2fc084a60f2edbe369fc795ce78a2c889ad02d06d763e875456784779866a600

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Size

477KB
MD5

edc74c7aa1713e06f800326ccb7912dd
SHA1

6003a5216f9a93718cabaaa6e95c1ff059bf7c23
SHA256

2fc084a60f2edbe369fc795ce78a2c889ad02d06d763e875456784779866a600
SHA512

088319ebb5745fab5f5245fcc429d8e263825353387a965ec7e107e91ee932943ee1098362c81a1b099f8b8fd159a2dcb73ebe89cf43e9cccecade2513804976
SSDEEP

12288:zl89Rg1lzarZAYh16cN6Cfm+KUGEMAM55Gs:zl8z24rZAYhvm+dWxDGs

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	MckkQUIU.exe

Executes dropped EXE 2 IoCs

pid	Process
2024	ZAAQAsgI.exe
4900	MckkQUIU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZAAQAsgI.exe = "C:\\Users\\Admin\\OakEQkYM\\ZAAQAsgI.exe"	ZAAQAsgI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZAAQAsgI.exe = "C:\\Users\\Admin\\OakEQkYM\\ZAAQAsgI.exe"	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MckkQUIU.exe = "C:\\ProgramData\\xUkUcgkM\\MckkQUIU.exe"	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MckkQUIU.exe = "C:\\ProgramData\\xUkUcgkM\\MckkQUIU.exe"	MckkQUIU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
256	reg.exe
4880	reg.exe
1816	reg.exe
3324	reg.exe
4072	reg.exe
1144	reg.exe
3984	reg.exe
3456	reg.exe
2952	reg.exe
1552	reg.exe
4088	reg.exe
1404	Process not Found
4368	reg.exe
3772	reg.exe
1212	reg.exe
3356	reg.exe
1468	reg.exe
4288	Process not Found
3564	reg.exe
1404	reg.exe
416	reg.exe
3116	reg.exe
4616	reg.exe
3888	reg.exe
4532	reg.exe
2768	reg.exe
3208	reg.exe
4712	Process not Found
3256	reg.exe
464	reg.exe
2748	reg.exe
4296	Process not Found
444	reg.exe
1888	reg.exe
1784	Process not Found
2396	Process not Found
1312	reg.exe
3176	reg.exe
4256	reg.exe
3580	reg.exe
4392	Process not Found
1904	reg.exe
4364	reg.exe
1416	Process not Found
5064	reg.exe
4476	reg.exe
784	reg.exe
640	reg.exe
3332	reg.exe
4888	reg.exe
2176	Process not Found
2188	reg.exe
3764	reg.exe
3192	reg.exe
1784	reg.exe
1172	Process not Found
2676	reg.exe
2020	reg.exe
1900	reg.exe
4384	reg.exe
768	reg.exe
2800	reg.exe
1908	reg.exe
3564	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3912	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3912	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3912	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3912	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1212	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1212	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1212	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1212	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3336	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3336	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3336	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3336	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3104	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3104	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3104	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3104	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1392	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1392	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1392	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1392	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1000	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1000	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1000	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
1000	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
2404	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
2404	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
2404	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
2404	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3672	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3672	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3672	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3672	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3888	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3888	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3888	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3888	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3156	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3156	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3156	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3156	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
4820	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
4820	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
4820	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
4820	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
2988	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
2988	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
2988	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
2988	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3964	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3964	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3964	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
3964	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4900	MckkQUIU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe
4900	MckkQUIU.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 2024	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	82
PID 4256 wrote to memory of 2024	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	82
PID 4256 wrote to memory of 2024	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	82
PID 4256 wrote to memory of 4900	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	83
PID 4256 wrote to memory of 4900	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	83
PID 4256 wrote to memory of 4900	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	83
PID 4256 wrote to memory of 3292	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	84
PID 4256 wrote to memory of 3292	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	84
PID 4256 wrote to memory of 3292	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	84
PID 3292 wrote to memory of 3356	3292	cmd.exe	86
PID 3292 wrote to memory of 3356	3292	cmd.exe	86
PID 3292 wrote to memory of 3356	3292	cmd.exe	86
PID 4256 wrote to memory of 3608	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	87
PID 4256 wrote to memory of 3608	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	87
PID 4256 wrote to memory of 3608	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	87
PID 4256 wrote to memory of 1144	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	88
PID 4256 wrote to memory of 1144	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	88
PID 4256 wrote to memory of 1144	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	88
PID 4256 wrote to memory of 568	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	89
PID 4256 wrote to memory of 568	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	89
PID 4256 wrote to memory of 568	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	89
PID 4256 wrote to memory of 880	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	90
PID 4256 wrote to memory of 880	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	90
PID 4256 wrote to memory of 880	4256	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	90
PID 880 wrote to memory of 4904	880	cmd.exe	95
PID 880 wrote to memory of 4904	880	cmd.exe	95
PID 880 wrote to memory of 4904	880	cmd.exe	95
PID 3356 wrote to memory of 2144	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	96
PID 3356 wrote to memory of 2144	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	96
PID 3356 wrote to memory of 2144	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	96
PID 2144 wrote to memory of 1628	2144	cmd.exe	98
PID 2144 wrote to memory of 1628	2144	cmd.exe	98
PID 2144 wrote to memory of 1628	2144	cmd.exe	98
PID 3356 wrote to memory of 244	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	99
PID 3356 wrote to memory of 244	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	99
PID 3356 wrote to memory of 244	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	99
PID 3356 wrote to memory of 4284	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	100
PID 3356 wrote to memory of 4284	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	100
PID 3356 wrote to memory of 4284	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	100
PID 3356 wrote to memory of 5112	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	101
PID 3356 wrote to memory of 5112	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	101
PID 3356 wrote to memory of 5112	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	101
PID 3356 wrote to memory of 3460	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	102
PID 3356 wrote to memory of 3460	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	102
PID 3356 wrote to memory of 3460	3356	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	102
PID 3460 wrote to memory of 1996	3460	cmd.exe	107
PID 3460 wrote to memory of 1996	3460	cmd.exe	107
PID 3460 wrote to memory of 1996	3460	cmd.exe	107
PID 1628 wrote to memory of 2472	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	108
PID 1628 wrote to memory of 2472	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	108
PID 1628 wrote to memory of 2472	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	108
PID 1628 wrote to memory of 1816	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	110
PID 1628 wrote to memory of 1816	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	110
PID 1628 wrote to memory of 1816	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	110
PID 1628 wrote to memory of 4640	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	111
PID 1628 wrote to memory of 4640	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	111
PID 1628 wrote to memory of 4640	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	111
PID 1628 wrote to memory of 2660	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	112
PID 1628 wrote to memory of 2660	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	112
PID 1628 wrote to memory of 2660	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	112
PID 1628 wrote to memory of 1592	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	113
PID 1628 wrote to memory of 1592	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	113
PID 1628 wrote to memory of 1592	1628	edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe	113
PID 2472 wrote to memory of 3912	2472	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Users\Admin\OakEQkYM\ZAAQAsgI.exe
  "C:\Users\Admin\OakEQkYM\ZAAQAsgI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2024
- C:\ProgramData\xUkUcgkM\MckkQUIU.exe
  "C:\ProgramData\xUkUcgkM\MckkQUIU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        8⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        10⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        12⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        14⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        16⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        18⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        20⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        22⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        24⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        26⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        28⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        30⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        32⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        33⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        34⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        35⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        36⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        37⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        38⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        39⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        40⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        41⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        42⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        43⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        44⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        45⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        46⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        47⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        48⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        49⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        51⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        52⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        53⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        54⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        55⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        56⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        58⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        59⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        60⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        61⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        62⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        63⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        64⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        65⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        66⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        67⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        68⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        69⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        70⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        71⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        72⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        73⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        74⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        75⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        76⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        77⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        79⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        80⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        81⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        82⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        83⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        84⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        85⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        86⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        87⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        88⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        89⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        90⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        91⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        93⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        94⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        95⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        96⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        97⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        98⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        99⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        100⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        101⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        102⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        103⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        104⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        105⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        106⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        107⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        108⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        111⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        112⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        113⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        114⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        115⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        116⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        117⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        118⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        119⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        120⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        121⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        122⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        123⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        124⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        125⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        126⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        127⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        128⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        129⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        130⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        131⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        132⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        133⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        134⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        135⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        136⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        137⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        138⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        139⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        140⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        141⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        142⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        143⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        144⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        145⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        146⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        147⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        149⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        150⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        151⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        152⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        153⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        155⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        156⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        157⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        158⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        159⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        160⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        161⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        162⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        163⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        164⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        165⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        166⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        167⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        168⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        169⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        170⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        171⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        172⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        173⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        174⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        175⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        176⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        178⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        179⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        180⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        181⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        182⤵
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        183⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        184⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        185⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        186⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        187⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        188⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        190⤵
        
        PID:236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        191⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        192⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        193⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        194⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        195⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        196⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        198⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        199⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        200⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        201⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        202⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        203⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        204⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        205⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        206⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        207⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        209⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        210⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        211⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        212⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        213⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        214⤵
        
        PID:2716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        215⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        216⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        217⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        218⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        219⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        220⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        221⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        222⤵
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        223⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        224⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        225⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        226⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        228⤵
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        229⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        230⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        231⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        232⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        233⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        234⤵
        
        PID:936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        236⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        237⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        238⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        239⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        240⤵
        
