33e2695da4fe975e3945b6aafc539ef6ad61c4916b30b00bb5454fc4a9286d6c

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Size

199KB
MD5

54f18252d65c0a4dcdf360055fd4bf82
SHA1

1ce81d8323d11e7b03421ce4030588026a6a81e7
SHA256

33e2695da4fe975e3945b6aafc539ef6ad61c4916b30b00bb5454fc4a9286d6c
SHA512

d4ba259bd8538c41e9a2c3c510f646edf9508afe1aac66717b7cf463ae7d61401e199378a6a8f0072cdc320a17595308e6f3a3ec02ef0866c66e3d2369951afa
SSDEEP

3072:oWkwzgGtfU6MW8zpoLJ+Fky0jwHPzoam2oxpy3PUszw+IyJ9EmOzFUO7QP7OLxRs:ogUJx2gRaA+mpmid

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (57) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	SUIEcMEI.exe

Deletes itself 1 IoCs

pid	Process
688	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2120	SUIEcMEI.exe
2708	PWgkEYYY.exe

Loads dropped DLL 20 IoCs

pid	Process
2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUIEcMEI.exe = "C:\\Users\\Admin\\lAwUUQco\\SUIEcMEI.exe"	SUIEcMEI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PWgkEYYY.exe = "C:\\ProgramData\\XMEQoIQs\\PWgkEYYY.exe"	PWgkEYYY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUIEcMEI.exe = "C:\\Users\\Admin\\lAwUUQco\\SUIEcMEI.exe"	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PWgkEYYY.exe = "C:\\ProgramData\\XMEQoIQs\\PWgkEYYY.exe"	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	SUIEcMEI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2684	reg.exe
1440	reg.exe
1616	reg.exe
2504	reg.exe
1976	reg.exe
2616	reg.exe
2780	reg.exe
2004	reg.exe
1624	reg.exe
1852	reg.exe
2820	reg.exe
1384	reg.exe
872	reg.exe
2864	reg.exe
2780	reg.exe
2576	reg.exe
340	reg.exe
2624	reg.exe
2588	reg.exe
2176	reg.exe
1528	reg.exe
2800	reg.exe
2660	reg.exe
2664	reg.exe
1632	reg.exe
548	reg.exe
2168	reg.exe
2620	reg.exe
2892	reg.exe
2100	reg.exe
276	reg.exe
2100	reg.exe
2264	reg.exe
1212	reg.exe
2368	reg.exe
3016	reg.exe
1640	reg.exe
2736	reg.exe
2388	reg.exe
776	reg.exe
1624	reg.exe
2328	reg.exe
1944	reg.exe
2964	reg.exe
2356	reg.exe
3008	reg.exe
2344	reg.exe
2804	reg.exe
3000	reg.exe
2248	reg.exe
2260	reg.exe
2192	reg.exe
2696	reg.exe
2128	reg.exe
1772	reg.exe
2052	reg.exe
340	reg.exe
576	reg.exe
3016	reg.exe
2520	reg.exe
2916	reg.exe
2744	reg.exe
1416	reg.exe
2792	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
112	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
112	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
604	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
604	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2132	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2132	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1672	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1672	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2676	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2676	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2720	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2720	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
676	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
676	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2204	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2204	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2212	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2212	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2964	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2964	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2768	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2768	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
468	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
468	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
776	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
776	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1544	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1544	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1764	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1764	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2996	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2996	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2524	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2524	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2284	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2284	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2072	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2072	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1300	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1300	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2916	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2916	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1012	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1012	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2764	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2764	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1748	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1748	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1256	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1256	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
784	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
784	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2752	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2752	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2576	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
2576	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1632	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
1632	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
3016	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
3016	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2120	SUIEcMEI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe
2120	SUIEcMEI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2120	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2120	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2120	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2120	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2708	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2708	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2708	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2708	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2780	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	33
PID 2268 wrote to memory of 2780	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	33
PID 2268 wrote to memory of 2780	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	33
PID 2268 wrote to memory of 2780	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	33
PID 2268 wrote to memory of 2576	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	35
PID 2268 wrote to memory of 2576	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	35
PID 2268 wrote to memory of 2576	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	35
PID 2268 wrote to memory of 2576	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	35
PID 2268 wrote to memory of 2328	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	36
PID 2268 wrote to memory of 2328	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	36
PID 2268 wrote to memory of 2328	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	36
PID 2268 wrote to memory of 2328	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	36
PID 2268 wrote to memory of 2744	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	37
PID 2268 wrote to memory of 2744	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	37
PID 2268 wrote to memory of 2744	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	37
PID 2268 wrote to memory of 2744	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	37
PID 2268 wrote to memory of 2552	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	38
PID 2268 wrote to memory of 2552	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	38
PID 2268 wrote to memory of 2552	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	38
PID 2268 wrote to memory of 2552	2268	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	38
PID 2780 wrote to memory of 2628	2780	cmd.exe	42
PID 2780 wrote to memory of 2628	2780	cmd.exe	42
PID 2780 wrote to memory of 2628	2780	cmd.exe	42
PID 2780 wrote to memory of 2628	2780	cmd.exe	42
PID 2552 wrote to memory of 3016	2552	cmd.exe	44
PID 2552 wrote to memory of 3016	2552	cmd.exe	44
PID 2552 wrote to memory of 3016	2552	cmd.exe	44
PID 2552 wrote to memory of 3016	2552	cmd.exe	44
PID 2628 wrote to memory of 624	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	45
PID 2628 wrote to memory of 624	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	45
PID 2628 wrote to memory of 624	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	45
PID 2628 wrote to memory of 624	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	45
PID 624 wrote to memory of 112	624	cmd.exe	47
PID 624 wrote to memory of 112	624	cmd.exe	47
PID 624 wrote to memory of 112	624	cmd.exe	47
PID 624 wrote to memory of 112	624	cmd.exe	47
PID 2628 wrote to memory of 1632	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	48
PID 2628 wrote to memory of 1632	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	48
PID 2628 wrote to memory of 1632	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	48
PID 2628 wrote to memory of 1632	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	48
PID 2628 wrote to memory of 1616	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	49
PID 2628 wrote to memory of 1616	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	49
PID 2628 wrote to memory of 1616	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	49
PID 2628 wrote to memory of 1616	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	49
PID 2628 wrote to memory of 2368	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	51
PID 2628 wrote to memory of 2368	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	51
PID 2628 wrote to memory of 2368	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	51
PID 2628 wrote to memory of 2368	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	51
PID 2628 wrote to memory of 1904	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	53
PID 2628 wrote to memory of 1904	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	53
PID 2628 wrote to memory of 1904	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	53
PID 2628 wrote to memory of 1904	2628	54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe	53
PID 1904 wrote to memory of 776	1904	cmd.exe	56
PID 1904 wrote to memory of 776	1904	cmd.exe	56
PID 1904 wrote to memory of 776	1904	cmd.exe	56
PID 1904 wrote to memory of 776	1904	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\lAwUUQco\SUIEcMEI.exe
  "C:\Users\Admin\lAwUUQco\SUIEcMEI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2120
- C:\ProgramData\XMEQoIQs\PWgkEYYY.exe
  "C:\ProgramData\XMEQoIQs\PWgkEYYY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:624
    - - C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:112
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        6⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        8⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        10⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        12⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        14⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        16⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        18⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        20⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        22⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        24⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        26⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        30⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        32⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        34⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        36⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        38⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        40⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        42⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        44⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        46⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        48⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        50⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        53⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        54⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        56⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        58⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        59⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        60⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        62⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        63⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        64⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        65⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        66⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        67⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        68⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        69⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        71⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        72⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        73⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        74⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        75⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        76⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        77⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        78⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        79⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        80⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        81⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        82⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        84⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        85⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        86⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        87⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        88⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        89⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        90⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        91⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        92⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        94⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        95⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        96⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        97⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        98⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        99⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        100⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        101⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        102⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        103⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        104⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        105⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        106⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        107⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        108⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        109⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        110⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        111⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        112⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        113⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        114⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        115⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        116⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        117⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        118⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        119⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        120⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        121⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        122⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        123⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        124⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        125⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        126⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        127⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        128⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        129⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        130⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        131⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        132⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        133⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        134⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        135⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        136⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        137⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        138⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        139⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        140⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        141⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        142⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        144⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        145⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        146⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        147⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        148⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        149⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        150⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        151⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        152⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        153⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        154⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        155⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        156⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        157⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        158⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        159⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        160⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        162⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        163⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        164⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        165⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        166⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        167⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        168⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        169⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        170⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        173⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        174⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        175⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        176⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        177⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        178⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        179⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        182⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        183⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        184⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        185⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        186⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        187⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        190⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        191⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        192⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        193⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        194⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        195⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        196⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        197⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        198⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        199⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        200⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        201⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        202⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        203⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        204⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        205⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        206⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        207⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        208⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        209⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        211⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        213⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        214⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        215⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        216⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        217⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        218⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        219⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        220⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        221⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        222⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        223⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        224⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        225⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        226⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        227⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        229⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        230⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        233⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        234⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        235⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        236⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        237⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        238⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        239⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        240⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        241⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        242⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        243⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        244⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        247⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        248⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        249⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118"
        250⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118
        251⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKMwgoQI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        250⤵
        Deletes itself
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XKkEAIww.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        248⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies registry key
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgUIkgoI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        246⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccYoQIMw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        244⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIEIQAQk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        Modifies registry key
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgkAAcMw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        240⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgwYIkYY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        238⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIQgUsYg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        236⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCwYccgM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        234⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgYwooUQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        232⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rAkoEcEo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        230⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aaYcoUMo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        228⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMsMMgII.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        226⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eyAQksII.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        224⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\saEccwsU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        222⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYgcQkgo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        220⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCkwoIcA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        218⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIUcEsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        216⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyQMwQUw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        214⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bygUokEE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        212⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PckkwIYY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        210⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEMoEAYg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        208⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIQkgkcI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        206⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEMMUcMI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        204⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUMMskQM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        202⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyQEUIQs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        200⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lQcUkYEc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        198⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        Modifies registry key
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcUkskEc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        196⤵
        
