a36b4b27562cea9c6ce52e4cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEMw.exe

Filesize
237KB

MD5
3f30264a9982cfcb87868f692b1acb0a

SHA1
98571ac45ba066f9fe18c5a6a8de37b7d0bc87f6

SHA256
faba2f76c9635217cf00defe1bfb879b5ee7f3ad62eefb6cfa8a8715c2e7305b

SHA512
679a2409459821d39607d0c753ca46e9a95ef9671bbf4a9c8a55dc0cbf98c971dbae41bfa5748884bd3d0b3ef07250d969c31a898c8e564b6691a40323a95c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUMc.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecUAQggQ.bat

Filesize
4B

MD5
526e46480f0399c1499662bc48749704

SHA1
7e1477470710fb2e798bfd76407906ce719410a6

SHA256
edd6d58a3df4ac15486dd729500c1c4b9b96fcb994e834ffa9bd0ef9e719c31c

SHA512
5f1330118451133fe3f930a31f578060d1bab5eb6e412e8fb198ae70b6049994f5f938cfc6dfbb8de0373aea5acab4c7ef20d468309a3aa7cc1e57950de84d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecYQ.exe

Filesize
229KB

MD5
e0144d46a83ba999fdee9cc402ed7cec

SHA1
043d16f20dbc05e979ff1d3f533713b340f4a9c7

SHA256
0ad25863b6d677b9eb5a1ed72c29ec0cb5e9ade3877e7b3658664df5a7d71210

SHA512
ecbe00d82f57d1282dc2fbe1dfeebdcfb2020374aa4d3ff169722424568d244093cabeea3c0348068eb4bb2a795b0081423afab77be6cb69d204424b3d21ec70

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeIUoYog.bat

Filesize
4B

MD5
1d5c19c55c35ed27c802154fc9a47453

SHA1
136132f50d2f6bda7266aa0b7fc3e67cc5bb9d2e

SHA256
02925ea060df2cc2fe388882f0f2fbd833fa70bd908274c9a8ecddc02e4ee45d

SHA512
688a7b3095ded8ee6e8032f06ad860d9d197ebc5279ca45f86a53dbf6d71618bdb08e247dea97bfaa737b6003d1779227ee8b54873b2076ec74e26c54fb61dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekAU.exe

Filesize
833KB

MD5
30ae314048a853d5f6cb559741c34d90

SHA1
b07c91d39fd7c22a452027aca630a91b8a5a159f

SHA256
09a8f988bd0ef9bfabba602051bdbdfe534a17f6c97669db1a90f76c2a5952c2

SHA512
9f18ae869f80b44b33afa33d5900fc15134ba343e42e61905cad769eae49debeee9b788a566a2f3724f2b3c31ff4d1494bfb073d93f65a932536b8c3a488400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekcgMswc.bat

Filesize
4B

MD5
923d8ef5146d4628b8ad52622545551e

SHA1
218e8b9878df092eaf04d233c41ceff5ed7aad6d

SHA256
dd93292896dc7e432372893ae9290688b132a309c99f87e76680005ce2a8ec28

SHA512
3e3e46e4f0534832c3021d83454a6d07ca711179429d6af81185d2310ee925bd865e542c288712e56188a8abbb4354f00cae88079561f267030c5790b455edcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\esUi.exe

Filesize
237KB

MD5
0088187abb4f280ea73faee68b326886

SHA1
2620357d8b233ec84aa7919d960a340ca50e2c44

SHA256
3d68fa259f53b410f47fec29561b516408d39c81f2a82aead05ecc0c12c4a077

SHA512
1e8d7a7c0c05e4330f9623bfa77de55035e428f5c4597b47f8a03bf62af9196cf3ac5d074af4307d1d290b060f8f3df4788719a7fcb89c3d6f9436fef05157cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fSYwYgQM.bat

Filesize
4B

MD5
9b93602bfa761b24a2dd62ea6957e9f0

SHA1
306e2f9c6b5fd4d398beea147d03bc6ba86d7db5

SHA256
574720072e132ec6f5c887c152491cf4299946c3dfe1e6456b49db6a6ace60c7

SHA512
df40a37e40ba2569f99d3c7e40e03ce9dafcb1a1112b5dbc4bd6b6b4897eae6975ab45337280a24296a64f5d7130d476c0a033bd804a0944eab8c1e5f76c53ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\fagwcUYQ.bat

Filesize
4B

MD5
89a2fdcc67bc55ccff748a95a609005b

SHA1
11b690cbd1f61ad3d72262b5cc79b38b0a0d1215

SHA256
3c802af8c10a09a48d48d7be2e9cedbec1f88daea7e621ce0671429195ec9c57

SHA512
90342faaab77e85f2f0fbbd7eadadceba43080551da15715580b9c925637dfdda8023036209b7313c21d140b4dd1433a98f4444ca7f4c74f5906bda6ecb19308

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsskAEMY.bat

Filesize
4B

MD5
7ee68274c2ea04d02d6b5eaa5899490d

SHA1
4e71458bb8f1d7ca599ec4dd0d5ea20ae2772039

SHA256
5dc271ffa1ca28a0d46f6cd9392d03162d36ea77c8d7f01f387c0d7c5624464c

SHA512
7fc39f88ab33f1dc4952ab09316b681d9132eb838bcea0997c647a7d4b12b6e9eb63e853af5ca404ec7c11ea26417fb4d552c6e54c9681386e04888c75251900

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEIQ.exe

Filesize
248KB

MD5
1bb156e90a7e9a5c16c09340c4c9bf3c

SHA1
9c2b9d81a6f21a57fcfb2285524950133dbb0f8c

SHA256
c4791321d200133c4914f8f4935c9c4d3767dc15d8845e907fbc7ea4f090dd0e

SHA512
fceba7f922f8d6f9e7c09314a7749e784f1c303bd50b0691d6848f7afd6e58e7ec3fa9036253b48f3cead0532c9d814442c77bd60dbfe58af2132765886184de

Download Submit
C:\Users\Admin\AppData\Local\Temp\gGwwMsoE.bat

Filesize
4B

MD5
880017d130461eda2e27a2f8645b7315

SHA1
bb10a5b2fcd7c9e7298338fe4a2e60725129455f

SHA256
b4e5b79612cbe3d61e3cef1ab7eee4c00add3efcbb91a80ad8457116ae2363e3

SHA512
ff7bc3a79bd2261af9758968fe05bb6af1155520ab0687684e453c74f5bf313644703d0dbfa2e0e957271b36960c9cb901f605f8101e42ea9785f56716c3139a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIwcoMQs.bat

Filesize
4B

MD5
d62e5d631a2a77bda48b6b6befa0fdc2

SHA1
1975c7407cf0edc2f8f43447d0c817822b3c11c1

SHA256
c7180c9ee5da09d0ae031d0da743c998dc193661810da301e46f9c64b47e80d7

SHA512
c9cedb1af52c4a7c37b186340e5c81fadde9a9de94330beb6540b9f1c90e0b6ce44e06859c7d474c1a73fb3e0f04bc297a286dbdf3c143693d2c710f396d0415