        PID:4216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        241⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        242⤵
        
        PID:1964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        243⤵
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        244⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        245⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        246⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        247⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        249⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        250⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        251⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        252⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        253⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        254⤵
        
        PID:208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        255⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        256⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        257⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        258⤵
        
        PID:772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        259⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        260⤵
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        261⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        262⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        264⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        265⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        266⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        267⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        268⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        269⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        270⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        271⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        273⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        274⤵
        
        PID:2508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118
        275⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118"
        276⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        277⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        277⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        UAC bypass
        
        PID:3332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        277⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iikEIUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        276⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        Modifies registry key
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIIcgYQo.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        274⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        Modifies visibility of file extensions in Explorer
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUscYQMY.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        272⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        UAC bypass
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiAAoAcU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        270⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        Modifies registry key
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgkcgMIE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        268⤵
        
        PID:4464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQksAwso.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        266⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        UAC bypass
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiUckcAI.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        264⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        UAC bypass
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKkIEccE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        262⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKQocows.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        260⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcIEAskQ.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        258⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:4292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        Modifies registry key
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DowYQUUA.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        256⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgEIogso.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        254⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:3164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyQQAwkg.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        252⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:3204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueEsogoc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        250⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKoQMocY.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        248⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmgEUkkY.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIEcwYQw.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        244⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies registry key
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        Modifies registry key
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGsgUoos.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        242⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYYQgssU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        240⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwsQIssU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        238⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCAIwIkw.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        236⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        Modifies registry key
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKwwsgws.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        234⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAQcEccI.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giQckkAc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        230⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkYgEkEU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        228⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:3792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQoYMAwY.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        226⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkwYMkYU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        224⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RecAEokM.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        222⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        Modifies registry key
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgYYgMQc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        220⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkoUoMIk.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        218⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCgQwMcM.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        216⤵
        
        PID:3688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyUIQAcM.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        214⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQcwEAMA.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyIkQAQw.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        210⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOYgQEMw.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        208⤵
        
        PID:892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies registry key
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwYgQMIk.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        206⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwsMEYgc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        204⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmMwQEwo.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        202⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGgQwcYA.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        200⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCsAIEcI.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        198⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOwQoQQI.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        196⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies registry key
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaAocEsY.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        194⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOsIYkQE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        192⤵
        
        PID:476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIkYgsAI.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqswgAAg.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        188⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SegcskwI.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:4424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImscQMMU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        184⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkMcUcYE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        182⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcMogMgc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        180⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEcQEEEE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        178⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:3688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQUoAgQk.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        176⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAQwkcQk.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        174⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOIwQIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        172⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKYUcYMM.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        170⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwowkgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        168⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAgoYQkY.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        166⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqMoAMUo.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        164⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQYwkcQc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        162⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAYoooUE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        160⤵
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmkoEgIM.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        158⤵
        
        PID:420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiIcEoUg.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        156⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYQIgckA.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        154⤵
        
        PID:1224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgAUMgEk.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        152⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGAsYAAI.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        150⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSUcosYA.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        148⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        Modifies registry key
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKIsMsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        146⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwIMwkMU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        144⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEUAgcEg.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        142⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uioAcgYs.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsMYkEwA.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        138⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUIUkUkg.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        136⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        Modifies registry key
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUMMEgAc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        134⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voMsQAkE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        132⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsgQIEEM.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        130⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkcAsQcA.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        128⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSUgkYoM.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        126⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EesUgksg.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        124⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puEccQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        122⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIgwMAME.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        120⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaoAggEw.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        118⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcIsIgAU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        116⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGskcgoE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        114⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOYoscwg.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        112⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoMIkkAI.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        110⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUEIkkos.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmQksAwU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        106⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQskAEQM.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        104⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmYYkQgc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        102⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USwEgEoo.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        100⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swcgMcIg.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        98⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYsAkgsc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        96⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeIMcMUY.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        94⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HigYwEwc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        92⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEAIoUkE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        90⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuEwsEEs.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        88⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkwoQUQE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        86⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coEcMkMk.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        84⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osogIsUE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YookAwgM.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        80⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKgAAwIc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        78⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lykYMYUo.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        76⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAoYkMwo.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        74⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coEMIMQI.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        72⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMIgAcwo.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        70⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGoUEwkY.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwQIAwAg.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        66⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQcwwAUE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        64⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcMkUcAU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        62⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaUMUMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        60⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWgQcwIw.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        58⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyIIogMo.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        56⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okIkcMAY.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        54⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgwQAMMg.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        52⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOMYwwwA.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        50⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIkwQUMg.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        48⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyQoUYoU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        46⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySwwIwog.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        44⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqQgUQow.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        42⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYQgwcEc.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        40⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEgwMYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        38⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsIIEsAI.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGEAoYYE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        34⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cScoIMIE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        32⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsMUkAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        30⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsgEosUo.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        28⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSIQMMQE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        26⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYkMEMUE.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        24⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOowgwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        22⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiAMMgEk.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        20⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuowsosY.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWUAcUgM.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMQEkQgI.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        14⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGEIMIkA.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        12⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiMQMAgA.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        10⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoococME.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        8⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2084
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:1816
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4640
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMIUEYUU.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
        6⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:244
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeYMMEEY.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1996
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1144
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaQwIcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
233KB

MD5
bdf8581a7d258812b4cc35be4c1e9f52

SHA1
7c834923deb073f287c02b185a700298277aa1fb

SHA256
b5a2c9a72b526f812a4e5a6b73a0dd6dca14a5acaca4f1ca98ff3849e04f527d

SHA512
6d89a404ac0b52ae6daf810c22e224440a57c21fe80591b78c244938a35ecf88125b26bd3959f3e8a5617a6becfa93eb801971c68ec887950c5e6b1e0124ae76

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
789KB

MD5
2b4adb636c4e642591b25b5dfffa1409

SHA1
c8b66661c17b2950f946f434b28095134010e4a2

SHA256
cecb2282c39bbd283414e17a6e764aa5a0f5ba75d718df6c693608165150acb7

SHA512
071cf00fd5fb1580d6282d608e9393b56e2cbcc096c96ddb13db4c335d90e8a1c2586bedfee1472c9f5be5c7504ae2614ad10b93fe4979e5df11a038f1cb0305

Download Submit
C:\ProgramData\xUkUcgkM\MckkQUIU.exe

Filesize
178KB

MD5
27757f62f136122aa820906152008645

SHA1
d528c421a9c44d0cb36628778b9fa8623a868ef1

SHA256
9110ae26952612cc2285c71025b25cd33bb530811c8991b94fbcea51b5b5e7ce

SHA512
fbb0dbc79311300b2463586b394e7e876bc6e0ef260ccddc061e220674cfece92cb7b25d8cc8968aeef28b2578c32d783bc01575f3292c07a4c35f1ec67fd002

Download Submit
C:\ProgramData\xUkUcgkM\MckkQUIU.inf

Filesize
4B

MD5
2889faa911b74c2512c864edae74b8e1

SHA1
a08f82319a3a71e7051b72ddd8be443a3402519c

SHA256
4b2416611d55c9ca9b4dd1bf85648f50e3349d034796a2a78ebaf713be54c682

SHA512
6f30ce729762c07d46d464e91dd7010557d0c598df901e1b2c0723c1d23bd8e842c12f3fa5ab9c73719c5ed55bffc97520018bd5da62a7419454e812413ae94a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\128.png.exe

Filesize
197KB

MD5
9521bdab98691a8f18ff14c8f9fd777b

SHA1
977e2b1fe85f0c56825bd473f07cdd4b10a8cd34

SHA256
39ca88319fb465dbd2142b7961c65f94e215a2d4ab2cf46fc0284a74920e1881

SHA512
e309aba4c8e2186e5eb4f6cca23599d7975090b241abdafd2d2338c5591105a440fd85598216330df783dabad2f958cc036eed46683df2ae6157cc193f2bd672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
199KB

MD5
418e66de0cb4744b0aebd83d77899f3d

SHA1
494703560481d6f8dfa8b95e4a86437ae123238c

SHA256
931b407cf56e6bb8b25af7e45e76a3160fba55090e694da7c3b5897013d298f5

SHA512
8b9fa0f5287f9aae1e019f4185815150acd50914d4a8158328fac05b667e92ae51451dc81321af75affff62a7884b1a41a2db58218afb57e045f5fee0670670e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAEg.exe

Filesize
185KB

MD5
1bca4590eb3c6f05bcb6a5d4a4621cd1

SHA1
fe7c0f781b478796ac29b7ebcf3bc8946cf32e30

SHA256
3b02149dc1ab7d9a9cd8d50c8a5e3ad026bf4aa4d4c9181b92ccc46e138378ab

SHA512
a32d65df730fbc0c57d1d9bfc97447039e998cbc2ed545467fab2ecbd336925c111c19047455b341a5107878e8d3538ef9e7d2015974695bba29221fa727b065

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEMG.exe

Filesize
309KB

MD5
7c316b39fbb31745b03d0ef4983eae15

SHA1
4dde0a2ccb6d55e1295a842d66f6420e5312fff9

SHA256
fd4845b28046e82a2cf736eeef718e8ef7712531b5ffd4b4b3b4075c6b2e0448

SHA512
f5bfe3827aa16bc153f6ef44a5ddb0491f1afbcc6f48a6494edd6f30e2ec863b390d5fe6eeffb19d9a33cd18510be9a70b82f0c0ab79073627c053db10451f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQAQ.exe