        PID:356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HusUYooU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        194⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSUYMgAw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        192⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AwEQUosQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        190⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cyUEEYAc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        188⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmowEMsg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        186⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\swMsMUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        184⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bEwQIooY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        182⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pMkkcIQs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vggEoEMw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        178⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcYcYQgY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        176⤵
        
        PID:272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qyAQgcsM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        174⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmMEgcow.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        172⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCsoAsEc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        170⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YWwEIUcA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        168⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MikIgYUY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        166⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcMwkcQA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        164⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgMwwgEk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        162⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMMUIMoU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        160⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYEsYckM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        158⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\esMgEYok.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        156⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWMIgEQA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        154⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEMIUYUg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        152⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCcooQAM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        150⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgwAIkMg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        148⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOIgcUoA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        146⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOgoIIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        144⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQsAswww.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        142⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uyAksAIM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        140⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWUQgcII.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        138⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAgAwEsk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        136⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkUkwkAM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        134⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jswAoEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        132⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZuQYksgg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        130⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\picgMoYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        128⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIYAMMQk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        126⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UAAQQYwk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        124⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQYggMUw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        122⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\goggwIgc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        120⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NacIQEsU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        118⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmAskEMc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        116⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUogAkoI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        114⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dqcUYMMo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        112⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oasAoIQY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        110⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugoAkwMc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        108⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIoYMwQc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        106⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SWgEIEcM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        104⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qokoYMQs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        102⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HykkIUgs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        100⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGYkosgI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        98⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUEEMQcM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        96⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tucQYIkI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        94⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCkksgsU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        92⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eYcAoIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        90⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GyUIQkgk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aWUcYoIw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        86⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMsEQwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        84⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIYIwsUo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOgYMkUc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        80⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RagQQEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGgQIsYc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        76⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qYkgkEYo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        74⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ukkQgAgE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        72⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LOMIAccw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pcsYMQcA.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        68⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PMssMwYg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        66⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMIUoMoI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        64⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qoEEAMMc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcEkwsYE.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        60⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUYwUIsI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        58⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogYwkwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        56⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEAoMUUc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        54⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYAEAEwo.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BegoQEgg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        50⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NccQIUEM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        48⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKoMsccU.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        46⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YysMQEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        44⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmsQUUUY.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        42⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkQwQEsw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        40⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQgwEAAs.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        38⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOUUcwkk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        36⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGwQsgkk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        34⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWssksss.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        32⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKYoEQwI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        30⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CgQAMEcM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        28⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eyYAMEwk.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        26⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgwQQsks.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        24⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCEYcwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        22⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hUcEYggQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DyAwEQos.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        18⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\roEksUYM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        16⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAEwMQIw.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        14⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SeooMsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        12⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMQUAwYc.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        10⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yuYskMUM.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        8⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1272