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMUY.exe

Filesize
235KB

MD5
e38dec4ab7c7eb3d8decb6501786072e

SHA1
a0327cfc4ec18b846fe4b826a72b37527eecaa97

SHA256
e702654ced45f1255f581d130bc461cd5896abd9e54b21565fb868972502a4a5

SHA512
cce35a25f68f1d8439914689ce05aacf6802f451ebfbf58a116b50daeea2c733ff40e1e99090aa02458fe566efa24d7c8afa678cd20419c82a3a146eafd4194b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMkI.exe

Filesize
241KB

MD5
32681c1a46ada1acd412fcf18e6a52ec

SHA1
fbdd5cf2d26c6d99f0d5ae7f155444bd85a8ea7f

SHA256
eff31598ead25d5685e47d57f5efa0aed30f082ea36aec9f2ac1ea13a96c7e1d

SHA512
60faf5829dfeb636117d47568407409202b85cc30d06ae6d21df90dfeb7751054958ad99c6c084f73c303c2190134f2d8fdadbc30d219e9bd7f6e6db5ab1522b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUgMoQkM.bat

Filesize
4B

MD5
062a998508263f3d4ed8a7e2cebe113d

SHA1
4a9a4a3c584b606041df78a9747d9e5a6373f4c1

SHA256
c7e3a1226fc3062ae310152c5d5c4d7b85cfe948dca97e42085a046d88fb00b2

SHA512
bfb7ca065ebf0f6b0c21afa444f4590fa5b48515763ea2e3dfdf6ad2ff19c45a62b89f702d61e7f41e3f55b63826d24811ece22f1f1dff29112e051c357ba1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWsocYgM.bat

Filesize
4B

MD5
1b06cb1622d29b60e651bf65d8d8a501

SHA1
6f3103a2f47759c91c1d4110ad0165df52ec95d1

SHA256
d44f65796e9cf465f6ed66938901a377fc6dd63148d503fcec69b7305f3318bb

SHA512
55c7e2c597773feac3e20046108efe6acfca014ee70f3785bcfb3d2bff467b3c3918de9ca5d38a0fce67a7ada28c357f8a061331b81b10ed08dd8e24418df462

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYUY.exe

Filesize
242KB

MD5
04a3d4ee6194495acb2a75236f17cf27

SHA1
58fb42fa44320579f537a44e12bab2edc0eb27e2

SHA256
a173172ddfdcf0e4b80d74bfb1f62aabc02b4f1178b7af1c9a7f5bac7569a10a

SHA512
b1aac72f82c400088185a2bad492828ad6f99483aaa1205eb1814a5b47ec4c5897bf528f52b78dd21c469c0045d21adfa3342ccdab13bb4c106e563c07510320

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcwU.exe

Filesize
4.8MB

MD5
a1256ad08cffcfdc58d0e91b33376144

SHA1
02b64dbd1901bc28f5f6827778dce1410e06b57d

SHA256
d9a3cab6ecba77bc49f0213f1595d18288561854d3bf51878f4729c404d7e137

SHA512
956075b24682a5f4af7e9b8fe6f7802d0b240ded103a268ae8078fa03564416b31ad4452c9ea4f0a55316bea41047edb4fdad99958a69e61516e48499e9ec71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkAQoYcQ.bat

Filesize
4B

MD5
f7745a39b1dbc55ebfe641218cdfb30d

SHA1
c62b60d2408ad1673d1a17d7a929719fcba5045b

SHA256
c0556a7fce6f3eb75aaf782dcba1635c894f3b319328773dd8a203022b4829f2

SHA512
d5fb48a2eb6a74d685e70963e7e5b4498a998dd92bd2382755a530e8dfa2b8acc1aed03050f1962c897516a3a92c4568314300456a27a1dd249b67e296b24427

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqUAcgwE.bat

Filesize
4B

MD5
d1d90ffc07d21baad35b6e4188a16bfb

SHA1
53565289f8cb786f8e8b1c16bb5087c71a3d19d4

SHA256
86b1d195171dd7a2da6f431f62f850137703eace1890a459832079607ea30948

SHA512
f0723dc00947d1331fefa43f3898b29d618ca48429211cb20fb85897c7feeb4684467d37df246b34d21dc8b5e76e789fcacf4572ed45070fca0d07e0fa696ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqcoAQcQ.bat

Filesize
4B

MD5
df1150353ed04e8803d873bac9ac2292

SHA1
2dd8d0cd382080b85676ffb5d25b16670e67c612

SHA256
4d7337339a080f4000ee9d39cc2cd79ed653832705e6c8647ae0ac52cdb5c743

SHA512
d7f4f765bf80fd83520c88fea1d97e826723abd0b3f57904dd3e676e2633ce8873ff7bbc4b6a6819c530fc89c4a22a7a443b0b997e53a9735531cf89e4a0c90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwIC.exe

Filesize
1.0MB

MD5
22b66b7f3f9aec5f85ea8b1674efca9b

SHA1
60c1940ee7c183c85114accc412a2d906f10bbfd

SHA256
1e2c97668fad3266b3971860d4b4f01bc03debfe74be1effd2861de5b4ac576f

SHA512
c76049c591017334672867da57ac3d4403dfe0d7a64466d3ad7dba03c07638c2eeaa48fb68d2d5f237a146a106e9ce8a156d4b1d95e8a592950af8cbf3e2fcda

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAAIMwII.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOgsgUgU.bat

Filesize
4B

MD5
81a79053613863c4e0829130eee2ed41

SHA1
945c11d491e2ad79c4229fa7f7c6c36f07a9a733

SHA256
cab46edc3f8cd2b3882a6b75b424083ed98bbba7dce1b58ed3a23fcaa33c04b6

SHA512
95f26012efdbcd981932cde26135bc6eda46a1825a63fbe146bc9dd7f7f8aca888bd691b7dbffa4ed1add7550fc44bc25be2dc75d45253ec4960e175986bb0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\hakcAYcM.bat

Filesize
4B

MD5
5d4a6120cea271fb766fcffc461697a7

SHA1
3396ef8014dcf6a8475f91472aaef3f849087af7

SHA256
a7a0468b48858dd499f4bb355dbd3d106fcea7debda83fc3aeaa41a8d1e6a04f

SHA512
76f2a4b6b94dcff612da9c473d53b2bd59ef0e5f467383cda916486915648cb0cb959cd280ce02000a39bd93301975f4a7fa620b71c8e010f372c56b2e21e5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoAocIkg.bat

Filesize
4B

MD5
f9c0cd4bf107bdd5a9899178e5ff84cf

SHA1
30cafaa8d28833fcbbfe83e2dd0d91bc979c13ac

SHA256
4df54a6f7dfad9748321013770e4c69c2875b3d1f8f45f536cacd92722162cd6

SHA512
e69c1b52d0b01cdc4a207e83012ff4b2980baa06b85b8e84244bbd8ad1d61bb429ddc68e32f21e04664a1e0f056f8e3fbf839e9e300cb5b31677e25e2f829256