Filesize
192KB

MD5
cfe9001ef0317ab31bc80fa22f778230

SHA1
09f3ce4047b883ea5a815b1462df4cb5820c6b93

SHA256
88bf6cbbd3b352032f6a32a66f95a6176bf949b6a69875fe6ab88d724f8fec0a

SHA512
3def674f05be1d470f80681a65dd80a0b808119354ddcddad8b931104cdb8dba31ea97d0ba7ff9426deb618f4dba3d76176fc98d888c4f0c9d2ca2c235b3b403

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQYG.exe

Filesize
205KB

MD5
2e7cdaa84ed9a96ba202882453ed0247

SHA1
785a6d7b226652f2b17d28c6c1cb05f17e7173a7

SHA256
54d610791dedf55820cda74fa06517a4110cb81f2f8d4a20927e4a295fb8a34e

SHA512
644f141a834b319bf51b2e1f14f4aebdf8a19b36fd7234caf32f49eea0ec2e42b5aba6edc69acffdd5cf10f3a91c6e6bd619c5ee2a96e6a56d01106fd7c57223

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUMW.exe

Filesize
235KB

MD5
d7ed18db594b8d226b2d9a53cedeccf8

SHA1
bb907de9694d0443d57a97d6638283e4ddbdb011

SHA256
860c39637e9de85e922535614d23f30ec9f5e97a9fe231b3039ee82d6ffa244a

SHA512
fe43877cb721279b3f6de6115817b33feeaa9529b20c231db31049d13b3c37d2ffbc2d4bf1bb140f426e03b23429c666b80ee5c3668c13999383f0b9f9d102f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgwC.exe

Filesize
205KB

MD5
b3322386652672020ac7bb2554976422

SHA1
310bcd205bf7ff48f486156a231bf538597ce611

SHA256
1d37cd01c78eac59f3c9f2c401062d80ff03f3f1fc17a7d56e9226d7f7a22cc5

SHA512
8543a190b8d77c4c9063850e010e187aee5944d32b0e00302b767eb455eae1919a50dbe6232ede1e1bd3ea683431dc6957c69126ad3026b2b179e510b7fcda09

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwUA.exe

Filesize
630KB

MD5
285e34af534dc3195f9c738d9d316bfe

SHA1
82cb662fb40065da8cdd97ab2ae5c9e54f1ac56f

SHA256
6c5682f1c94f355bb3a0d01ffcb69a54170089fa97e547ddd58a444e187ca6b6

SHA512
03cb256054d6b7a51b069aee47acbbeff627a04f75a53df969cb3fb713bf1462fc740cfd211c9eb622aef18cc9e3b95e9ffeaec6b0e8da1b6e215bc09861d91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEEY.exe

Filesize
607KB

MD5
6d44dfa9a42d563d48656b0a0dae6624

SHA1
6f6f838451ab4a5c0b10f1b345deb9937d7d2776

SHA256
fa8497859ec83ab6bd9aef43baaf08c3979de3fdb81a2a361325ca284270703c

SHA512
257705cf9e524ba9aeb9e368a7b3979012a943feb26647c5d0bdff0fb3c5f760cc5ebf67bd94c77c29f14da445ae8e855f21623f558a93bbab501e93099baf76

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEIO.exe

Filesize
223KB

MD5
8d4fb0a8bf878bfc08168c999f459eca

SHA1
db04223b7ce1082d4bca33cf87afae04de0507ab

SHA256
8f0e65fbad25f90d733bafbb58ee5f3cc4c47000948e5527cb7449d108f59ae6

SHA512
3e74a7ed88b249b2f6aee5b6ed4ef52ae2cb8beb1dfe135d4071487ce94e4cfe7f925e7e00ea8ef51f9f5ac541d7d6e41fecf010b2f733384afa67882946903c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIYC.exe

Filesize
183KB

MD5
094f01b47ae47620b80cd163daf13416

SHA1
8ee253ef6c925423e80c1ba3394558752ff0267a

SHA256
d1dfe1e21421b909dd14ede79122c91addbfb6b7c2ce6da33400ff950a06638d

SHA512
1ce74a2eb4a095bff939f79a83eb6d3a92bf97a3281e3b176bc36103d2c80679e2c3317f64506d08f96364ade7360a717ca2645439ea8ddc406a5e0791deba9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIoI.exe

Filesize
812KB

MD5
c7496d96f6b45bc321c81a39a58eea88

SHA1
163be8991363c99ea20f757e614d29a1699d9980

SHA256
629eedf45b37ca8e75b162885746aace253fff86099039d9db22eef515730375

SHA512
851f39c486acb79c4794e9d342d4a64a8526b26966aa89db062aa2c75150daa799e44927feb653e8b63a22afbe1515e7bb693e2d8cb7ca15932c18ba838ad7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMMu.exe

Filesize
205KB

MD5
23a2a263a01a610e5f3064fa7a087cc1

SHA1
cdbeeb2255e33d411389819fecc67618d5bf9076

SHA256
2dc2d2e8511a3d58c3e96e07bc73683ca1139f74f941f7b8e3a132e95a44f174

SHA512
7bed205c6775d4f3046dafc9a8f3fc985746a063f6a9da8399039ba958ec55ebf883215a7d3f2cf28407f872827818d52aa063c10045d1118182687089ffbebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMUq.exe

Filesize
378KB

MD5
305506d5b361a68941190bda4a185c32

SHA1
d0e4a54b2310659911dbf0dc18ec08b74601e141

SHA256
6853a79377710b90d2ba388d08e9f11d7f059411670841f0c05776b6aa2ce450

SHA512
805e5b862bf957e2dd1da3b90048bac876aed1cca63defab443855dc976f20d876a342c9b53e26ac7093186c068437c193fb37a875c23383bf70b765d0714ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUQc.exe

Filesize
649KB

MD5
26b491271538f9c6d30e6dc21ce439d0

SHA1
a1a59677c560a39703f7c224f11fe6a8068b18ce

SHA256
ff8dd65a3f4b39ac4eff6aecd714bf9c10d5f1abed91dd3038d38e704d2a2bce

SHA512
ca48cd9fe69a0b95f77dcb288817597daf16c8367ae7a8dd3b75112987138f99f36f46a7e96778b75ec33098bfa7bc5e3f897c07e8c7e3e0463437bbbb6b9d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYQA.exe

Filesize
464KB

MD5
4be77d60d83cd642a997dbac0b670df5

SHA1
9cb9436c46a4316166b481758ab89dae82c253b3

SHA256
1ba6bfef164f7782263349b4231e546ab9e8d7d876e09823c7fdcb33bb8d0e73

SHA512
742397f418df7cd82cf9e68387afff31568759c55aeb4f183b30ed1b55805377522e0b35cd47e16b856abfde217fe04c05d75ffb13e886f4b032a7e429ffd343

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkUe.exe

Filesize
332KB

MD5
650cb9893342d7405d44c79cfde71299

SHA1
d79adf9c44f295880efb8dc923db79cd296144cc

SHA256
291cb11a7f7d74234d9604639128a56956defb00eb9e5f1bb2a0f590623382b6

SHA512
ad617d1454e40157d438ef14d62dbb8cb96989042bf8caa7b2d287ec9e8188e943a491fef7f621ef781d715a8c9ee3bed9874b25477d0b022254051b7715c358

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsIW.exe

Filesize
201KB

MD5
3e6781c9a1f10cdcd79f445dc9541864

SHA1
403de315ee399de48449c272b0f0be06118c5f7f

SHA256
740eaf5050a5f3062cf3aa79b097ddc9c53a4e3fa0a3b338397a3c84df85a940

SHA512
b8e7da4994956896a170364833a9c597cfa0302030ae35944e2746752a8b6b8a2efb04ecdff508c7c76986992b4f6133de21cb84c7ec5578504d5555af5e34b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAkS.exe

Filesize
634KB

MD5
fb637f7c2fb95dbff263ae738846faea

SHA1
10f72bb10a6d01c26351be74e70cf9a2033f1703

SHA256
d0f0081a4a21452271c8967331b6279cf28b72591692fc1e51141d1d6aeda3a4

SHA512
633f358509bc27b8c7a70abcd3ee21c1eb27e2cb47ed9ae0fe5fa1f83174c7ceb84290ee3f8f9c0408cd929283768273adcb923894240760b5784636cefc4f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEIq.exe

Filesize
197KB

MD5
8250ad1833b67447e8109fe968097c12

SHA1
aeb9cdf86ddaa635aee3de0c259c418f157602f2

SHA256
0aef7874de1395e792042be4c1b880328648a8e491e275a0ef6e75fd2d801216

SHA512
582198e40d63951083b87b4dd3a01df1f344627e3daaea9146b5021c24e7278ce4e1fa624c11d70673fc3670099180e7a95ab13c06bef25fbc8fe2bfb1570c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUsU.exe

Filesize
400KB

MD5
d161abbefcc9aa6960642262393bbee8

SHA1
98879141447fc8ac9b96b02d2f8ab77bdffa0857

SHA256
238925c9f70ae8e4e6d17306c5f301c8716d0fe63e508400c0fba1313be5296b

SHA512
e50373d9452cb039026060c5bdd2f096e675c6f49eef7f1ad0d075bed5a4d032d07d5750fe29322449f70a381b8c7c17cdc215375cb782674a2bd91fa0a90e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gkss.exe