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:332
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2816
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\REYgMUcg.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
        6⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1632
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\zacEYQgI.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:776
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2328
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUooMEow.bat" "C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1677545583-39431059913666410093881852611338265761-120894969-411569329-266175147"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "539268477-1018821869257060643-11404127609744433689241618824028158-1004534101"
1⤵
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-88117089115169815151838299556-1381649573-331633002165424187518185664-1305195448"
1⤵
PID:1336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1792361974175058483-12734282281285550021-1366032656798812452397028623-1531478630"
1⤵
PID:2108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1824822644-1264221072-1937761202102076296-1062681616738357270-1013408681-1920732082"
1⤵
PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "832225201784430045160726534085174910722835822113812898341099453569-240678005"
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1578511283-8974153271050758058-16807594101076694888-293902856-1742997889711709500"
1⤵
PID:2616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "740067346-1223159225-583215081-2089225749-385428879198533150216703072032012754233"
1⤵
PID:272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1363305976-1961416353-8889578233492283521063787599-8077212427265138161904313132"
1⤵
PID:3008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13337347661161360190132423954-19357387901126836626-1347226913-16822236491683540735"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-73317171585264244115725512071349169750-155810671-8551283361487424543-1762953389"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1549446050-210430595516515589241120070950-821461723-561110775-1595336840-2113388737"
1⤵
PID:764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13495347111408746521663281444940224314-2092885581-1862877196-10183351311275505342"
1⤵
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-212035634150144182-21079156962020111489-242676542738034006-375455821-1372986685"
1⤵
PID:548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-756440808-16286085931341655104212154826099594499515587388211794108799-511278136"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "617843466-680810783-771151796-643265869-434742245136899536-1930443456-425144524"
1⤵
PID:2580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-816352316281161273991518004-214035904515701513896165288691899120556-254456204"
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-420079888-24498995-1701588254-5084712719387965591068456414695972544-1364310630"
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2045221637-13313801431007853055-1884118114-547884824-1282968429-2061687931-2068873037"
1⤵
PID:1000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1265730766753490975-7074607001758415529462308999-13432969477207762571384041529"
1⤵
PID:1068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-175027348-49062505270617197018942073501297604235-893291399-630502664-2043259178"
1⤵
PID:2392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "570017070-257665909-979449568-18745566271624638134-1320707589-97932243-1186168273"
1⤵
PID:972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6826220361664306252752239879-7250595491163964789-1570161590-780622878-1831727365"
1⤵
PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1906629779134644081-1753552265328448881866136254-7051618111168101886-1096213392"
1⤵
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13428105231305228798-1876648713-1535716884475894536901221310-1905820599572143978"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18426947721488739980-5399243962104676353886565589-1403315719-12595626681268590692"
1⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2064216128-1537369248-241191266228298870-1673765770-2197194183492044-524362155"
1⤵
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1753875528-750784533-1350489974-206575559317360488791480960409-2427782431648803744"
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "432256573239380319-19974177971818101579-1866196673-1687527682-1087421121380307636"
1⤵
PID:1936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-342234625-1427199720-1477452573-1326548106902471700-1563876143-1868315279938925650"
1⤵
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "343881098-1686351206-446400118-406341454797520996-1020431738-16942737191139551018"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "62205744014573099481832510605-145943106-18502423371915019570-625475019591199538"
1⤵
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1306213654-1264947742-1724966634-160299747335831134873171061-321601989360690657"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-220676101934552626-820800511250282130287650203-465119943725561487-1298881798"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7328872481505973734-946565507-1332471841212655440857987909614417341251217181584"
1⤵
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "472655266131407337348108523612629621601916535818-15074871381629311985762540321"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2521796692324689111302556081372574404804732230-1837398547-6977200661355238088"
1⤵
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "148795876962087168910577953651814478701105299276-121677149721331634582111021672"
1⤵
PID:1224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1373829294771071034-404434995348506119-452887287188611810416078146192106930557"
1⤵
PID:396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4500041811018875239-964730954204135442-22282843-1292113449-1790282222-1470328602"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "128447734614539025421865806304-7213087751931631921431156024-1645368913-1177032371"
1⤵
PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "192804253313985308411351055598-1809545611038570009-603416753-1547114812-1782406325"
1⤵
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
227KB

MD5
a57959ab9e8f7e8fca06eefd8e96a606

SHA1
f8fe5187a528f975d8644d6f4103aef9d895dccb

SHA256
73672ba5ff4274876325a87affcc1c7b6a8541351b2bb8a5aaf1e9a6e87420b6

SHA512
078b4b977bc60cbf7215e76d9c60241fd0a3b5d4455cf7036362157cd0c2b1e16b1edd9e1ec0e8b6786e61ae204dfb68a8ec06d3b34de1c9ddebe6b01e0eea5d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
246KB

MD5
4f9849cefbb190feba4b5e7b6f19fcca

SHA1
86b67238ffc44d1184d8326cf724cc4ddb6a3aa9

SHA256
c3679769e3ec8dac1059e583961b19c8d1a2b5f0edb84a80fc3e2b310c468473

SHA512
49be490595bf0f89c0b6a81d6a39c2f4e17a6cef63c67643c77eb6d2f7fef91600b7f935f37c67b36ca4d6d5584530365c8a9ca1ec83e5331ae5ee2a5924f0cc

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
636KB

MD5
588aa539657d9d07d20d5be893071162

SHA1
4a5b15bf48fbb55be08af99791243b9fb92e92e1

SHA256
272d3817f9605ba84783c482d962e58c7abe3435153f711ccfd6627d390be2c5

SHA512
9ec2f08de6a51cf42005fda6c9e86995507d2070f5353131b152f274e1b57ff63ca093f965b03c45a65e88a07b28d5bbd57f6fd88396258d77a75368369134c7

Download Submit
C:\ProgramData\XMEQoIQs\PWgkEYYY.inf

Filesize
4B

MD5
b5095444daf5a82fd44c75d01971cada

SHA1
9b2d78b91880d310fc2657c91367605c9bc4d3de

SHA256
048cf5e3d26d60282130b4b03fb5e96cfc310c91423dee58d77eebef97241d01

SHA512
476db5d26d277496a2315b048418a804377d11300512ebaa6c230fb23f4bdedb66bee86f4328ed47a336a24de228682d1b080aa650938c1b19de395f8c5ce92b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

Filesize
201KB

MD5
faceb7f26dd1652bca9e39c88b702f1d

SHA1
a6222c62e654e0ffc8cb666fd8ddfaf666d49e33

SHA256
375094ede4a7d9597f2382893d4f2f4b329c252ee2840ce5e36ed4e469030c2b

SHA512
57e19476661994ccdb78860aec43a628c1ec7a3570c0134e9ec5ef0a05eb3556acc766914599370514b0aef9d1937f243a3330032211c7c9933c14b75911e3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\54f18252d65c0a4dcdf360055fd4bf82_JaffaCakes118

Filesize
5KB

MD5
ce1e5810d7c9f27a6b139b7bb5772198

SHA1
ec7dd31f242502ea55223a00c883044cba378ba4

SHA256
0ae29a2e9fb4ca75da5145ac86ab6dd9f12767cadb5bc6a9aa4b1036edc128e7

SHA512
44975121e40b3fa90d1c32ca56e53e2fcd5c768e64e22cc9f9ac73991b1ca79aa9745136b7dea10bac6c88c946af0155ba2abb91b14eb182dd1e69c2a718a63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYEs.exe