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEos.exe

Filesize
656KB

MD5
d5b1e9a7f9c5b96f7b5a43949a6e9848

SHA1
6775510dcb0dbf954fa7a9308caf0ae66b40d769

SHA256
f8f2b8a5df4e0515ff57bbcc2840b6e4a31a8512ecf23aa101b5d99f3ab6f98b

SHA512
f2d23c64641df4534785ed4417679d332def035bbbdf13b3c0159a53e715c190b972d697a4dcaf222421eaf0fd56f00d3106be083811e3fab59980b164134f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGAoQwwU.bat

Filesize
4B

MD5
f5301b7ad8e1200b3c83fc2f82b2ad1b

SHA1
1c4d1a76c3fc8e8cb56a708744ce2f463c31d09e

SHA256
62c90a0e355cbfeb323674370e9e15923eaf285b2103aaa84c449df4af23ef72

SHA512
417afdf66395dd8728ebd1847ce7837e7a38b8323e13159c0547bad10aa775f703de1d57019063993a2c1fcbfe4ebd42caa66684bdd78b5c59bfd64284643eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQsy.exe

Filesize
193KB

MD5
1ea5bd67d558a4359f108afd8bc89907

SHA1
6ff0610279ee694097e7a9d2842e9f228d93fc03

SHA256
ae4e22a0df4b0a819b08345a540c2c39c7340e5d006e0cb1ad46dcdeea971aab

SHA512
29e5e14ed999c008bbaee60566cafb86880fd18325e742f3844f12dc6dd449a4416345bbe6afedfbc94388be1edc7aa373d180f14e07691b411837cbdbb98795

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUgG.exe

Filesize
192KB

MD5
24505b45945dc5af11944e55c4e0285f

SHA1
b9dccf5212d092bcb7f35168179fc8acb5f128dc

SHA256
2cde4ee1f665494a7c318a52243b533cc06e586ce4bb40a4ec4e7c49e63facba

SHA512
8a15d50983f06c8aad91ee02e7471911e33f00a113afdc614f186c529ee8870029cd5069383a1237af78841b6f734e0fdcf5434297360a42946363aceede8810

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUwc.exe

Filesize
322KB

MD5
d5617c592e72b2fb0bbf0525dba46cad

SHA1
589ea3bf18b0f49d6f9e12234a316807ddeb777a

SHA256
7300b4d0ca607774f7501ac34e8d0a1706903254fe6e3bc4eae484a90eebafc7

SHA512
3d5c43d021e7381140779bf5a2337b905559140e56d8fe697cc6bb17c1fb5ca8d6c39966a5ca37bcf8608addfad3529fa36e608ec66ddc2c1a1e7d20e1b4f31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\igME.exe

Filesize
192KB

MD5
7e9a7562394e43b8d8b40426a585b284

SHA1
9637c10070428c3d0a764fd07ea54bc00642223d

SHA256
27844e4f8e0f1b579e83e2dbc4e6412960a8f79b86f469bca4d8053a218f7e13

SHA512
0a6afc7b632d3f008e633d3c54214fdfe42f3472c92170a8f36a712f2fb17ac9c2f90c37ec2e0ad33cc8c128dc0b99d5ac0494d71745c473641881066d3742ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\igwQ.exe

Filesize
958KB

MD5
b0de96933da27e6432b14865a676eae5

SHA1
efa41078fea62a971a7b67e8e5918d9196a00167

SHA256
14c507d6d0c64f3f789ca3922405f2900ef9c0c61c6b79e591405f54926b5205

SHA512
e5263286ed851590fbf6d21cbd45f1945be0965b1e6276bb38e869d94bb0085f47c902f64d44786a9401dedcb21abf349074f172f59df543f3214b0870417069

Download Submit
C:\Users\Admin\AppData\Local\Temp\iswO.exe

Filesize
249KB

MD5
4259ebf93afc8b2bcddbe879d3c3dc0d

SHA1
8a0fa4ccf12699953452e2f55a5de50551eaef20

SHA256
86f74205f3009ca81c626d9e655de305ed79b4e73b3b3bf1752edd306a1288dd

SHA512
c7dba53cbe1897874f953ac30efafcd03932a0d3c25818732ba8aacad0a46ad5972be61414556b9a0491882a8d13596ce80e032c8ee1faebdf8626b11d4181a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAkEMEgk.bat

Filesize
4B

MD5
ead17e4182aa55d9dd021c4cdb4afb09

SHA1
c35e064864bc1d33a1b5fe3fcc94569a540bf407

SHA256
ba4e3a0dbcf0695dc434dc488c60b0c01a72df6ec04b4f408192930cc60cc674

SHA512
4c5956f9f0014933838f8cd87eb0d9b87a4e297482adf533cf63413099181cadbab5c487fd883e1678116c6386c3e7b397db7a3092a53967f871e0ddb396684c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEgwQIkw.bat

Filesize
4B

MD5
572a2d288199af570d26b262c628c31d

SHA1
b4857e2f917f213a56db499f3ccc1397ef7c4284

SHA256
e0ea92212b213bbc47ca57aa93dea41a15f97d23ba5151abd1cf0e29d66ac65a

SHA512
034bb55573a757fca7ffb64f7aa434bdcced65931bd2c57970cd384e83de478640291b69603e8aef2be6342f3df3fbefa3c657bc89368199d7de140d643cdd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYEYIYMg.bat

Filesize
4B

MD5
145cb9f14e5de74f520139a29f259f7d

SHA1
a54ba58e17b75845b21366cb4e4236165b5fd2d6

SHA256
cb99e6a00b4f0dc78d58dadbda99cd7e39fdde148ee66a945ea9a72eb48b32e0

SHA512
571033df48fe4619546fbc18118f4d246138a0bdd2df58b0d7c4409fede9359b65f0fffc4b68fc9d10702201a9fedf26bcf1de1005a305fc1d54e9075154df18

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcAMQAEM.bat

Filesize
4B

MD5
8d3ea100d7d7c4c78ad933ce138367d7

SHA1
fd7ef33ad6fc2f3ce79c13977d4209df642d65f6

SHA256
5859fb0cc11f22915b711c2102906e2d75e28b714de5c8f6489347a2e248b50b

SHA512
799c665dc86a967b30bd1f17b4a763106504c3f417afbb08292be7fe0827ad19af7202132881db50844cc28e510c54156ad753fa5378e5182ae2aabf3656b4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgYoMEEo.bat

Filesize
4B

MD5
95d6e24f85ca9f1f7f2d1f2c366f8407

SHA1
c41f981000c78841db90b91d15ca8a14ddd47fab

SHA256
4348c67d75eb96ed4e1f9c32ac82d58f87932c619be6b94b1522e95d083b1c91

SHA512
6259c20ade9943dc0bd75b26f5acd8d7a0754b00314f7b9d9e08fa467b455c0c093c05ded6d40c82b14bd571121a392a8afff23ece0c313adc884e5f67a49535

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEwO.exe

Filesize
243KB

MD5
332bc62be52ac1e639eef12846688a64

SHA1
9546400f56811d8bcf27754cade35459f724c601

SHA256
a209f3a124c4f913d6d365557359ba3024f675b3344ddde60ee058f28d48cc2e

SHA512
f0c835645deb01c8b72179dd45da64cba9c84150293f2a8b7f8dcf992aa31f027d114957ca25974b17129442b5c31ee99b11f03e91b0062accf9d26a4b6c8b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQAm.exe