Filesize
197KB

MD5
66ee70b01f91ac0a0d1c4676f7b8c759

SHA1
cc51c33d522b4c91d08d881c26769de62238c278

SHA256
dcdf03c1c96787b99d8be1c53b050c23ad0db746d0b4e3d1e16ca4eef0812ef4

SHA512
4cfbea9cc1fe3b6ec50fcc897b186a31789ccb4b287d320b17d04dffbafcebb1a7cc8e7644c182a6747585109bd178cf3274af06b99f508b1c621f9ead742020

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIsM.exe

Filesize
193KB

MD5
577e68cfd9ea36184251c60f75dc2cfb

SHA1
9e08b076a019fbe5ad6dc775db8d1e1b6d064638

SHA256
8aebb032ed18745d04e05bfa385a772bf036bfc6decff5740d516b2c256f25e2

SHA512
5db9758d0630e98af6b3b513601779a66e2eb7d256deca3ee167c8289ae7aa850fe8e2b01c893826ce8e8b230d9ea3afbf65793d72228e599d315df7eddf055a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kggm.exe

Filesize
183KB

MD5
7eaf315106128b3ff19f232aca27463d

SHA1
06e3b8a68b23c6b949275ec768db72735a0f6ce4

SHA256
1a8e41e51c95fef511155cdaf2b071a71b743df362cbb11b07a8ebcaaee7dffb

SHA512
5a93e675711b50f580bd0c7234a0247c8c232822a45efca8c32f5d2ef3bba37a15615802032598bc6cff7c60793c0a550303f83213392fec3974f2b629d6e5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkou.exe

Filesize
656KB

MD5
0b37ad637f1f5d4915465dc421c28bb9

SHA1
10cd569d269e520cfad83c99e8fa92a0632aafac

SHA256
3ad16f1cfe6a4eb866f0b325b252c5b1e54c5bfe926ad9ce223bd95f9a46ebfb

SHA512
bb09fc419d7323ec7350ce703c6cad77713afc3098577af0f22fe2ae2b437ee44462acb7539059ec8d10e3843278f12f9f1584ee124e221053be6a78e611c3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsQk.exe

Filesize
182KB

MD5
4baf46a8b5fff0b0d867e083f4922084

SHA1
59a9b621229e2528d3ed99fdcbb019ebee678e93

SHA256
90ef4f71d79e3c778f3fe9925aac363a6c5f21731199a93a1d9269c644f6dfb1

SHA512
90bd470f700f44a0a3b085d32cfc433f973e5d9862544fe9234868ae135b280228907eb25cc1b1d046478c4cf1b27063809962ff6a99e8e7db173ffd4db11d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAsU.exe

Filesize
663KB

MD5
f508ad28499f48468eaf619556adf5f9

SHA1
66a3cd6f84e964014b21dbbb7e944762a45e0919

SHA256
f5d8ff69357b0ecf59de8f67a339b437cfd755b4637a9f7863c42b427dd8ef50

SHA512
1b8726d29663a5135b5b23dca134f077f10874a2dca61b90fc25b739fb5c664b18df812565f28d8d51de1fc5eeb83cfdb4cb1665a43d42db6756184f2bb4e6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEgc.exe

Filesize
203KB

MD5
80d67a49894ea6095ebb976d2ab63193

SHA1
f54d3eda5bd492c2c43988ba727fe54b98c24e53

SHA256
5ced999c0df93476372a59d29d5051a2652380be3c5e1855400c5aebd3257ba4

SHA512
d5dc9026ec01a2c9404a4aba09fbfbe769800945db0e5cbcdb4b4e50c55f150d7bb20284719389a9ba069a473dd36db10cc16ba2c87be27dcc42200a24fb8413

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUoC.exe

Filesize
197KB

MD5
80d7b787a2097657cbb1b22d8ade65b2

SHA1
9870cc991439bcddfb97066c26cfaf64e3c7a8ca

SHA256
8b97f220160fcd5ab2f380e8ce6b8eaa490c3dfd92f588f566fe0d2afd223c20

SHA512
0dabf8db32b3aada3e70135d8ab581011e513aa5c80ef28e1bfc71344f546a89f7457a50a704740855e006857182b7e9d12507d46f9da275e21fc13c872ef031

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mscg.exe

Filesize
191KB

MD5
c2d1a554711ac8863bb8ffdc69faf707

SHA1
1cba875b99ca480bbc79339f0264f9d21a85b8af

SHA256
82998647931e6d1a53c5d10222ce41cd55c76531f3a9742ba03681f684368500

SHA512
c748f7ce8671439e195db32a56c5e9c1f0c30668e01176b67ae6572004226cb7b08f5c32deb57389c62ba77d36d68607983284b960324fa2d6e759001fbb7434

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQEI.exe

Filesize
828KB

MD5
1de8f5453b0fe32b7144dfac2f60a090

SHA1
7d9176bc115d2244fffd13471b72e07fd2ab8e9a

SHA256
20f52d715f6a2796f156343512484a30b3802ef855991afea6a896fca23014c7

SHA512
c2854118d165138fefa1cd362794c348d4db85d1a2f6cdf63e8a081f8f6eef532454a2470909249fa153178b2e5f955394af173e15dac338bc236df12df9727f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkYM.exe

Filesize
367KB

MD5
d4e704723747f40d4d71d0e6f56d8e38

SHA1
c444e17a917a6781ad9cf9924b219115d9842ccf

SHA256
70d7a46f906184f35714fc65946374c6d50dcf3bc0dff8a66f32b8b6474ba558

SHA512
8061b77cd4f5877c687801420394d058b89d654725e0662819adb011443921c96d7876396246b799b2f01b32e3ca80d91180f8872e9dd276463d9fcedc3ebcb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsAU.exe

Filesize
183KB

MD5
c6ddb73a520ecd15f3c26a0611552e8a

SHA1
245c6298af402bf13e7298b3481f054e5a7e8334

SHA256
009b493be8cd686289054d9d4cfd055764fb24db8c094a994f6c390889ac9c38

SHA512
8dc5e948ca7d58f9e490fd729217bd7a525f3f44ed0fd60ba929543032cdaa78bb0542e97a4bb2b75911a309d6546cc9f2525191788767c25dae899568310997

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owwi.exe

Filesize
1.8MB

MD5
d12a141d314a128d3ea98ac847e5f491

SHA1
d51c72850c7c55d413f7c7121a00bd6244d3028e

SHA256
43e0c3b816f625f2ff7bab49300454efb8eab0547cc4233615a5f492c53e2316

SHA512
b7cf6756194f015174f6adc06791f0208a7b90c387e4c96f255f26a0d8aa5da246ef1061297d9660cabb9d63d144e239b9e77771a9dbdd5a326b4c90507b9925

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owwu.exe

Filesize
200KB

MD5
b832491e2ce91fac4c73edee15e747c2

SHA1
40dc77d762fe8580ffde5fb4335943578395dc73

SHA256
ca0034385475828f69f18508ebe83e2591868f2633043850803cf5f84e9ba204

SHA512
ff0e8ecfc57f4e099490e5348829d3cc2c659ab6c4d7619394eb7f589b85642970e74b87babd6273bc179855c042f5e84d0782fb4b844923246fdd986627e1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQkM.exe

Filesize
212KB

MD5
2824bf453e7e8d056f0f11a6064aa6cd

SHA1
97b8b8cf6a03d23b35da3c7e629fd710e979506d

SHA256
9105c8991d8214a610f5eb182021d5705f3cbb7a470274cd9a945280da962546

SHA512
77b54588bf43be59ab22bb3f72a6037d722fab4353dcff9c8703a1dc45db62761f44741ad9a9ec66a803ee9a9da3c9555e7c0acfd570bcf072798f3334695ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUgK.exe

Filesize
198KB

MD5
2190ecedd50e7df9cc240cf1e714e9f3

SHA1
21738b73905694e4c8afb9889ef7b05f14ea31ce

SHA256
aaa0f092f1edaaba7c2e9d0211e92753b9d195c289b82e63906f28cad38cf6f0

SHA512
f93be9bea6dd17c93b471dce35874d8aecd5a0bd682e7249169ed5029d95e90867cb87a5a16022f3fd4984efeb6afd8b00bc7be876d3ee56e75c35fb642ff1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYQy.exe

Filesize
200KB

MD5
96b39085383b05d28ab6676982c76d1c

SHA1
4a524e7d03076b53c10bbd660bd18efdef7d4182

SHA256
e6fc0345dde2b94f6655f05c772933a70e29574604bc84842731faaaaedc5f4e

SHA512
feadc17358cef3e29174c6a32b8d960e75884c08bf2f75c884e41ce9d4df20d8a6dfa7cca9a915dd6497cd0391d94abe33d38267095c9978a39c2f0778b9faec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgcc.exe

Filesize
195KB

MD5
5009a145728ba43e342acdc3fbf8717b

SHA1
7582e0a5d7fc4021b572c13c79b13fecbe5f3eb9

SHA256
bba2eeb5b1ca96f515126098e8cbc9b13af98fe3470b19dbce5b6e7fbf8dbeba

SHA512
0b978cb2b715c7e520a83d3274a839f0674823582860e4b30e3f5c1510ea01270b29db5a202f1957e3a483b9622c643cde1276209c111d52e37994c1e42280b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIYw.exe