Filesize
243KB

MD5
589fe3d4df3a110a0d74916673696e2a

SHA1
06b79b952eb59cdff255f2e3d3c3604850837400

SHA256
d07f44b8dee93a1f96d0a5d0dfefaf4bafeb51e5e05225ee18955b4ba5a41e32

SHA512
35725b25222c4e31f4e4a11f396b33911d9a31b0000202843d288d044df7179783665c1e31576b85770bd3036e4488365a9176f70357198e1cddba992b6d133b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYQi.exe

Filesize
409KB

MD5
1ee93d2f4ecb2ce6e4bc996dd32a8cac

SHA1
ffd998d1e6add3c00e5633e84c10c83e23249e0a

SHA256
f4e1d4d82c15166d2c20dda81e76db382bb999a869827b082321aae5e8dd9983

SHA512
b589bdb6d86853e2e4d540c1aaae15a3a505781e825d70e157ccb935893ae8c06f2b7163a267a8499e5cf565c84bafaed1d414560d779f7bca4c377d71366c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYYM.exe

Filesize
564KB

MD5
4c25175b85502bc0e55e6d672110aac1

SHA1
0673e986a9bf38827afae5d1e86f4d2b20420ef0

SHA256
0e31d1011a70ad36d44846a6b4cabff68b0d35dd5cb24f2eb2887fbb618631e4

SHA512
1ec9fa6bc8617725930ada7e5b2a0ffb2ab5dff720d43a1dd7ec5b968ae5bf35186434202dfab07012795fe50c374152d34a6b41aa497e518dd9f9d869dca140

Download Submit
C:\Users\Admin\AppData\Local\Temp\Acww.exe

Filesize
228KB

MD5
608f929c3de0cb706241742493ad4c29

SHA1
b00396e4491aec17036f6a2b346d4c77a7946dcb

SHA256
ccbb4ab4ac4fa1484dbfc91fbe0993e70f40e191a228b7f30a7be8b622670d66

SHA512
872af429349b9eb8947d49c406ae249459edb0671e6deea92687772b6c1ef13b5df2415342e89c0904070a47aae9362f99b25ea9ca971edd34076371f93ecde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIa.exe

Filesize
240KB

MD5
d1e7cbdc3c07adb2b561f56cb7f1878c

SHA1
f39bc83eb2a0833de53d49b3b14e5cf6c854a79f

SHA256
e3e879d5bc67182c6785d3592c4241821954785ed381d072a53b41fcf67e31f7

SHA512
1315fa6d1ac57b289a250c9b63587f0a3c76e0183b1a228300e647ab909a687849c5be549145604d75fac3443e48315c259bbd338e7e787faf665f958b51198b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AycowEYk.bat

Filesize
4B

MD5
48216b6bafdd21c7212408a6280c6972

SHA1
4b61feaf9033b6b0127de9d83a2f9b48b70ffb93

SHA256
282d95851453075e6bf7650aaefb720ceca96aee6ecfc4d3ef899889976dbe86

SHA512
9491adf79cc97a86c9ad084c4059e0d9d5d2b9c921f9a59e1fcc8920f91caa11cd8969fef14d9f420d4a028797595739005dc33e4b8d03a7d9f5265e9eb19526

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIkAUscc.bat

Filesize
4B

MD5
c44d0fa580cde4719590c5891dc800fe

SHA1
91f8b3bed2fc44ba7f52c5a5212aeecb794cf1c5

SHA256
7830f2d306f0e85e1ca662674815723383cec81051ce176b81a23d0a792c5863

SHA512
8d2060b3d1e8e02d15e736c6395158ead977957db78d867f995ade2273e4de16512a68987e3427d715715b1a80e248b2fda243cadd809c64b78d434e0cb83c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUYe.exe

Filesize
230KB

MD5
3a8d51260674071ab8901ddf61e06b82

SHA1
a6ce087d65571af81a79fb43be6e10d635c7328f

SHA256
9c3a980763c39f43d6587178da6d91ee4c1323b0eb507f01eba64d5032726572

SHA512
645f6a109b52bb7e52a3c4927304da6277b9fa0604ad2c7cf3d3e2b5d4139f8de8dd7917435545bbb01c606af93b8f96382a95bd5faa7884128515b03bcd2e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYAW.exe

Filesize
729KB

MD5
751efd040e3527b803be6d11de57c217

SHA1
a9d0935e22cb1aab088a1a6a93f5ac1e17c3d3ec

SHA256
9080d8feb1e32c964b7a165dd22cce2e6275f45b751a3abe39fd379c2c8956ab

SHA512
60a1322745d13a677f34db3b8156d60582e6d66356566c1d3e4d8be9a5227ee9331f1ac9bff068b4251d4880faa37a4d8748f9ade87315a74e9d0da1510e9062

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYMW.exe

Filesize
467KB

MD5
e1792ba8e5bf18c9748dd6217a390d60

SHA1
e8cd64408d3a28786049edaeba3188f711f392b0

SHA256
1a451a3bdc0018008443cc1b8d1a3f211a0173edb494f21d3a5e101ea08bf9e9

SHA512
fd4f55c5104e485dbe3f62984f54f251adb29bf71a0920f56db2c57f83d4d74a214629d8a864d5087b37dcd4ca8d152cf0e67b1c64c86c5b960a9247e7b7a8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYUK.exe

Filesize
241KB

MD5
5c18fb29041bdd3219c395f6b51b600c

SHA1
b04279bf819fb09d25fba12211e8699c59f664fc

SHA256
b4e3870200479c12da930fb94247b74095a34f6d1e745a803099077e8f68f2e0

SHA512
079cd6a0057eb59d8390c073c8f6948f962b8efd78dd9aa8a9ef01a3d143313e19251dee1f520a5a02a1b1b765aed9614a7cc054426f96b9dd55040fb552105b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcsYEMQU.bat

Filesize
4B

MD5
d83a15fff09cc769c0b26d34723e6cf7

SHA1
dfbad9103250100873bc50a28ddba813eed686b9

SHA256
98d720262463ae229165957cd141fcfcab685091d4c44eefb66e9c76041c0527

SHA512
d2f5c1dbe4840946d90a264c16d0c2846a0cfa8fb803a9466820f4e6bc6173cbe9c0a8c705e89ce4779ed3baf25d7e91041353c1df799b55e6c30871a5258784

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeMQEIAs.bat

Filesize
4B

MD5
11f6cf7193f35ad3462b0dc38906a6cc

SHA1
631c4e8633c59f5f10afda9e83e4c12040e0d0d3

SHA256
dfc5570eb5ad6475eea4aa2b7705156be2569f069ed3cb4186d7d64fd7f96e10

SHA512
7664aa850790cf1102baf711c4b7b1536117ac5d636d1f6cc09fdd6519d2f8e58ff929afa904e68973d4908ce1975b67128eae61058244f1d280ab219178805e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUooMEow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeEEUIUA.bat