Filesize
246KB

MD5
95e404a984d771ee1e7e9ebe7c9af8bb

SHA1
d79233e3d87fa12f2830c749fd04ff9e19301259

SHA256
bf20d1cc59e66b9c19d287522670d5b3b43e4fd417e8c3bf2bfe62a7bfc08ef8

SHA512
b012a3be8a97e1db19e0555c662292106f38fb3af1a292aa59de107d69c65e8e14dee6657273cb387325969c83c8e7c67144219332708350eccfe5da39d7eff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKkYgUoE.bat

Filesize
4B

MD5
f1dc7615508969677bcd22daacb058d9

SHA1
6033746dec8916048af837543a7cb788c2528231

SHA256
dcd3e9ecc4df689067c335e706d27fcfe1ff25e65d5c919d191f77f1e8317e10

SHA512
6de70ab3b6facf0136b1bcadb529932dd9a2492584fc2184813fe8e0aac0e4cb4af1d53abb5515505a704a8a9fe8f1ff8867e4f9f2b70fd3c844c05310c423ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\mGMMsUoc.bat

Filesize
4B

MD5
ac651375e55129d7f4b9156268984662

SHA1
23463d9fe5f8668a49d0607a614d126da62d72e9

SHA256
baf445a8a1a1f2331ce12cfb1a6a72c11723fe0e991b0b234447cc9822411d8c

SHA512
170fda19c476fc2e69445183169a9cc7ce100fcc493c567ee026e6a796a89debb8ef51f8baef1cfbe8ba9dc24a514ed81b7e44db24a86076dacc55d74fc08c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMEo.exe

Filesize
239KB

MD5
4e602e3d1e30652cf85f6498c97355c1

SHA1
80034a751d016e9fbfd2791859cbbe9128b6d168

SHA256
8227e9849c970a0cc9937632082f41551b4eaac49a688152cf7870ebee8af515

SHA512
1a2663a06823041fc6308af0a7761e09793a00867357d2a30b746751765a50076cdd359710d9921d2fde439aa77080bfaf5a552b2e2087eecbe09aee072409be

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMkggUgg.bat

Filesize
4B

MD5
f57dc521073593ffb6157574c21fd4bc

SHA1
6223fa308dd2b3dde4c0d2016d2f558a266f5b88

SHA256
41c16660a27bc9883f41aa856a2597bf07a056450f3b47f43b42828a59e3319c

SHA512
4547c820a8d730bfaaddd293fdb1a4dce521ea40f7e557788d40c42453b82b296e0cb963d2a182eaa1d1911fa5c3ae9637f5228f0bdd0e9d79bdab4f090cb812

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQQQAQos.bat

Filesize
4B

MD5
c8b028d7d9b4d46e9017a6d9fa5758c3

SHA1
801961034c15bbdda4135d9e55c152146ccaf036

SHA256
02c2ad93989e3eb3e046d8c4c9cdffb8a8fa7b17d38a8b8d32edef1e8d9f724f

SHA512
9068e2fed0d77c45c6aaa160fe0abd339d4b79bb91f0dc003e4d8c9038d7f78422b043a43dc3549ec75354777915a89b608445469c212953b19314cd14718018

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYcK.exe

Filesize
242KB

MD5
ccce5b2de41548f369bf390e24be24b9

SHA1
7117536338f46100f611eed3a82843593e0eedab

SHA256
2d24819b43fa611659e4f122329d0f8e31c161525a2a3d09aa742b3fca1e28cb

SHA512
6c15dc4690ce9b75bfe5a73b8ded6f99383305a53143767c15e4525f57a542c4163c9094bad7be44a085d1e450f04951451e4d00d06f48d75974604ae83ccdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcgYAkEo.bat

Filesize
4B

MD5
0616bd99f4ea71676af36ebd0bf7e670

SHA1
4ff1188687c042ccef05affa0d8d0eb6991d5217

SHA256
e5829c96a65bd20e05060cb36346a9caebeeece83c7595e5b13997e02cdbe4a6

SHA512
48ac2ade714ddb73e096059b8aec4a33cc9bed03cd432713be6dabc2c195c62f323bba6a525ff535583ccea2b6191faf4de89c2755b8e422d45c5e9c2f80e785

Download Submit
C:\Users\Admin\AppData\Local\Temp\msYAAwYY.bat

Filesize
4B

MD5
d0a78b2fd2585cab0d36cd8b2e6d7d9e

SHA1
23b1063c4fc41820d8f274447123e7e8a2148153

SHA256
c95e55eb71560eea93461276adbfee228dcffff5f2cf83dc6c7940b03cc4f895

SHA512
101b006d9ae0883a944b80de73f84d2d9e9d07104f13aa81583e159de7767f91f55d483687df41039061c237b601d1b80ad8b201e355e9989dedc5ea0429b24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEEq.exe

Filesize
207KB

MD5
1d382b208b79b1bfeade0872228e5632

SHA1
4d58926067429a69643dc018014e393aa5c361f3

SHA256
68ff111675a544bf718c25a79ab764a0f26147a1776c4d63e1ee89f21496bc0c

SHA512
b84a26593dc0de6ee5afdfc24206e9df9932b7aa62bade9d1575166fcc10abd01cb52d57f8f4f48928fc5bb05679d12f2e1e246ebc111ed5b2ee477e6215cde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEsi.exe

Filesize
239KB

MD5
e8de2383de640a3f8d5a066af8f552fe

SHA1
e85c6759548b3e1a544fefa24b8e1402097a3467

SHA256
b55923d3a07a1a3ec78c84d62e86ed3227351162032efceeb021300d9040944a

SHA512
0ea719bcaf54a5d1fc6ba82b99cc95ec251341e201e82d1f549dfa704bc983ebe74bbf943bd13c0bf418941b7ba692991a52dabd1ae2a64a29741bb1f6f4845f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIoO.exe

Filesize
249KB

MD5
b102c695b98d1052b709d8418233dba1

SHA1
e1206525ca6f4c4fc7011c85acc181e37b406179

SHA256
e75f9e543d2e8c7e2e00087324dde4f3a01a5461094df37098a3d501d7b033f3

SHA512
9122e4d747dc597097ff52a25eb1d94e586339849ded8c8abfd0c91ae73e206ec8d7bac5228e09078174951e437e6d28c0bed09a6ffd10ccf764e19124e32915

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUYW.exe

Filesize
242KB

MD5
26c935b2c2ae3685f4ffa252f670fe0f

SHA1
8bf6832dd381c30fd3e341117e43d1f243f9f2f6

SHA256
f35cac09b6dade01e9f1c4f5f2ea4dfdf9517a7c28e8f836306a6a1ae1d760ec

SHA512
9fca6093d09b94b99a2d9193308e4bddc89b58bfa93367f4c455086f8362a944f286d6501529c73f94ee4e3db1a5eb9aa3ecfbaf852b7bf6eae700284db43caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocEk.exe