Filesize
200KB

MD5
1193b50202bbf330cc2aa0910ef3026b

SHA1
b7f929e52b22f4013ed9c6c094d86a6ca7f781d6

SHA256
158eed30c720c97d4857e6f145e2b5b6fc2394facd4d17d82748228d9eda656c

SHA512
9382e92cf9d1fd88634da270f5f28a5352497fc4549d2eee84c34308d272390fb65f0e2306fc778035c128e76bd4ddbbe1692526da63d9e3a99f081ada8665dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIcS.exe

Filesize
206KB

MD5
937c9db668c97c180448961cb5bf0199

SHA1
675e2c688d49604cf54711015df91d2a422f679c

SHA256
63da3ef59539ff3cc10307ba8a45688a7c36a1a74f5527aa0027e485bb2d2318

SHA512
09ea9b16b789a534a8cdacddc32c4eeea8c2d32a9d0530b3f7157ad7a4f1a05862846762fa8a7982c496bf0cb86d75fea6ead295ac061f48888df953a006f8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMAA.exe

Filesize
211KB

MD5
06443db092a9e2c956f0e78be932caf1

SHA1
8c9e9ec3fc4ec31fecab27e0286d489d94763630

SHA256
e5c4a346b5d01e0a742f9444da2702b5e569d3dbb8b38708d4116371c6e303c7

SHA512
a23eed17a9a60fa76ad950fe770f16b2c5e42f2a2fb1098799826acf65bf8debebb67d2f81783a117e25fe34ad0af881508605ee863332af1366677e029d767d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUcY.exe

Filesize
185KB

MD5
18ba7ba368adcefd889aea4ff1e46e92

SHA1
d97c3f68892ee0d5b49bcd57bd80aaa53674490a

SHA256
fc413d8617f162eee3525fbd8eaba49f04e78166fddcb26e06d689549322795f

SHA512
4a2ed9d83432a1a134bdbc1c6cb16f85ee90947c461d83e8e19250e013e568976a5927548acb1720d5bc784df6c8d86b3be8509103ad511e63e78c29188b8995

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUY.exe

Filesize
206KB

MD5
c3d05c7f85c9589f061139f360c74a6a

SHA1
33445ccd18b33eae8f14db914d3a6ba29986579d

SHA256
ca3303ff630cb2735cb76e75cc12b0156df75f38c607fdea815da3bbe7ccf3ca

SHA512
59297829058c844e375109164a34f09613f6482b505fbfd6916c26c46f5703940d6084aafbca3797226c1241e220c225e759af99096f885e72df55a5b811a8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgEA.exe

Filesize
205KB

MD5
369e963db5186a5cd77460a3e371f2ac

SHA1
addd9e338e4854a2d91d8e035fcacd86322bf78f

SHA256
de0d768adc2e91a35cb632e2a02499ddc1b213e0e33201eac526c7d6b3203148

SHA512
c2b605431c9ea67eb51113c6adf4481bcef1ff694a05cb4671fdeba6ec1f29d0995cde28bba976e62f8a027353e7344fe563722bb64edc49d4da355b030d703f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsIA.exe

Filesize
767KB

MD5
72684cd303137d98f98a2189e257352c

SHA1
cf269bd91f869b01ebf9575ee201027c29577f57

SHA256
7f312d5f326f777987380ab174941f245461ddeeb52455d96d5a78d776ce9689

SHA512
00407ff129edd13fde8fd2af39c5081cefe83ccf502b7127bc2db1a7c7379d2aa0ded7a39354e2836ba1fc69a55d8f5d63de5c1c0abfce63a518d5813d3d3e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAAs.exe

Filesize
326KB

MD5
2ae1464e68f25cc8e1cfc79e72a549ad

SHA1
6525958d24f11dc1473044d50c3a03b9a93ec4fa

SHA256
b2692907b61429f06ea517c8ee13fd4c9d940b3cc101bfc390fa4ac99b9d5ab8

SHA512
688f9678ee30f4992e94188378cd2966b52417750f5690ad896827c40eda42e756f7921b5a4f0d169d3dadb0d50b1fc778becfd242c834d953152d4a558b6425

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIAO.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwsi.exe

Filesize
190KB

MD5
501bcfa921ee4646622aa436586b4bc9

SHA1
23b7c5275947532872cd861d15751ede71664b20

SHA256
f137d50619ebe8563f5132947650d223902c0d43dfefca2128223833e9fdacf1

SHA512
96cbca640d81d490492f5e9204d79b357b0c4fba9f8699329cd3e610dd95bc24c949cf8c4ab2ddc2e8a8210d84e51feac3cf2502f39217326e8071786a43d54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQEC.exe

Filesize
206KB

MD5
e724eca26697aeef23f85fcd0611cd39

SHA1
3949a92f1a4ea5c60b24a8a95e9949632485edb6

SHA256
b8fe3345bdb113748f65f95d701f20e3c5f42ea86afdc3e4ac1a83950313b807

SHA512
5ac3810ea7c74f7982ce77dee3de1139c00ec7c1c82e7aa7594f39b7bf75d75e9d0e6fc53a8f015b85279d650405d2a812a06cd87866e925994fa864144d40ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQgI.exe

Filesize
205KB

MD5
3ca49a368fe7d92d7db30ac44c5d7656

SHA1
9a17495cc599476fbafc18d0859fba3cd537f0e7

SHA256
a800f3e68d7fc30b92bbbbd1453cdcd6d0e000e55dc089e2832b5c8438378630

SHA512
2fab373159a71154a685525eb96dd3ad298f9a9a912639b8ae9a56cb44d971670057f3476f868f140717c0d6cd68b3ebc742abba2c764e8cc4847d3c5d3d0128

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwYO.exe

Filesize
245KB

MD5
eb8695adbbdc7343a88101e67c327ef9

SHA1
403b143605a168e98905b1c99355394c5d4d16b8

SHA256
1a7ac1ef730fccd1079dad230f6d81f8facd4ef6aeb8fc1e3905bbdf3b8c9a00

SHA512
907074e30d1523da23aacd8e600aaff2c0536211e164a79b8ad1b9a9ef0d9e4b0f3f6297b7f90a20de12a6de4be9c5ffe5ad31293869c28bb5b9948d6e6970b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAoO.exe

Filesize
185KB

MD5
4b627244309c0a5b0be701fa27383edd

SHA1
4af6d6384156127954ddc6d51a5689ae4b9c78f5

SHA256
4f43647d1189bc87be3296e9608b74631bbffc31cc7dfbeee53707ac39385022

SHA512
9b84f63010f9ce94b0d6804aa1fb182fcecec17719c445cf71bb5b575b3a67b61bcfeb17115aa723ff1e2ceb35e3f2c50eb0a77d97a0e66d471e0e5e137358d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAUc.exe

Filesize
1.0MB

MD5
c102549eb9429edbeb68151b05451460

SHA1
6eba35659b17e682af248088b3a2f4707bdeb6c9

SHA256
29fcd547c35749a701742b58f291a3dc9fbcf47413756f9e6b32fef273ae4dbd

SHA512
848df47b20d8297f919e7ff492848ed32c605816f74aff6498d5bc46472ff09cb0e4a9fffb7c713590c325efec4aa17eb70ca5c90bb07ffdb02d6c8dc2821a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQAA.exe

Filesize
201KB

MD5
d8971ada81ba6608176c763e4b1977a8

SHA1
ab9a2f63be9a314906fab2db0fa7a46c5af8f50c

SHA256
a69778a06eeb3dc9e0d0075816bef05b8d666f3f7f8f1178b6c3f978ac0d1f0a

SHA512
c28e417da1063c69998e6bdb22b58bbea90beba7dc5b0ce2b02c46153874601a20a825fa7eae350876a9f74933beac99b2fd300f69090f7239b13bd83dd6034c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUQE.exe

Filesize
196KB

MD5
081b8d18ca37a9e8a67f996c5dbafbc2

SHA1
2d225ce4834e9009eaa1ff7bff9f19c9fec8f73d

SHA256
a57a83105df7e496e55e5bfb43bf08d1b4ef7d18e9f6f4e1bdd4b58c0258dcbc

SHA512
8f33c931c9e14de029e2337b07a7a9c3bf1f45e91e8e4787257c299eb9ae9d58ad144cf42843d9946b240ad49d6ff4e18c26d746f48258940071868e373efc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\coYI.exe

Filesize
196KB

MD5
e211b9910d369c2bbd979c0486ba5b60

SHA1
c94c0ea6273782bd106e164d5fb6ac3daf91622b

SHA256
40f60690079b6c1c550f18b67fe75d2100ec0169fbefb269ce658d20e11e7668

SHA512
293e0c4a95bc867787a1c82e33bbe102359812502d75fe971991aa166d66d57d219f64c6dbc98ba8bb6d06ef5b3577c346d40ab4b3eb7bc234653754e1271cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cskQ.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwcW.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAkA.exe

Filesize
790KB

MD5
5c8800cf9b81b1ef3e8732722f7c35fa

SHA1
b178aa3acfa1d2566e16d370dfed81f121796439

SHA256
adfb91b302135f13992fb529376bcb4d0d52ed6442df35d7e33cf8382ff790d9

SHA512
1ec8a95c7607cf6f3d5af60fd1191e6dadf9f145b59c2bfd111ea6e43e8601573bfbd92c55ebe41d40d1a681b7ca90cf66f7460c301392f66858f2646e1cdee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUUS.exe