Filesize
4B

MD5
4e10b35f0330c4b7c6ebd16c66a83e29

SHA1
9a83bdcf6aef3b442ff2ad2d2d912986b29ce4b8

SHA256
a3f4756b345f8564f2afe1a28558ca22fce205188a21a5a55f01f4ab2660c188

SHA512
a03e00549323824ea1bc601858c59cff095a5c88b2fd048a53f5f7bf202f75652245e7d9d42eefd3f7bbf51221b5610f4af57e30153590065cae6863da092a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkwEkAME.bat

Filesize
4B

MD5
afd9cb6d2a9cdd5360cef772cb7e39e5

SHA1
edccf71de37a24f079e4fa8e14c9dfd22fdc56e7

SHA256
b14c6ca8a8942bf9f0955f2741be44838edca8ea40629b95473407def85c8d5c

SHA512
9744bbb7752472f7b74802b1a9bcc2c75dea2c70109aabf74afae4acd402cec05d4ff3552fd63da6a71044f4f2f8a67ba62fcfecc88e343a64fb63c5a131c4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmYAwQMQ.bat

Filesize
4B

MD5
8a8fc0764c44cea0eaec4ed964a17a75

SHA1
6cbfb479b261d55387a36485bac5f51688e71d3d

SHA256
487021ad64f9636ce00d78b14b54489d8715437ebbcb8c3fd5d7614eeaf1b2e4

SHA512
249effe00bd2a410facfea8dcf46dc46da85521a98a17de90f223af08b9469296a744b816e1e137fc966681faabc504a57eb043ae274e3ea9870749efc2818a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoUwkAcw.bat

Filesize
4B

MD5
c87bc08b176bccedc6146fb699c91680

SHA1
f389c1a9224727246cab350b632eadeacc5b1d75

SHA256
b144858793ebaf611f5504f62cc1353622bfe6f30d7f726b7148ae168bfb8084

SHA512
5e72d14c7d9c4555eef4dd7061f74200f46538d97628f956913453dae0a89452abeb8a10f395969238c38cd37634a7d4fa786b7894963aaab5c59058aa46f37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIoI.exe

Filesize
314KB

MD5
70709d0f17d458c48e22eee34a57e796

SHA1
c91f9f5e21957db803efd827edf3cbda7edad2aa

SHA256
81511b0c7ab9368301b25bd81b2146f54a23eb3d4a137a89016b0a8df2ca2a24

SHA512
c35c30a1f0062757fbc1320c49391076e82f947b17a56153024132c8898e9d6e5a5bd3e8b12af18f3790c3d19e411d1549153b38abfe11afd14cf096d2903c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMUa.exe

Filesize
328KB

MD5
adf413ee1a77dafc89efe26c2c382b2a

SHA1
6996a685a96177b63789d9ff59e7efa6908b8ec9

SHA256
e705c3ff897a989972376dce1bcf3bcc9a1596330e52e27af7f36d3778c49bde

SHA512
df9a3dea7f65313da7f9abb4cff291cd4910d68e913ab4a82e0469b44097e5442eebf48e43c14c5e92a301d9cb2b2a1dc9add14d4eba4f61552ccfc50adca922

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQAA.exe

Filesize
730KB

MD5
91c40802f53300071d1d3a76c6e77e37

SHA1
730119343585235826408a39468280ffe19d5f08

SHA256
3bdf6d938a1642e04df331eff7df51494be91a0d300ef2ed4183b4e021a14c4d

SHA512
29861fe93ca6aaed6f45fef08b648e285bd3985ecc9a2e61c49f18ad3f331e04da05623694c5f14138a109af122e39c7393529e33552bbad3e9bdcdab84fb62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQEk.exe

Filesize
944KB

MD5
3941f13212992ddb42e008e481467420

SHA1
1deb2fdb106931e0c60a5abab1490d5c0ac64b50

SHA256
a45eb524ae9a48c6519faa8a44191681cfbb9bcb71763d67020fe97efe316b8e

SHA512
4367f0c4fd288848183580da7df447242e9e44297e4573052e408788e26b7938fa784bc97409caed001f606a1fbeac54f9c5bff05ef7af3716f2d3068cf5ec12

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUYY.exe

Filesize
329KB

MD5
7649c3528836617f1eb3e380e0b208a0

SHA1
78f8e7357b5f88709a0ee4fbf0b2b208a41124d5

SHA256
a3f81c7cbbc4e2e1364ea212f4c4b86c1fa8c4fd7b6b2f0a51479dae08d2d0e7

SHA512
939a45d85e70ef1068d76650874470e19c9c8fcd4e08f02a031d495352a338404dc313baf849c8c7fb1fefde9f9b4b88ab2038ea597cb2813948cf1941be63c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkYq.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\EssG.exe

Filesize
243KB

MD5
de71a5f4a0b8f879bc0e087fdcfe16d2

SHA1
8733203f5c6253136cb19a65b158be867b8bb604

SHA256
47443e2aeff96570c4e5c9e35c14573992e7f87c85150d99e44cf1cbd6861939

SHA512
c5c1bc583dffe521bfc496295e1533599f2cfcad6462e92650180aab01789c4969f457125cbe34d96171aaf220ee77e65f2cdf5c4f6d15edf3bc7bdc18dabef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMQwUsAs.bat

Filesize
4B

MD5
cff24c2fec69afdad915e76513016a05

SHA1
fc011fa7fb217db48af72669e0fe0f93ef6c26d0

SHA256
cf73e1943045fab77212ca437e3b47061dc5587f82ea04ac169bd68a5a74ca08

SHA512
4d41bc0145db8e42572b110673a8b4aecff25fe82664cfe3f23cbf7e056d4705c912683f5737c13d204ec8be509d2d5d647f16656d442328fbfed7c6c7b35dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIUI.exe

Filesize
792KB

MD5
4c4935a2b0d92dd1267a15d3b4f28a9c

SHA1
aa6a903bb333d504b127488dbb080235005cfb39

SHA256
52e6259b98be1cff559e8f5f1c2160303a262766b5e8869d79796edae583226e

SHA512
f67990e140a6b646e39663c16b9fc80fa5815d432ce640f98a4300c9e1b856d03513cb426d2c7a71c07fcda24bd18291a8e3059a9eb1ffe82c9bb55eef8cef13

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMYi.exe

Filesize
247KB

MD5
9c967fa8a239e6340258de034ab4b054

SHA1
9a0521291e43fbf4f10c79640c192d7c1b1482ee

SHA256
19a9137532be4a32c057d9b8ee4d64cc11eadff04f06e9490b3405db767e7308

SHA512
49b2c6fb11e32c9c8d410d3da64674234146d09c081fe955bd47ebab9d96fee09557cf9cebf6b1585981ac7b19df9ed09bae59118c6b099bcfee3bfdf2bf0502