Filesize
249KB

MD5
bea1823f69509ada5fc64e20fd99ac4f

SHA1
64057365357281005c836cf09ddf3efa0119818a

SHA256
15c655e45dab5240c9ef4662073cd4c094ac89d0be879f4ea45f0a69f92666d0

SHA512
5c406651e669aa7f64a540168d7c9e43c5bb3fb78cc69dbfc8340484b9cd5f21236d2237ce2c75e3fc81e83b7828589fa3d544fc6cff3f2a3d0da8c47ed814ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\poYEogsE.bat

Filesize
4B

MD5
478489fb2c93d87c428d73310703da8d

SHA1
4c64abb1b542e56925cd1660f33735822d5c51df

SHA256
b42eed96d191f92562fec513dd6e28a5ecf808f2a7b55e68a47d3e7046d67e54

SHA512
557c8f6a9a74d6527198fedb91c82c8eedacf9349485f04b442015d62c76b196a2a76a441eef951503246099ab0c345bed6f1c3be9254b61696d081bb08f8cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYEi.exe

Filesize
250KB

MD5
21e5f10c837d1b2960189c94d37b83c8

SHA1
ab7a86fed5ec62e2162f604678edf814ba002adc

SHA256
8efa57dd1bb9952b3f075a598b2de6e4c44e7d7df5d259ff591480d3a045877a

SHA512
ea65bc17178550668997532ec93a1baa70b988013b633eaecd93213f34ffb9e0898166f1bcc715a5c3cda0ef976b6fe9e26fbeaaf6e8826007f4654a16b227d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYoK.exe

Filesize
943KB

MD5
cda33f063ff8e1376a81f237d1c2f33f

SHA1
1c07382bc7abe333565476e0db77893420a7c394

SHA256
4ef1adc92912ab26efdec81b9d91f021eff55c6a9cd80b34216a40bb4fe9cd3d

SHA512
88ce4b8f37fe3844a1688994d933b07199fa89e0127af77a414136c159e873f2f99c7a970eaec942104f90261c02945a22ceb97ae396b4db1cef67e56c287611

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYsO.exe

Filesize
250KB

MD5
0d295413706b65dd060095f325105c26

SHA1
40acc3855b9d397ad9a3ff11468b16dc820c0749

SHA256
d125ad7e144aba3b576379e4e3c1a66d1fdd044124637fb4e701138059e892e7

SHA512
8433533ed4432ecc1849fc1a0fbe70a5f4febd24f61a1ba7437bb66b9a74696fde4d3322505f699a6ba77deed3452e94f237cde3f0a28875103889ee0c33f88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcEI.exe

Filesize
243KB

MD5
fa4bc9fafa67a4f8fb90a5de76794920

SHA1
00e73e497e0ba7657d6cbeb0b92fa6a70fd1beed

SHA256
0caf503a1a08c3dc731efba8d08b2891e8d596eecf6a146efaac7f47a55fa089

SHA512
6ba50030f020ff58b7acc2fb82b492de023da75f3b15eacc9d6e699e9fe3f791ba95a5f51453a9ba9c8242c37a606651f03aca4c9719b9c5f601c30ad48cc6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcUy.exe

Filesize
237KB

MD5
a523a2b5229cf5208f02ef8991319999

SHA1
bc88846daf4db48cde35571480259835941b2af7

SHA256
60a5b62dec02155bed73d48b79986fff8af152c1ffe264120d4a18f913e216ab

SHA512
185aafad5f54a85ac06578d22e2ad3fedd0a2662634469b54fe0ea4e6129bd65118a843f743964c9a2426a80b88c56e3c0bce5c5976098f1c7d4c649dc0cc50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkgE.exe

Filesize
246KB

MD5
ffd1277e3714f6a3a26d6485dc336d0b

SHA1
8183ea34d39e55ccd3ed40fb641b61768eed12f4

SHA256
b52147a4a95e454b0bffd4751f2302672578c0b8cdc04ed39f944ac79b879550

SHA512
45f3c188637d1e181ae7d3fa24410b413209788f34ca703ba34e938c7f543c6c59f521d5653b30774cdd1624210edb8e911bbea02f7ba4a0634165d6832f1b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoUEYAgw.bat

Filesize
4B

MD5
a14d7f4c59c51d0de6fe80c099407b7c

SHA1
ebaff973bfece602a50f84d49856b1c762c90a21

SHA256
86bda5f0e0c53b5ea6e2f8fbf3ad20ea11254ff4ebea8e1f9991a170d7239397

SHA512
50a0cbbe96f0d9a99b77e2edb0ca704510f24b5ba11842da235bf3519cdcec6161f07cd340480841e39476911fe5ada7421a3f5e2d9a66c0aeb9fbd9e523b069

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoUIUkkU.bat

Filesize
4B

MD5
c42eadd3fdd47d908c0fd3be5c8736fe

SHA1
6aff36bbe4c4d994ce13473dc8c9beb588b3be2a

SHA256
1421a77eccc894eeed2246431a027bd080ec1bfb35314bbef3c7fd8c6ed90e7f

SHA512
508b0087f3e5d90e550f9830562fcfd48135bfb6eec8c5db75ee8bd952521d0cfd29726166ddcc1574a53db0ddb936ebd885c701eed676d6facbb0d0618db5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIskEUAc.bat

Filesize
4B

MD5
9dc1aafe91c455705d171c88fb941e4c

SHA1
6014b8ed14519765ad9c6f8736da9f05ce0609f9

SHA256
546a4ce9f3430d1c599bb16e3b19fa78e93325255e2401862aeac8842f6c148d

SHA512
a2767e12292ab15d03dfb200c76015335543ea6cb467441646b76d3cba91974937d5d1eae112fe91f8bd2182e9fc475e78fea1df85e9865f7dd772ad9a921522

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcAocsUg.bat

Filesize
4B

MD5
ff217a59f7926478fd2121f41e0e0091

SHA1
dd7ad3aad38433e34111d00b9744e8387c9821ee

SHA256
0a1f35cf79c628908478bc45ac96c79907867597c8753a30f62f56a51f704346

SHA512
73f8c0760b5095f99d5b70f67dec268375855263fb96e1a64c9e223f9bb2fd0cd5d8b9c3c8067b57f230992b69c44345847262c2dbe2baed8a90ab3c97c63f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIcIEMcc.bat

Filesize
4B

MD5
543320a8f8a7e86f0007cc19e4e12c32

SHA1
43db78be1ee31b42d1489b49ef4ceff31cafa026

SHA256
abc9da105c592953100a91d5a9ff2f7ef18d57f507fbff983871df6cf8869a2a

SHA512
64b00c22a4ce9b6b0e41fadb1bf81b9dcafed1af799fb96089a5456c4ddb2f7ba2d364238f469bc5a093f4a9cf7761205a04fb02d48b8bc2a6d17381e7e12f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMgo.exe

Filesize
198KB

MD5
1a18cef087607d2ee0bc1f020bafe4aa

SHA1
424fe9afb829967071cbb70317b840b7f6fb3f8b

SHA256
0dc9dc1d784bd894e1449c58e593fdca40da0fde4d985af9391b18ac53a651d8

SHA512
4f17d540776f65eec2e0d3ac1d45fde0b5028db428858eb408dff05b2f6df2d12ba34b3baa957e97a9d8375045f2378a312d1eaae545ec562bbab9e7214635f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQky.exe