Filesize
194KB

MD5
a0a7b93cfb053201e268b3303e3962ec

SHA1
22b8c596cf70f54c2e70f55cf224bb67d20e983d

SHA256
2b21c77aaddaae95dac94738b447220f59704c7d4da383a058bf2f686a04b761

SHA512
58634f44f18ce5796a9084f6410d3c52a230949d747a21cc4629dd5402031a5e67568db855625e2cef2932ccfe7ffde4058bd9ee4690716ddd207a6618557393

Download Submit
C:\Users\Admin\AppData\Local\Temp\edc74c7aa1713e06f800326ccb7912dd_JaffaCakes118

Filesize
296KB

MD5
ef76e3ecebd5124e71ca8934cf07afd7

SHA1
269a1b7dbfb4d16309b835183270a24af582af61

SHA256
731595249ff3f67e020ba6903939ba233c69bbca0799c0b41b1cc04ae15e02f3

SHA512
bc1091deda6b2080f8591f9d6a25314fbcdd3d085340e9c61b3df26b0626be2ce77e449160a07e598ddb63421aff43c9c96cdf230f2a4726723a2a393bc0e443

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekoQ.exe

Filesize
235KB

MD5
dda3be4e7041b140e9021977daaa191a

SHA1
0765fa0df8807cddeea33b25b2fa8e10a7ed4043

SHA256
6559197a7c5c97b4a6f42f12f84e595d7f0c33b019ff5668a39f3746e48517e0

SHA512
ae6a3d87b466c89a01e1428e81bbe74e14d8253b208a7cfaa0fd9bc29ff09d63759a6ff23d8a483ac47c8666f2291a15abd597acecb4264376f844c43d6534d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewMQ.exe

Filesize
282KB

MD5
23800cea006c03c3f3ca51031f6acd53

SHA1
0c15cd0ef00787ad2dea30a5535e90b406f745e9

SHA256
072272510ba7b39e30936b39aaa6cdb29f5f4ffe3c2c3ed2fda31749832cc8a0

SHA512
35edfaff77c83fc43dc1b53f72f38ec1866e41aaa0d4dc8fed375df46ce033863683d8cd57b2ca18a85403b47fba930fbae7e0f517bb142660f527bc79241fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAUo.exe

Filesize
209KB

MD5
00b935268077db40574d0c5e9e0890ee

SHA1
e492c784036aeb6466b747325caeb29c501c9e7e

SHA256
8b4b0a78d2b6b8c4d0f5cf551643b51b73785440ac4d6070906f12f19091608e

SHA512
db5d8ed941a8c2f79632dca3501576984b9ca7f7d0ab9c7be22e9009e3ecc1a8c3fde145bb96a1730603c0d01e91504f6904c507a61b6567f4c581d93ce3ad6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIcU.exe

Filesize
213KB

MD5
0d788c4eb3c6fc30de048728de46367c

SHA1
f0d4fa354aa7a5dad8102fcc9dad742ce549be11

SHA256
2bfed8fefa5b987105d349a358745f1894202a0740c4a48b1abcb4e9ddda2e9f

SHA512
ef586be86f5609830f403227378ee395f5e7c1b98df02220d1d5675a9de88fb149012d9aaa5fbe1616c215786d8aa1cbcf48e7487445333fc9d407abd3c59957

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscE.exe

Filesize
195KB

MD5
733ef0febfbb19143fc97c7ce3058006

SHA1
4b21e17e834e8df2edb9c81ae840cd076adb9276

SHA256
b0b79b1b0665f2df630ccee5c515ebf4c7978dc4ad7d79d221b1e3747b0a32a7

SHA512
8b753d8b80e1dcbdacbb7afa4d3b7df8e492b990dd081c128ff0b3e0cd6a6198fa690f29e719e79eeeb3281d6079011a56e286bc14e880d7fa9d96d64923c2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMUe.exe

Filesize
186KB

MD5
0b492bf5ab792ebe160c44ccff12fd1d

SHA1
44bd9515117925983c31dee6764b188b07c085be

SHA256
09f110b756d535b6c6728fe1350494c669cd9a9cdc43964013b77824c190f050

SHA512
1c071a78b93cb8007de730f6708e0af4f4d07377f967f1f8b0888f15e6a424ddc8e042401d2edb27151d14c9aced243e7d6576801b5396c3214d9ac94c99f864

Download Submit
C:\Users\Admin\AppData\Local\Temp\iaQwIcgQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\isUS.exe

Filesize
307KB

MD5
e7289d5736bbc77fd47e469a02d914e8

SHA1
a1c87ffd0d29b51652ee2202c111a6b58db73840

SHA256
71b927e22a4659a632b17a83da231c31007ffbb1af17fd9eca08eb76af834f10

SHA512
3279d7b5861fea55c7e72f051c7d124c282437640078d177f3e1676c93652454973c3ede5919c9981c344fc6801605000cd0beba1a956b8d3bd68e7a96daaddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUIa.exe

Filesize
200KB

MD5
06c498e4c7c2fc5ae189f373e4efabc2

SHA1
af4512c49f6eaecb3355b4d44f5a66d8560b1b3e

SHA256
4461763261193d15d8f8100def6b38b3ad03268de5e97f79a43523b57184aafd

SHA512
5d12b6b97c6e5994b757e4a4fa44dd6076d83c80cd933ee73055a29ce8dd9384d6c029162e52e173c1da75f77f0ee227ac012292858631bafa886177985a6cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUwK.exe

Filesize
210KB

MD5
266e741cf7448e2c23a4b1f841c69a51

SHA1
9626c8a8ed5ae5e4318a2f48a851d965e3f28584

SHA256
8424415fc27d6be1dd5e8f050c52b7ef947d77ff4f9ab6ff60e3bb9d1af4433e

SHA512
ae93a74af5a99ceaa7e1615de561070ccd2731e8ce309d1c719f387556d44855a52e1ab57980d893a35ba9b7482656e4166dcb6ec98e5d0ace3df9c57ee9bcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgce.exe

Filesize
633KB

MD5
e1d64af32844d04ffd785faff0621143

SHA1
570a42f94931ade21b027a4b4d1309a45d29fe5f

SHA256
0c6cf8c1f8076dc13eeb3b66632df052a083a9fcba569b44e6edad4c663abbbf

SHA512
a075d80e3bfbcd38ea7a48538e2cee79d175690643594cc0dcc24a2d1a6844a1a93b0bfcfee5b8bc478fa8f33964e5d39f5fb7979946904f21f71ccad3a777d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgsw.exe

Filesize
557KB

MD5
3a8e148a5750108214086f152241172b

SHA1
e1babcbd477138bf09063b4af3d381f2272be43d

SHA256
7c34505d601ab6bf14a5589c8700f8b8ab8af878a9b5947d433e74ea9910223f

SHA512
46805b6a866494597f2fa511662a3eea644c6ecfac14f32f615ee3cb77aced400e1de9414a32d49587ddde8111268c21dc3e231eb8f47ea8f37c2be116694669

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEMI.exe

Filesize
708KB

MD5
b67ecadc49f4dcd4075f3d776e551912

SHA1
082ea132ea2be02c41e2cc23fd02ce83d743e656

SHA256
0cb75e4a4999021a830951d085660085c5d61cab00874fe8b1bf05a6cf4ada1c

SHA512
6326f0bcc6780475308cb9a63b452561d0aa0b609ebeff0cd657242fbddd4218cc37cd366de482d49cc76059228c430334835774b2a2a5b79335f299146d4b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQQO.exe

Filesize
632KB

MD5
e7bcc2c58bfda818524abd25c716c576

SHA1
e0700a3972863496a6500e226dc3eef6b5b1c8f9

SHA256
d9b6e2269ce8bce7ed1f27484e46717c6ede991a91775716448840b01a57d42d

SHA512
342c4cddbc20bd03032734df824c141f14ee68cb007870d5b90ab22a91938dc18cdba9b89a95087bdbeb1e7e6c4f5202e97f9a7a664f0f38e5d9173e6590375c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgwg.exe

Filesize
201KB

MD5
fb1fb396ec64b899d21a5cf014d01a1b

SHA1
9083ae46d46e50bd4a670c2c547e9459f844595c

SHA256
39fed05282b0b93f3b86eda0e4dc56e6b8a45e5d9ba7e70e35f08756846cdc84

SHA512
dfce25218a4ef58d140bba9a48f8a1b79e71a61e2f692841280ad542d48edb92a6beb39fe87c78538b088d1fcb81f25a97b926b0af891593c50ff08a2ccaa722

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEcU.exe

Filesize
200KB

MD5
1441347ff2c5a5779cc2ea057cf1ab1b

SHA1
6186f4419c14f7b242cf8cf9035760c7bd812417

SHA256
3a0f156c22d2075d41976cd15eea9e62f344c766f8d8ac7cbd7c718a0b0416cf

SHA512
be3b249227887d2247196bc89169f36c8e0b0e9557c653d6f506df0c51ee5c34f7c9d8407896f59ed4dabada6572b04a3aa31e036b70e8f230430a71b0a7906a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEoq.exe