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSQccgcw.bat

Filesize
4B

MD5
0629b515cd18bb3e3d2494c451340213

SHA1
581f2621108a5d005465d648823b4449bfdea9f0

SHA256
07e65437972cd0edde455a1c8bf2145f91aa1809d95f00fb723a6a961997cd02

SHA512
9da21f8f05af2fff5ddd1b9819b8230f89751636170da4e2a62a2ec2212bbfd131fa6dcd3b0772fd8d03e0b29c3bd5775330a62d56fe50b0c49f16ad48c20470

Download Submit
C:\Users\Admin\AppData\Local\Temp\GckW.exe

Filesize
636KB

MD5
b2a5d9593484a5a2da0224bef339cd36

SHA1
0870cf947b5788d05022aeea868c831dcffe62f5

SHA256
c40985acc7b99c125f7722ca6d9da631778d63d686c91bd8495c727b129ef015

SHA512
30de502ba445053bee2c10a2b50be3fbbb7e823b8453809e7c71e63e6c9b838dcdca0940dcf30ac4ec22cc503665f7be94224bbc2cad4bd234bfca7245c689c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgMoQYUs.bat

Filesize
4B

MD5
6d566d6525c127d98641afcec9128dc3

SHA1
c765c718af9b3c9e025d778f0991deddcfcd31b0

SHA256
86c0c0d0e51198856b14e2e15626ae83f2bcd031570789b45e81facd14ff7e6d

SHA512
33d012db6d2521b70846017ba732b93103a6affb3840c9204fb8ed37723b61fe3858f87cf359991a6f6bb0eb3deec4c7cf87616294348ea8e031addbd5e4d797

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgkE.exe

Filesize
4.8MB

MD5
78a2fe0d5ba0706ab133b971ed98c935

SHA1
a7a0ac9d2b5a056739667c02cd3923af68dfd9cd

SHA256
e7af23d585631ed80bb9343719571ce2d4af27002ea217bca9f1cb54dec52f10

SHA512
82ad256998c755a229d66fb3834688d55aa6b1c86bf3d0cf0b648dc535f5167f6b9fe774abbdac0d7ab71fb6b5882c49f16892051d611c0aafdf0d288165bec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkYYgsEc.bat

Filesize
4B

MD5
06f09536e4cb8fc7cb85e0698988d439

SHA1
66118a31f6c1ed745b174591f8bd5a570ac828d5

SHA256
6ac29c9a6cd5f84272bda207cd5c7836cfae442d3ab185c19c17484518b05905

SHA512
9739a7425275d73baaafa0a5b9d1e7ce934dc2ea68e1a2eaa4853c2df3cde52483d39383ac6f2084f5b8d92ca8d63333042a422f77c4f72e1cdf266dc27eec92

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkkEocoU.bat

Filesize
4B

MD5
ee2d13d09067ff6b082f4cc004e28d1a

SHA1
48ad79f51f45c0410bfc6b03be0632a61fe57095

SHA256
09ef2ca016a475ab766e8d1808c84a7b5b3a07450a939161ce37ba022884d0ab

SHA512
cbcacef82959ed63c7e37c08422c0dc9b5019e9c9af32de6fa97681fc135996cbdc6bec5c4ddd58ffb8bbebe3ae22c6f8eedfd5b4bb5345d789f3287617b67d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeAogYcs.bat

Filesize
4B

MD5
1cb92851c7cf2a0c84e2d05a03bc57f2

SHA1
58600524a9b46e92b22aaa7c576b0a37d606216d

SHA256
a936570d6b3b88e1dc7d2424093fd54207eb852fea01213b32ab867dd1871e19

SHA512
747b7439b3c0ff065952eaa79f073080508ccb799712b98ac4660ac1b92dd76997cd4b4bf1c159768b36db4dd91699eafb1513cb4e95ad03db9c5d77d2d45a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\HksUkAww.bat

Filesize
4B

MD5
518d0e0d69ee839dd333d1bc435c60a3

SHA1
e6ee7d1a8fced7307d3bd6d268387cb8df46a0b2

SHA256
0f5806f989f4e89220c1873445c777329793d3e04faf7cc6321d447745c332b6

SHA512
7e4b520ef149310c7618b9de9c444dac9c146fd93e9f3ce1f65de731972e47afab1a9f6e357262f44cf5b2575a0ef2f131f07bf80a7766f44bac3a012227b80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyAosIwc.bat

Filesize
4B

MD5
aa2fce6cab3a6a5afcf6a71862a4bd41

SHA1
ef911be51492638cd7eb5eb56d9e514bcf0185a6

SHA256
03e07fea68dba2124fde540342f4db99ec46b7dca122d4d8422bb4b6b3b4db39

SHA512
203fe82d90d5b6dffd35478749563f9736c715616b23739abcd8a32e8baf4c1f70816f06fedd4982d4c0d91cf662a8bd11d2fe920e568d76c71c6693671a3847

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEMK.exe

Filesize
240KB

MD5
4e95693ea48882fc5e60efc5a5af5623

SHA1
c3620f41ec20eb96078fff85684d484fc1b408c6

SHA256
5fa40e83e73768ee50264b05c016ebb4a0259513ddbd187f0ac478557154df62

SHA512
5b6b5ee14a72b835192b3711ab234f9c87db5d2467847a4ca4a96f93d9d24219ee650c8a4010a4f45e4b3ad565961eae1a9b1d516fb2ce730e9dc9af0887e6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGgEUooY.bat

Filesize
4B

MD5
f8d8f1d91e50e4d25d233d6289339128

SHA1
8e692c9905820eecafa722f621d336d22514dba7

SHA256
4d29cea32684eeb0d00f95424a152ed8f363449c2827b790911ce602fab3eee2

SHA512
d4cee281ae175cbcca698de833290c6019d493270ee30ca83b7b84ca4832302e043c8698d099d94b49551f7f6177888afc2a5740938478343d175bc9a886db62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUoW.exe

Filesize
231KB

MD5
b81a2d93966c2d29e23f3a4b89a07d94

SHA1
71f0849cdb99d1da9d8c2c474b760ff552ce2684

SHA256
5039d8ccecd97723a160a618e52e8f602f95461c2b50d4f8ff016dd7ba7379fb

SHA512
16ba10511fc9634d256fb7208139dfbe920c45bd4fa7409810cc746d1df4148f34f020f4924c90117eaa17c9f0e944721a9abbb14e38c7ea94415ff451fa5f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYAUAgQY.bat

Filesize
4B

MD5
59732da5353dbc378c2a869db696f225

SHA1
e130d9b3fa57b04cf2298d043e726ba3bb0d207b

SHA256
f47331c1674f16c7031750f077f7f9bc7c7908157838860223d3bd77a50c617b

SHA512
06f8e65ff56e0827630ec7fb4683dc21da16c0588ba7e8e53b095b764a954beea1efa8a98d2ceef5a9a411480fe3308ce674d592ca5a542dcd83a88d580c78b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgsW.exe