Filesize
250KB

MD5
8f585d7c51562890c343ded0b848cb51

SHA1
544fc3e23b0150810b307e2b077fda6e64a17080

SHA256
50b6a5325657a12f2c612b8a7554512add0dfe3beeaef496661ad108a36ce4c7

SHA512
c62252cdfaf16ff5ee64e2f5580c55c58cc28dfb8f6655f55d48075e69f0973198e7edcd7cfd7739fdf6df3188f12d97d3647869793dc33bb44ae238dd73c139

Download Submit
C:\Users\Admin\AppData\Local\Temp\scII.exe

Filesize
244KB

MD5
7d240b887ecccaf3ac62b9f2bec2a2ff

SHA1
dcdd72061eded20326a2270ba1dea9bc84718e33

SHA256
f156707cc9c9cf5b1f88ac9fd186aa8ee61561bbc1b5ffacb1f3638e5cbcbe99

SHA512
4f91e95b6530c36b035fbe7d28edfd4850192d2bb5a12881a3ee595b6653ffb676856ed3b74ec6049651b26c3b37d852e0d474ab41f9481061639197020ed040

Download Submit
C:\Users\Admin\AppData\Local\Temp\soQc.exe

Filesize
180KB

MD5
64d974e9b017da0a2e0110ce2d2fe5ec

SHA1
9545bbed7f307983853c6e8b11a7a0da7009d192

SHA256
f19a26edd19d8156bc725dc36e43b5e97834ddd32ef5039d14fab0f33912f11d

SHA512
d93a47123812b0c6890fe0635c2ad955d895edb5ab581c3535db4bce0f94959a77e1ab3c66b51d9d98702976919d6a9b4eff29fcb6a91775281f49b26af8b962

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAgQoUkk.bat

Filesize
4B

MD5
977c5a8afeb4465779a8f72bd9f0d0eb

SHA1
9ec27f3bd6e2caa3c7ef381d56bd3dfc4a692db6

SHA256
36d40b43f8276591a335b49ffee7115f9fb69c6f55fc418a41c4019676e96f86

SHA512
7eeeae11ca1b451978818aa3ec1a1a3c87510ba474e1966ae6880ec808f518fc2ae8533038139a4f1396a7231e8fdfd9496a745d0e14688280525a70d3fd54bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEEckkUA.bat

Filesize
4B

MD5
0f0090d6f89d3a5b899e2be7322c5ab8

SHA1
6eb3002739001f3ecd83efcebaa0fb8e4880dc75

SHA256
6784359f745acb277879279835c9e6cea987bf39409be301ea5525e8c1907329

SHA512
9e3aa4b43851c5fdc122e88d19dc3b03ea85f69117c6465d7ab90ca83fb9ff3a963956cd943db3cb2a5a9e0e54d9e6dafb1ce3427602098cadf20b5ef5ea7303

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUoMAkwk.bat

Filesize
4B

MD5
c66fc5fc35523cb0dbada401d0f7d81c

SHA1
e4473c3e63d594fd7f5ecd5666f43834b27f03bd

SHA256
2186a25ccda2b8e8bfac8f0148675ae853e88e902fa7de5b593a93cb10209d90

SHA512
3c7396b88a6156c773b39c99e62db931dbf14530d237951848d47aedf03575a9f7417e3b9166666f7bba54daf8e6d20a4187400be43d116bc8bcd270ec372ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\twIwkkUY.bat

Filesize
4B

MD5
1dfa6e17578a09dabbc3d9ce507b37fa

SHA1
4097494ceb9ce0d249532ae14ae19063a516787e

SHA256
e634105b0d4c9c6e9e8eb4c33b4c91665f79893c96d28eb0fb22b86b331f96d9

SHA512
476b2d08411f6ef1443413681b5e12a2c5abefaabcb1260e46b35553608b79ca9730811073dfefa170682c1f5a724d21e7cd89e661f08c0c44139b93b85511fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEce.exe

Filesize
249KB

MD5
e1e4caa65e0e5f347dfc1a80b9c67078

SHA1
dad37b0870b330a6b10e12876c4aa8dd0a7e0e81

SHA256
906425f08e811b1f10107555810fc6489b2d8b896e92859aa93cf79fe85bfc0c

SHA512
5666e2cfea98c29a250e1f56ff6512cd56f35950b59a66c203e0bd0c5dd5088676f65a4446aa0f5820eb71126b5e7b1f7cd533b71d72e77bb5c17c5391fd9681

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIMAgAcI.bat

Filesize
4B

MD5
d049a27fec03b2408a6ee403a5de0295

SHA1
8659809ab33bdc2c36495e4da1706755d0964573

SHA256
07773c40cc617718c5d43b1f75dc39ccfeec2ad59d8b847a4c8931c58a10c441

SHA512
9b142e145f59b6bea991f69c0faf40d8f371475873ad007e83b083777f76da5b93cf569136dae7fa6a3b965d7a6dcb6f6861646694108526076089a766bcae12

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMQG.exe

Filesize
228KB

MD5
363cadad9673a991b4c8ef9ca23f73c0

SHA1
ac2c9622642e5a70b003ab70b14df23be3d1f2b1

SHA256
1170a582fd18a06b6b6d1b4a065f20dd3c4c574f76a4bd1234f79f3859d446c6

SHA512
031ab6ef54d0c023f6ad2aeb1be963d99635643cdd8ac83296f42576300e85db38c0f3dee416245531d6910ec0872b68c9dd0a848465a9a86df7ef11c9c648c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUYy.exe

Filesize
320KB

MD5
14e85009bb35072d88c8648a10ca52b6

SHA1
7caceb48cb9604499f32b10c1bff677946bdac51

SHA256
ad2f61cf0e6816a8f52c9230bfd846f211aeb22691278af31e37ee658e228e63

SHA512
f4be9e0239981fd789575fde733e1ab7de99eabf65df42fd4a28de1ecc0600a1443d018ae2562da84d09f2ca78aac39d530f31a77871ea33fa8c2f7d2e2e399e

Download Submit
C:\Users\Admin\AppData\Local\Temp\umkEcUEQ.bat

Filesize
4B

MD5
44113abfa7854d988905d00d0734ca64

SHA1
cf6311d02ea548f59b74c42333a1922442a8d7a7

SHA256
4125f80769d2c781920cb2ac05f15971669add1fc69e3bff554072021d46a6de

SHA512
6d848dc424e164a661b29cbd1f545e3b5d7338bcef2bd19bee0b5143988b1ed8663f19fd33f3fd0a9a22a2f463ac9f59bea59aed77ea94f715c99eeef036f161

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwEC.exe

Filesize
246KB

MD5
137e1415cf65bf828e2d1960299980bf

SHA1
d63c8e9d3e3ff67eac6f19d94b68b75f735d731b

SHA256
a95e271dfc68f9fdbbb99c0ad4c7d51a058eaef1ad0d48351d9d7cc837e1e0a7

SHA512
78f9278cb2243a7cb6de29792a273cdb0752cb2f62df3a9526478ef1e6c2146e04f93c6ea042b959ba1066245ddcddd44b062be50e5dc78cb5d6bd0580387ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqcYkAMM.bat