Filesize
189KB

MD5
0e93661c51dcf12d68668836f795f09f

SHA1
74d15dfcd695a83fb7228f30db5d5c609da4cbc2

SHA256
d4eb97b32e9a411a5c4d7c0bae0c3a8b8dfd935501e83ff73fda9d105a46780c

SHA512
864f7c9de586640128e88e66fe095250a6fb09754ee5ac459ce474d17ffaf4f19b19865d9056011129a0373f8bca796785562420ac1819bf0d1abfac16f9ca4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMwm.exe

Filesize
797KB

MD5
ac5dcbc79cbc24eff2923c70d48e520b

SHA1
c01a4f89b8d403b0ab937d253d8955724df08480

SHA256
fd0dec951f0aae26681139bf85625d01801325df4dd0a6c9bfa5773eb12792a6

SHA512
b6d09270283426a2a4f28fea32f644037d4a25c4bbf51c1eb97fa6ab148a111d46352731d8844d0218e123af3d18abf94ac9ce08acd59bf5c2cf176bb580abbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUQo.exe

Filesize
806KB

MD5
13191e19c55975c4b8a001eea46cc6e7

SHA1
6a1ef4095b65bfa6fe3d3c8c69f99bcead96a80d

SHA256
ed4e2697bbe3d60936dddb034863968b1993ba74153c5d13fd0d6c8f7a9a93b7

SHA512
7fcf40c993c35161b8f1ab8ed4cfc5ba0a48768f6314e341e7f9df0958105bcf2a244619e77a90ea2f16cfaf2199a1b0cf870b62026c8bb32fa8cbe1fea28ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\okgo.exe

Filesize
248KB

MD5
7172f18c57a3608d8299d00feb88125a

SHA1
548b72f810d031f96135e820cb4ca2a3c918c079

SHA256
1525e5d5ba8a4dc7347cc14e9ec8be5284820a1e088be75a96bc4d8701e605df

SHA512
3e9447a5f32953b64c544409ab58b5345f2ef4baeed89f1726e92d337a9c21b88676a92e8f114dba1d6120ba845c34fe5dc903a390ffdf500327602d297f2b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQcq.exe

Filesize
190KB

MD5
bb12529d3855aa66f77801a1dcf51035

SHA1
f06750b12d2625564dbf9e479e592810ae7b7289

SHA256
b0a839561b08918d3a4835cd815107dcf2c00fa0aae64cbce4e62c4171cfcfe5

SHA512
af3feecd8603c723e240df83d1340010041e021ef214ba1df884e269020fc3e8e843a3ae890c12f344c705c89ca5341cc6428ddb33c8a68b3d286c0a1c987f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQwG.exe

Filesize
192KB

MD5
220633da9c261958be040ab9d8e37be7

SHA1
f160458e19b84b5c1e9dfa912c3b1b1d70cacb4a

SHA256
0c5b6d16ad64bfe585c9f900af483a4745a9b9f30b5bdb1c9074de7faf8e5186

SHA512
4f1704446f90fd975620c5c91ba912c086508025b1ea2167ddf5e852d026cdeb7b1818378dbec6d889d79d29a1fa12e8f7e52de94192ce00793b321199d62004

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwcS.exe

Filesize
879KB

MD5
d0fe889a27fd6ed118ce23cb625581e0

SHA1
a2c3d0efdec0bae34e2b1bce714a939569385fe8

SHA256
7ad7f3b4adad5ecc9aee2874fd6f03b11db08a0c12b30a6f1369c629d4f42fa3

SHA512
6bfe1d5773d338258e0a0023f948ffbb4941157c08c151c52d31cf44dfc8e0f38dca3764a290143c717123d5f90aa1adbcfa531b721f1ed090995a89798329f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAcO.exe

Filesize
387KB

MD5
8f55a596568bc7a7cf6ae2d90f49db64

SHA1
a05f750e03e4bbc016f266cb53732156b3db3ec3

SHA256
667cb60cac2297e771808579f9c53dc7d8ac3930ccaeb0dec0a5eb09515670b7

SHA512
df86aede15f3253f0378aff8f734fc32d83abf3971a0608174a29fb9bd5f3b8346a7082118f5b0287700db6f51167b1979cc5246dae1673fcaebe8c93508b7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEUM.exe

Filesize
191KB

MD5
858dd214bf5319052e5653a7418611ef

SHA1
7a9efb2561b94870d70191d3803579a33e1ee0b4

SHA256
ae744f7ec94d708027883a32c96e16e35136a0767ca51e9393e585194c27d9eb

SHA512
e2902e75da83accad3096a01f9e3da588e11a3eb0947ff5ac0d8c3281168fefdc01e3327130965095e3c16912e552f4e7c1ff53c5fdf44631b6fbd4a3d180556

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIks.exe

Filesize
214KB

MD5
4bc758a70a5c22069e0f1d2c3be0eb28

SHA1
0ac11355b4e3b2b46a866710eb68b26264fcef02

SHA256
4dcc0e49915baad10165f8551e03463a2b199f5dfb4f3a27d61c99fd03a64c3c

SHA512
08e2dfbcd3126a929549a6f2b58cfa2a5aa6c7af1dee843943b33af905d661791bcec73bf843a03c9ea1619ea08f83c00f57f13a511a13e284cfce259d222c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYYE.exe

Filesize
200KB

MD5
5cbdd40ec90db323fda6a9081a19f039

SHA1
5d01aa4239975cd87878e07f4c15e628d61cc023

SHA256
0038187b5188ee4b9e92fd4d0978ee3877c0570fecbcbf8cdda55c6dc7984030

SHA512
ed52df23dca06cf15b6b085964ec1f767c8780a34ac8a6e05f19737604ccd3a3dcdb57c1f61f2255a092b0c65375b9ba88028924d241df12f3b3a2750dd4aec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssQK.exe

Filesize
194KB

MD5
ea101bd53477c0184bd1d99536a3142f

SHA1
aa14a042696f8571306603b94c0711f222ceb7e9

SHA256
b9f65f3ebf9febdb751e06b1c8fd793ef91d9822bde13a0022ab08a6bf9c0add

SHA512
c53969140d08c0403c3a52747ac24c4dc6c4a5781a34b475c3f2a7dc73577a759ace0f3d89555854c14c8255075608420b6009b4e96cc34923417e9a5ea2ec1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssYE.exe

Filesize
428KB

MD5
773a88f45d98d8033c94b7a45859a627

SHA1
9780378da93ff884332986fdbefed74f0e8c9175

SHA256
4350a28962a2343c1546eb731261f20ecac11c5fecac366921b339a6bcf1372a

SHA512
b7785cc85812e3004feb5dc356eccaab9c49642c2ee58b2b517bc921d2d75270d81bfb4e657e139ac8026368ee09b8e27a7f8301c5901ea044c79e8b04869dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAQW.exe

Filesize
624KB

MD5
7a0d2de3aa0c5bc87f56acb2129ce048

SHA1
9521886501242007000da1ac588f6a59fd969ae7

SHA256
d67104f52697e7aa6e3916801d1865927b3f511d5e72715148173fb53b232c2c

SHA512
75db3b12a30758ebde89d97062bb87d52eaa79f4e07778d536197a31975abd546b19106ab698d6be5e398e1eba7fed6cc38b1f134a6004f4922438fe0976fe6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEQE.exe

Filesize
286KB

MD5
e892653e7b029b488ed7aa15dba6da0d

SHA1
0276dd19eb70e1d3a63eeda483c36460073215f6

SHA256
0ef5a196d6d26795d6066d0f2ba8d81c1e1e03039810490f0eb2c89a5310ddd5

SHA512
562f68e9cbf5dd7787096810d240c2936a03a916d89295402d0306e5e3ee7fc014f6e2d5e2db09f335446a247259faee06b3f35c0db8b73aacf6060fbe5e9e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMcK.exe

Filesize
316KB

MD5
1f2013207b0cd86788f3d19921dbabf6

SHA1
88ef51ba57918a1a7ab82907fcfb47245373f8c6

SHA256
cbe89114b839a4cf899b6c6063c7774e258f6e04d674ad0e4083ce5265215940

SHA512
76eed08f261aec36a60b5a24afdc35d5e5f328364c7f96d0b344abd547a322101de66749cd6fe17e93fa686623165a6bbc86e54d7512b79af0fc46dcfc7ff990

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYIM.exe

Filesize
195KB

MD5
69f5ff2f5be00b82834eb8ca75b4ea98

SHA1
34a37af6c5ef6fef84b8e3954c3a7d52760fb053

SHA256
4c33e5d2befeeb30561169e59b4975680644de533c22815846eadcfb818f7da0

SHA512
2a07dd92f96dc3c791c3de7cd0df383d30a4aada1331bc6937b7536c0c3a5b52e71e21cc0d36e054af8b47365410d9564e5b84b965b66392f87e84982bb1fe6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYwQ.exe

Filesize
211KB

MD5
831327082d880375ee621b930a4aea84

SHA1
9b7d76c692945ed7aab3845a3e59165c1078c67b

SHA256
1d6c7f4ff333e793d524922c040a637b43140e2f2f917ba569e767ba7e697a51

SHA512
4c59fb672c6290acf7ae27ff730bbfc7892b3848423a43af735df852a027b9afe1f4276a2f2495ffdddc25e43a6035378905cf749df07e6977466229c8759383