Filesize
239KB

MD5
487901eb1bd09df98a038fea6f7581e7

SHA1
f32c12beb3f29355ab7eb3f4c7d27f150fc8c103

SHA256
3e2b52afaf4957af39a1b56a417d3feccd8ac7add739cc5215fc917366d8f4fd

SHA512
41caa154e64a499fb29760eb18586cd3557ab310fa0ab5ae18019a565ae4fedc399d829f669f6291799df7e6c88d613edde47c96737f36242d5be780b2836e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoAS.exe

Filesize
314KB

MD5
0b042a08ae793f32e34f6290b5d0caa0

SHA1
2874b9a0a6746fc47f9a99bbf69f8ae1f28a45a4

SHA256
8dbabd93b7b4820b2ef90ada561a54c5abee6db2d3be29ae22ea71e8260b6d85

SHA512
328350b38d5308257fe32fb3ea520e49701dc2e8c376133d3b4cb35ce2682018f87a9919f5d5827dff0e4a102925e00c133bb37153cc872857d517ff7e82799d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoAm.exe

Filesize
229KB

MD5
e49a623e785be52594d414e1dc557846

SHA1
a2e366306931e93c445677cce70ab34e4d6597be

SHA256
c6468e018fe4b7d386575532fe9d244d05f650ed3e65b0fa04159eecf4d11881

SHA512
21922c96f881775b37e3b159559d0504cf7e2326613bf0b2029cf0b347689c611fd6c35dedfae54854d6d00f8f198baf6c04390a3557736eb1ded38f96f56039

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYAsUoQ.bat

Filesize
4B

MD5
4697d68968247850d56e83c651979d62

SHA1
060cd8b370247b2a7b78611674f5b42b77b2b390

SHA256
faf455cb6adb28521fb66f6e53addb570babbebe051d8f6f7f7d3d90ee5433b8

SHA512
0c065aa975886ddcbec09f57f463bc6c7aca677b8dba1a092afea146fd553e2017af8bd6e4e873d0023581c6c3dec76b346efe2118a871ee08dd8cb7214c7cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAgIcUcQ.bat

Filesize
4B

MD5
08148a9ff2bfb7d6ca4ffb30da8ccb79

SHA1
a67dfe3a08dc658a9f9ee2e6b79c634a86eb0c28

SHA256
74adfde7d8f51d46e0ea8a4fe866f903d2c82634120e1567f5f672df47ff6bca

SHA512
09bad481507a6a16bbc20cc4f90095dccb79bd0bd1fed9bddeba0cc2a36ea24950034c091c23bf1526c71f5bd02b5bca62be71fcac70d2efb495af6346dfeacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKQMosAk.bat

Filesize
4B

MD5
feb5129b8bac2843c77a47ee0922d6ae

SHA1
775420b91129844c2f65da7e26726293083d4eb8

SHA256
b401ff3160df6b9879cbe8f5c97e18f904026c96d2b56f5ab7d31960bf827b7c

SHA512
569f59dbba24325dfc3a26d8a144d894dacb9e0dbcd5c91f63ed15565a632fabb590be985c2ed4b8277095a3d0defe937670575616281f3e81f832356a06c5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAYa.exe

Filesize
214KB

MD5
6a799666aa7b78caf12168b684b0f6c1

SHA1
cb93806b1f78102103dbe064ed3d4f0ad235ee78

SHA256
64a90fef57a99a571eba8a08928a307e35ff6f214bcf42dc52b9727134303c96

SHA512
b9bb2ba23060b56eca0a083a2f7d1b54b4285764a0c2247781a7cc4e60880d979f15d1f202b614ea4d3928786fd2c1d84f24b7640abe77e9610b13980d575ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEYw.exe

Filesize
184KB

MD5
d9c40be5a2948bfc1b8036aebdd342a6

SHA1
920977c566ae825df226910ec3faaf63d3502429

SHA256
c51e442c97eded0662167682295634b20eb1f45858d4848b15d96e583626ef0f

SHA512
dee74fdf27b15a65f846bcc42072f1d71e415792fcd6e5a529d8686b534bd031630a7cb38ee312f12af3a435e41a5e55dbf6fc7f32273575b17ef6cf05624ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEsq.exe

Filesize
235KB

MD5
93449b84ad03af7d2d2bf00e22bf9db5

SHA1
03b28f4cfaf745ac40492c31c4a77cee893b4e87

SHA256
3fcd0d58295124dde877b80f6413ee3551df96477e9c4aad83b6b75816bff8b0

SHA512
a18c28e6b0433e7b2e8806d79d07457160a4a7d77d8de3d567a872405b3b867f991d5081c4295c7270752d718c46489b4b9c3752ed11e40ec680758f234ebabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQAE.exe

Filesize
182KB

MD5
aa98e665121243e6ee6390247a51a5b6

SHA1
24bbf0ba6ba11dac21da1f494d4fa29be7f34bcb

SHA256
91e8589fa2ae9d6070bcaea5cdb25b36f02cfc2dff43c6e347c5f0bebfcd8842

SHA512
0807d44ebc130389eb5d91a422b69cc5ba817d4287cea7ef5c31aeff81fd9e652212efbf81457c84580660b1a7e3a60e4d3378ed4805da025521797463b4325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQEwksgg.bat

Filesize
4B

MD5
fb3c4b9bad29cf2cc52699b87e9a2cc1

SHA1
10c8ca5152ebc51aeac8f2d95d9bdda762e8d57f

SHA256
520cab138f9d20b3e5afcaf481c49c04820a139977e7b0d2bda03ed7b9823755

SHA512
0d1daebb56fc75be3b25d37fa674df393dc002d807d8136af73d9cc0af27978b5924ff0bc8583fea9bd65474b3c5c49728314b9897f72a564bedfafb8dbb8f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQMA.exe

Filesize
228KB

MD5
a435dc5f405f7893bfd7e7f35a135fc4

SHA1
901ea5c796c8033ebb11e4b34408f9bf6b0f338b

SHA256
27f3cfbfb2221d8aa93b54630b79d9bcf8148710ec3bb4093a13f1a7f2776c01

SHA512
9c06558bce76d23a129ee8b0a54f1fac9eb1ce7542a0d83babbc5afa77052c5d9a13116cc080ce3949c09f3ef710daea21501dd7da999a91f2ab0765e371abe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYwQ.exe

Filesize
185KB

MD5
779a86269ff9f9779ed47be1de43593c

SHA1
ccfb9161be71ecbbf126fb0211c22b048ecdc8fb

SHA256
e6e6e031e4ebc9e4b8ee73ab8b9fb3887002ce3a43f60819affb2237d347c87f

SHA512
bb0ce89035980fd37883d730379ae5a6addeb385038a1bd8ac21e70446a230b0d484507e52f00b7bb1d24d4c1fba6c94fd6b4a4bf4b3a1aeed237569b45eaed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoUI.exe