Filesize
4B

MD5
7b5d6203f89f2df1241d7d9810048199

SHA1
1fdcd895c8027454020d224092705eef6ee45d33

SHA256
f665469c2e6512a55a1a69747549c8a885e4de76dd6e4b214b828620c0e7143a

SHA512
14972746a549f4785d9f1b6bdfef603afa8078a3334db1b50758edb7c09d9b715ba66e5bc2d25b646e28c08739882fe4ed750c46dcf47f3e0c0144a7e16aafb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAca.exe

Filesize
201KB

MD5
2f06c155be6132c88d8df5f5fe8b26b3

SHA1
40b40e62a4a9b7af81fdc73fe75b1fe65cf00ead

SHA256
8a7b0ed84846629fbef734f93a8aea5d5d6371b00304afe4da1afb5bbad52008

SHA512
3da7be0d7b94f8020bcf2a206e4f373186934de64c079c13e93806de4cfa7e8a5e6a7c19e3c7b2d92557015c51c53eb94d82dbb89a1c3250d90a7a47ec5eec90

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEMS.exe

Filesize
227KB

MD5
46b0a9e183f702e6eacbe8b7e8a94063

SHA1
b041da761682b603a8b593f2224671c9f0daa8b5

SHA256
83e46dd4dd7e988869e11ed2c32a463e84d2183f625c57ac660da504db2d3817

SHA512
1f39c2bfcaca956099f1ca28481c22e26e91a9fefffae8621dd7c18347116bdd3b796e2d23ca0c92e9ee0d036f58fad200153bf7bd1511d0f578ae5b7b7cec7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEcUUsIA.bat

Filesize
4B

MD5
67b2a83a83e037f17c2bbee2b6e1a04b

SHA1
43e30558bcc890f838d1bd068be728fdef005b3d

SHA256
f516a7308b50055586a5cea55ae6ce3bb204eeb2d47cdb00ca17eb3dd13818d1

SHA512
07278d1b78619c665df98052691cd94eef67544b16be4c25c9365e77e49b22a6de36e9deceafa17f3b5ad976f0f2fc0fa5c7b33024879dbea2d904efdb6fe438

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMQwYUQE.bat

Filesize
4B

MD5
763fa9f99989573cd3698f7d0a446431

SHA1
9e107c205483ea446bc6eebce4fcc59ef7367455

SHA256
3d6e8b02e75c4256a022695320895d13efdbd8dab624c22fb63c3240854ef785

SHA512
42c8e12ea041f6fd09a04bb8c0f298e8ea15a01527b86b7b0ed9c7482d1035d8ad49384afdec2d584d808f6357575d0ff5385d33bad76ea8e577fcfe3b3d7922

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQgMEAog.bat

Filesize
4B

MD5
127af6401ba01371d21ffc8962b3e878

SHA1
c3b76e11b8dabe8d081d65648e8dca333e54ed47

SHA256
9996883111953458ee779493b2d36c19f1322189199adcf3d03d38e479153a4a

SHA512
478ad2eab5a565bf44a573b9ca6e3540772c757bb2f6b84e86e086ac058bda4a541757b4bfc45310cd234ee27de2660be1868b15b72553f0fccc5fc62c85dc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYAg.exe

Filesize
184KB

MD5
8bc418204fe35fdb03d4d3837a7f1dc1

SHA1
66d3bb7de07a7f43a65b899f887ee3b90cbecfa0

SHA256
7f2fc00998cd3581aa87282f82de933086fdd84d8f339a31277e23b1b157bf54

SHA512
c13ed7ab02b4471393b51e3da8767936b7e3be0bb2719d6512ca823dbcf6caa8e525371ac98111c2a351d966dda0e6a4cf21d643934fa4196ef01ac05014c5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wecsMQoo.bat

Filesize
4B

MD5
cb687e8f8e93ec53958b022fe5512ae8

SHA1
b7634c80db272355620052cb74a2932b06c6e1bb

SHA256
18a3a171a5a9298a8f8ca8de377c4bcbd469c630f38182b1c02b82376ef0f269

SHA512
8b922669ca3eb0a79fae850cf42cce3e3db584330f7e6d81a71249e10ffc069c1a79eccdfa08de153c8cfc57edf18e6a56dc903ea69b64f3cdf0bf4c0bab4123

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyokoEoY.bat

Filesize
4B

MD5
539b5ba218f338873ce62aa7223f1472

SHA1
43402d3c5239a6e810f00380832d8ccce0b06334

SHA256
797a35240bbfd799704b0ae5570a4ca830d76fd95725b1504370bbd56fe8fd60

SHA512
32a70195398e0925b48d203377dc77f09fcf95d4c689ba73789408e7bf1cc5e0f603c1a38c644b7279f140fba0e935ad81796bfb977ad61545cb3b5050790a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQcsEsko.bat

Filesize
4B

MD5
613c93aee8e12988688bdf80359e30ed

SHA1
024590f4f24672f776954f45b629186bc98dede2

SHA256
8b176a36d62d2e12351b42bcc78d69c7da39b531232e869bc8a29b7df91cb97d

SHA512
761c8aa13a51b87396311f70d43a67de5e6da755294f96470f3b6056f5c43609393d861a8f90ddda92fe034953801f20eda0b4e4eeb9771413b8c29ade582b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgUwIwgU.bat

Filesize
4B

MD5
ba2d21658af020604bc51e16b9df763c

SHA1
7ecf4706ac81747f84360430bd7caf33d9a1fdb5

SHA256
d1303fd5d06468a070506b359f0ab00b50a710f095f0db2ae367ae022726864e

SHA512
3f94020ec44e88f1830eb3448d83d6ea0509bdfbf3991cf02445b5c8771c6567d3ffeb2631456bef8ac8dc20429b5211a9929d5dc8dba6c1800f9c1bfdfc6272

Download Submit
C:\Users\Admin\AppData\Local\Temp\yKQMMkUg.bat

Filesize
4B

MD5
afa0621b4cae21c6bb379bec1ba1e777

SHA1
f9ec59cff1497f4136d038ef3ad64286301b307f

SHA256
b3038cc509fd6e94f869412d8ba1dc47e8140b0cc64a2260475862e52c8ca83d

SHA512
2e274980443f1590f419ff02892b6f9b7a1811d046f5bc7833dec7d3e271b741e7463bdccbd3dc9e1fbcc27b3f30322755cf5f1abd46bb5a85b773867e505fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ySYUoAII.bat

Filesize
4B

MD5
06aa7854ad85fb6b6682326f026c9735

SHA1
de4473cde866395101f9d8453be9e6cf4a68aca6

SHA256
3a3739658cb2a74aa4554ad73d9b973c5ac4b8acb9b3cba4639862e38ed966f3

SHA512
1fe06d5f37f3554eb386acbefdabef9ed0c4bec66beb7a2add3ee555dd6ee013dc3402e2ca75bc25eab6ba66d0280f7662c9b3bafe1346ca863f67fb48f71b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysIA.exe