Download Submit
C:\Users\Admin\AppData\Local\Temp\usgq.exe

Filesize
1.4MB

MD5
5dcfd3ac853bf9e866c394aa8b97fcc1

SHA1
c7f1cb3156da1748081aff14bd1bdc1e482baedb

SHA256
2f48d166cde99c24f78ffd6ec0510a2bd09c7bff05928bded5dc9f4fedb27847

SHA512
ac063de1eabbbf755e67128ac8b0d668eb4a20d329aa6cd6207ccab9e4c3c8c9c77293a94571451b3d457758503ef49da0f9e7f681221b501006af26c03ab242

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUMw.exe

Filesize
197KB

MD5
57af639c3494eb6dc36da7b588e26646

SHA1
4aa9fee35a2b3a317cce81cb2e73f1e30ff047c4

SHA256
4074b4f08056934de5487b59d88d9b00e4f82dcaee314f7c5259e41df1d3d778

SHA512
47e550aa2a1fb3bc2ce698a17f6723687a8f93ff09ddc6874f4d66e91e068d1ad364c41d9e82c5ef6634c4b8f65851d8867d1ddc165708203054b9c423b5c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYAk.exe

Filesize
195KB

MD5
bf7eb05a2d624dd278b9473d9a4c1074

SHA1
2d5a60c599fe3ea8ae71cad1681ecdd2f9554e98

SHA256
ed7399034079329b720624efa527a863a32ecdf57fccf7844719b5cf5f8a5adb

SHA512
16067246931107188bcb1a5c19183ee04e020bf3adfa0943b9e8c31995e41adc0ab6823692f684848b2b74bcb34d44a4b370d15bac4461bf0c1ce78404009031

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgQw.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\wggI.exe

Filesize
216KB

MD5
b47e19d62ef77731ad6c1e8669a73a79

SHA1
5872c7d872c8fffe5f6babe45ae9079392912933

SHA256
b918d62c9612cea6a1fb6caa141f0c8e024a54d251eb5952bf81ee4a645beac7

SHA512
683e9bb5ce2de35a0ba2c688c2df6168de4d97f73599a67e274f5096e3ff2e09161e56e753804c325763b8bca8f5d60198b3eeb7f7e3a285e8fc42ab005c1b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsAq.exe

Filesize
195KB

MD5
80a48edc25c3065c3baf022509ef6f39

SHA1
72ac21fd763d80ec7e5ca2e41a6b7d5e8cc73e9a

SHA256
a5b62abd9283f30cd5fed6348648fb5117421e65dd22c4acaa2b0ded739dfa4b

SHA512
060d968193b987d43ecf2b22e6d15af258c9194593fabc4b3b4244413fc8adbe6d4732141631bdf7c768bb7d7e746bc5ca9e74daaa6520e2df18eaa856728bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAkC.exe

Filesize
242KB

MD5
b1b6f7c9c211907553c39f06630ec377

SHA1
9b259b4ead69b298bc3fc6bed009edb2660b3b6e

SHA256
b1994efc9aefd72eb3500f83e8fdabb37acd92aea7cd77cab3f91bcd120b6903

SHA512
6017475039b4243d0793dd2f96ba675a3f2f6a913477096b4b9c843675b22f1629bf0cc5653f61c3f641146ddf10e0c42fdac1028422424a882718137480184c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYYs.exe

Filesize
197KB

MD5
43347ffee8dd86f18fb500866f43a015

SHA1
1f8775ba8f423bef44e9cbdccadaa07e16442ba4

SHA256
6fd29789d61048b1c150298f56f05f945b75f48cca8fbcc366268cc5a050d0c7

SHA512
6c77ba7042bc536c5afd63e87f0b303d9bdae48e5cf48c91b8e9ee344e0e19a1b0922eccc2e64cf476ef7797374855baab93fee0fabd397d9bba63abc827bfaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYcy.exe

Filesize
187KB

MD5
8b594a1792db3bbe2a8382578c7e8397

SHA1
7300793eb89328739ec1df9773ec6d445d7e2319

SHA256
566c09c838f9aebcf8bd2404c1e2ef159755411cc4ef14ab2e69906b7045c821

SHA512
3934e56d98abb7cc98938f85e683ffe646a805237538d46dda353fd2f65c05883964c295af29883f5372f4b677f50866164068a31601ba518e411776882f856d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykca.exe

Filesize
194KB

MD5
4d4f7ce15ebd06eaa5a5fbfb38134a95

SHA1
47e550e425576d403328e878525cfdf60f3255f9

SHA256
6287a86d212b74b91f48771920d8f346bd5105eaadad94c35ec6f7ecec6daea9

SHA512
2389d6c904c69e7ccbc8be5d4f6d53d4f66d724a2c180617f46f59db9b9277a620830f88cee838d7d8a954f7f43d95babd45ec40cc65a260a2e2506ac53630eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoAE.exe

Filesize
221KB

MD5
84d44c0d4d33124ec3869a12793f9c9f

SHA1
6a33409899a4c195cacb6873bd039585716ca11a

SHA256
afc40bc8e8cc9c0185c0fa418bd55cc1552cb31d96fa54e9f43965ac2e87cd4c

SHA512
2f3e8c41f1d15173cc43c0bdc56a717636d85ee873e8d9d2c1de341aaae1f5efd2f26b91c722ae479052ef3030f0fe78a66e794aa142884e0f57730165571bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywgc.exe

Filesize
332KB

MD5
c76d243c52eaa0cb72e0a9a98edd2b78

SHA1
1f0d28057238fe7508c28701c9610362179692e1

SHA256
60f2f0b00edaa1c53e44cd7b4dfbfa7aecae65d30868a88508fbfb5d0201b0bc

SHA512
fa904824cddc18a718fdfe03099b28bac94091b36a94a7a056105f686b1a592a7ffaa1e6cbac96db947c60280fba54225d3e752348a08c16c5072a1da9994754

Download Submit
C:\Users\Admin\Documents\UpdateBlock.xls.exe

Filesize
381KB

MD5
098fdc484fa385602c7b16301fde9977

SHA1
49d727da36a3fc75903739299f07099e440f9d13

SHA256
0c9ffb586a0242974301c74687b455365f24e1588f76f971b7b00ef575cb06cd

SHA512
939a2757f0cdcbc0a5f8a9353ca86c8d640627ef5a6202d642e24572b0e02a8d0e6426055fa8e7da07fb7017bef412c77e6ffa42d8261ce9a5ababaa4d540476

Download Submit
C:\Users\Admin\Music\EnterOut.gif.exe

Filesize
791KB

MD5
0e837056bd8f88ca5a854d3791a9657b

SHA1
1d57574f9e47fe2c7aec238b85a6061c1782f8ce

SHA256
2d741a77defc7723bbfadd2ab388d17f198fa384a3f177b70bc72b9016ac27da

SHA512
429935a07bb5fe6f72a84fead178e8c1477b46dd48cbb8fe8143e57adf8e0a22fd0a53e9e27d6fa6c1af2e225e21b75efe7e8bd850be0d99c9f74d039c52d2b2

Download Submit
C:\Users\Admin\OakEQkYM\ZAAQAsgI.exe

Filesize
204KB

MD5
cc36d8e0a4ca1b87dbc9bc3517866941

SHA1
6ad3b43ff841120ede5dace39ed77bd53cb53440

SHA256
efbc60d581107bf943ea5ae325413ce1bbacd50c012d855adac3cabd618223f0

SHA512
bab13e526f788533c1b9d4b6c47092744e76c60ad7e86813a0851d4927d378b9336ba068cbeb23f53493a8df1a9c13f52d0f3c5bdc570edabbaae49d120ae4b1

Download Submit
C:\Users\Admin\OakEQkYM\ZAAQAsgI.inf

Filesize
4B

MD5
472c374c51ccff25c9b4973d3201c0dc

SHA1
4f354e9a5d7b7183db71285d85ea40a2e12121ac

SHA256
eb93204fd479d6672c442cbacfdfcbeeeef1567557df4ffaaeeec9e1157adb0f

SHA512
72a077941ac3fe7d414047881a415e4f4a4287f15f6a63106b1d4edbe2b5490a9a3cc50833040e0a798b007ab15e64de7d9e921bcd46608085f9043274d00912

Download Submit
memory/208-580-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/416-599-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/416-607-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/644-647-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/644-637-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/740-492-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/768-368-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/784-598-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/816-673-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/888-509-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1000-114-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1164-620-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1164-627-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1212-67-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1360-313-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1360-305-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1392-102-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1392-322-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1392-332-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1556-681-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1592-295-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1592-304-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1600-689-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1628-43-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1660-628-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1660-636-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1684-396-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1720-466-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1732-350-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1732-358-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1824-546-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1824-555-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1984-474-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2024-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-401-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2072-413-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2208-440-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2404-126-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2508-500-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2588-257-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2588-265-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2716-448-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2776-432-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2836-285-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2896-220-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2988-185-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2988-174-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3104-91-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3156-161-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3176-247-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3192-536-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3192-528-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3208-663-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3236-423-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3236-414-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3336-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3336-80-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3356-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3672-137-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3756-618-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3756-608-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3772-277-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3772-267-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3792-527-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3888-147-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3912-55-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3912-44-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3964-197-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4016-377-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4016-369-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4016-321-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4048-256-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4088-458-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4156-572-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4156-564-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4176-505-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4176-517-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4256-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4256-19-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4292-563-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4296-231-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4404-293-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4456-209-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4464-349-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4464-544-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4464-340-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4696-655-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4820-162-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4820-173-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4856-405-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4864-590-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4872-378-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4872-386-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4900-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5000-341-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5076-483-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download