Filesize
184KB

MD5
226c6d38b8a2f12c0619e14ca6bf0e7b

SHA1
933451dd00565173439e31004ae4efbfa4b7ea0b

SHA256
135bc88ed746fb6192606f1974feafea653364c14b6bc3dade73d80fc3b1a1a9

SHA512
3ed1e3ba752add082e36e69e1c9b59523b563344eba8eee9fb5623e7d0a0c90d3ec7e372ab7354bb90231401b6b92287afecf1a4aabb0e4433153870b89b0489

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMEkowcw.bat

Filesize
4B

MD5
49a88881b19c1dc143db90fc4ed5f52f

SHA1
32f141bb362d158075735d75144711564fb152dc

SHA256
cc481c9737aac1273d634032581fac2796c086a885a070eba87628bd523576f5

SHA512
6e548924e6ceeeda0742bf72266417f962a87aa0ca40dd44ea9692b3a4de9333ae01d1363472aee02e018e884e6e15495d548689edbb442b9b2893d0d3ad0852

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUgMQIMw.bat

Filesize
4B

MD5
73678534e3706c6b671c6afaff159af9

SHA1
09869c75cd73ef231f34c026bf508c59637437e5

SHA256
c101a34b438626182e14ce004dc20cff2f39efc63438fcf7b0a12e3d51e3b78d

SHA512
60b65b1f788f4e91cf5c52b0faa515cc7c74728d7d1643871eebcaa6a05f51b603c4488d1d19a544c98ec592732edc4c46538f1d853cb63019840cf732bd4067

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYEsooAE.bat

Filesize
4B

MD5
21f9fb0a26306442c698502eae683322

SHA1
87aa18a55b5701f0d10d752a4c9a6842e1ca7c0d

SHA256
f90a46cd6af5cd09902e3a3790aeafe079a4b6a9f30c98d975f9392d07f29346

SHA512
130351e2fb0f43fae191152ba337e9df47e2498d27cc8e0f760cf1b0c18faf058ff64a99667a9215475a1cb6ac431436568c8ee8e844da67ea5247a0f35fb9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zckAMYMg.bat

Filesize
4B

MD5
1879e4551b0dd1b625e2411d700a8073

SHA1
499def2eafd14c83496b546fbb717261435904ae

SHA256
3a0b757ccfc661fba3b18949c24784a7787e00ae08195f2fbe662be468afaa4f

SHA512
085d3f45b36198db009aa8c6142d0adb57510cbe01f381fc2f729e860453c27ae76adc9366c6a43702b4f7ca72b0a111a72d4724470537a4593592634bec0812

Download Submit
C:\Users\Admin\AppData\Roaming\SuspendStop.wma.exe

Filesize
643KB

MD5
cf7d989e4dcfba1b5d2291b5a35df922

SHA1
95f618c2357c4309b134870275749568467bced1

SHA256
d55be3957100eb96c2ca086ffecaf1ac7de0cb5c355fbf73dbf63fa6c36c8ef9

SHA512
4b584793896bb8d36d5c9675aa7edb625a0c0a3b1a340301aa30bb154f0005807da5d33c2a178d63eaee3e1cd24c8e54b4b9850e06fae1e2187c14bf80ed0adf

Download Submit
\Users\Admin\VoYoUgcA\KowgUUEo.exe

Filesize
179KB

MD5
f6160c417d4249fddacab8edfa49e587

SHA1
ce1584cce0dd030623de2ab4693041d15b8cf58c

SHA256
d6ae896880ae369a77333050ce5980aaf590aa11b9a3408de4d625d5999e7709

SHA512
591922f38af38441d7b41e314b0ed474226339f3923e581fcb28556ec3643bc7ce24cf595621c187b6d8a45d1f23c2a4d5ec2f91bed6d188ef5cfe44408cf86b

Download Submit
memory/292-205-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/296-538-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/532-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/532-311-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/584-567-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/676-616-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/700-490-0x00000000003A0000-0x00000000003D7000-memory.dmp

Filesize
220KB

Download
memory/768-728-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/768-864-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/884-184-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/884-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/888-390-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/896-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/896-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/908-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1068-746-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1156-638-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1176-265-0x0000000002260000-0x0000000002297000-memory.dmp

Filesize
220KB

Download
memory/1200-242-0x0000000000340000-0x0000000000377000-memory.dmp

Filesize
220KB

Download
memory/1236-80-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/1344-883-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1384-795-0x00000000000F0000-0x0000000000127000-memory.dmp

Filesize
220KB

Download
memory/1384-796-0x00000000000F0000-0x0000000000127000-memory.dmp

Filesize
220KB

Download
memory/1496-557-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1528-607-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/1604-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1656-381-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/1664-797-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1664-824-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1692-457-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1724-499-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1740-657-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1740-629-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1752-150-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1752-149-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1764-218-0x0000000000180000-0x00000000001B7000-memory.dmp

Filesize
220KB

Download
memory/1764-219-0x0000000000180000-0x00000000001B7000-memory.dmp

Filesize
220KB

Download
memory/1804-359-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/1924-676-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2036-648-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/2040-297-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2100-893-0x0000000002250000-0x0000000002287000-memory.dmp

Filesize
220KB

Download
memory/2120-252-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2128-434-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2204-58-0x0000000000170000-0x00000000001A7000-memory.dmp

Filesize
220KB

Download
memory/2212-626-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2212-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2232-89-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2236-161-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2256-288-0x0000000000190000-0x00000000001C7000-memory.dmp

Filesize
220KB

Download
memory/2256-287-0x0000000000190000-0x00000000001C7000-memory.dmp

Filesize
220KB

Download
memory/2276-479-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2308-765-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2356-448-0x0000000000160000-0x0000000000197000-memory.dmp

Filesize
220KB

Download
memory/2372-336-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2372-335-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2396-518-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2396-627-0x0000000002230000-0x0000000002267000-memory.dmp

Filesize
220KB

Download
memory/2412-103-0x0000000000370000-0x00000000003A7000-memory.dmp

Filesize
220KB

Download
memory/2412-102-0x0000000000370000-0x00000000003A7000-memory.dmp

Filesize
220KB

Download
memory/2528-126-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2556-321-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2568-834-0x0000000000160000-0x0000000000197000-memory.dmp

Filesize
220KB

Download
memory/2664-368-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2668-113-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2692-403-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/2696-785-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2720-844-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2736-529-0x0000000000410000-0x0000000000447000-memory.dmp

Filesize
220KB

Download
memory/2752-806-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2756-710-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2808-42-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/2808-43-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/2832-41-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2832-67-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2840-667-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/2884-470-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2904-345-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2904-312-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2920-874-0x0000000000170000-0x00000000001A7000-memory.dmp

Filesize
220KB

Download
memory/2936-628-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2936-31-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2940-855-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2984-756-0x0000000000200000-0x0000000000237000-memory.dmp

Filesize
220KB

Download
memory/2988-576-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2992-587-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3000-12-0x0000000003DA0000-0x0000000003DCE000-memory.dmp

Filesize
184KB

Download
memory/3000-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3000-29-0x0000000003DA0000-0x0000000003DD1000-memory.dmp

Filesize
196KB

Download
memory/3000-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3000-27-0x0000000003DA0000-0x0000000003DCE000-memory.dmp

Filesize
184KB

Download
memory/3020-175-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/3020-174-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/3024-228-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3028-548-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3036-596-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download