Filesize
819KB

MD5
823b12d3677d3f5906b3dc7904ea1625

SHA1
6a741d46882ba234a0c107994902d686289badf4

SHA256
f0fcaba503ce53687a51175e9e9f253589bb5d2bef96bde365a6895c85d4558e

SHA512
c75cb7bd30c9ed40715b41817be7e6e28610b3bb450434bbf3ae90fd94c95d7d3891bb6273c73c143713c5933683571422e357922a825017059a6eb091c62e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAIs.exe

Filesize
191KB

MD5
289450a62f8576b3175721c7bb79eef3

SHA1
427448ae568f150f256c87dbe5b8844d33c1a18b

SHA256
cb0ebf69cb782e1107b8297fc9eec8c0a43f6942802e18c843e1eece26fc6a4b

SHA512
4144fc1900bdc79cb260ea0e13e5eb0fa81acdd9d476ce684309a049aa5211c71bd5fd2e6495424cf0738115c12e4b64ffa1c147d32d1487a3417e8a635ef2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEcsoUEk.bat

Filesize
4B

MD5
4d0d254faadf21586b34dde6414d89c3

SHA1
965fbb7208fd4f19b40ac9b518cd8aaaf3df642c

SHA256
c43db941b0f7c41931e2044fb93616b7b51281deb0cabc98a6fe6e19fc6f66df

SHA512
610cb465164dd59861f7232fdc42a7f2f3cb22650592966c4d33f62a86b02b9c8aca745b21452e1ba77304df70a8c864ab4683858bcba7aa47aa8f5e15571d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGgIssAA.bat

Filesize
4B

MD5
178d96e98eb80a5926c9ebe7818d7dce

SHA1
90ed2211c462d549b4c39da863fd4fe8f3a7472f

SHA256
70fc87e4e3ab26fe4c5cc5f15a09ba3b38b585ec6445feb5bf7542f4f15af928

SHA512
16c738a1574ce59997797cf61c7b209b1bf0d9b048bb498f815d2413366a3e225e6ffd71d1c61a701c64fb46bf44b5810bda7ac6581bcf3e50440c1b5929b756

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMg.exe

Filesize
193KB

MD5
369bbd1e59da61482ee08c09cad052be

SHA1
90b5e58ebeb0699fb03492d1d2585bcfaa08a82b

SHA256
02208c52a9fe36693bb2977f891782f38c0f7ac5257f1e79ef527a12e1069067

SHA512
a4a62af475537868681edea0319367e0708fe4b0c0372d7630904ea90eb29d65eaee13b0d9d194c7d764d1258292c12a7442665889ad9f88d3fb162ffd4c194c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUUM.exe

Filesize
185KB

MD5
7aa61cbc47e1dfd964fe9fc5d572901a

SHA1
4871e0748763e81eb81f1b9e978eeb422ad4fb9d

SHA256
97ed8572a091f10062fc70605dcf246439eb73aa5e79de94fe81207a944094b2

SHA512
13688cff99dad0511eadd7c8dc11fd4f5239a3787970a731682410b60a9b536f1a6b98f150af4525e45009ee72bed70fe7f7a0a3ee900776f230595d94655fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MckG.exe

Filesize
223KB

MD5
663d44ac5a9ef721dc02d4ccb000a750

SHA1
52158be2185acdda039bd59d4ea22a522f9102d1

SHA256
ac0f5d6d066f9bb281681a07d4d69a25d9175b252aa9d90803d1adb42f06772a

SHA512
bce32981bcdd1a1535f8996bb68950beac7a00a38e280edbfcf9326ef926aad6fc8ecf3fc7e8ca583f2899655db64db82f5b1ea3cb2bfae063d41245b9d1f6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkQYIMsM.bat

Filesize
4B

MD5
1204629e2a4c719264bb4d3a1a13b73c

SHA1
bea49f1f08cc7fd4fcea3d4664c180375633bdf0

SHA256
279b9440a6785271becb56add08a85acebe19438dced26a2b3faad12c32de6e5

SHA512
1c547209c3879f58cf095031c6a1f84b5ce557a354ec0e5790f1444138329552b5c9625ed85b3d6ff5b0d81d440cc729d0ab6bcfcb0916420bc2b0ebecad30d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkgK.exe

Filesize
248KB

MD5
d36a876c5c25f8cabe219d3be8f91dc7

SHA1
6bace03ba7e1dc5f6114d8ad6c2ec27620819aa1

SHA256
1982fb2f041811573959a2b587142b8e315d71d3a3a1ecb30b460e69fc06e905

SHA512
e890450b4d6bca8bea91a7ad25dc5ab76f290ea926aef81552fafa1483167cd03c4d1325bd7b4e773c7136827d6496470cb4723d0887cd577527bb973bbcda02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mooi.exe

Filesize
522KB

MD5
37f5ab03de9bd55a49e155bebb9191b5

SHA1
792e553a9bbc060c50330b7348974ca2a211a894

SHA256
4021512018bc0b9e6e0fc5c2d4e4741e9570d00768e1eb442b7f684ae5801e87

SHA512
2e130242c3a48706a814861a488f6d2391eeb2291683d3241e493b03d7b774be3311155bb28745198f4a9d284a7ca11a2bde2d3d0bfb940f8344a39f8042b27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsEe.ico

Filesize
4KB

MD5
97ff638c39767356fc81ae9ba75057e8

SHA1
92e201c9a4dc807643402f646cbb7e4433b7d713

SHA256
9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093

SHA512
167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGccoQIU.bat

Filesize
4B

MD5
1acba6cd3ea146f507bec7792098685f

SHA1
26d00ee7c4f6d554a85fa1f6678f2d7c4de242de

SHA256
a346a696ed3d1cd4acd82f07568768d793e9f452d434d67bce449fbb46fe8962

SHA512
6c60c13a03c33103a8c835bb4d9cfb70cbac29e92f9d4a6a64792617ac8c782d7a68f86255cda1a37df4f6d243e67fbd76d9ec7fc62e8895f37e7dff17d003d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMcooUoE.bat

Filesize
4B

MD5
67a6a4b382a4790a07455b2db78c0730

SHA1
708dd783105be498e6f87637273b8fb193cbe679

SHA256
054b6343b032133db1980bb5ff5f89dcd4f7e8ac201121687fda5732b5cd76d0

SHA512
1db2b262c715339cf4522741e4fd0bf6227fb10feaefad89480e0f9d5f989bf1eeb3a569deda29918e1ef3d5d438b3913ef5cfdd06acb70afc23d77e27c84013

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWcsMMwo.bat

Filesize
4B

MD5
7d4e222c6359dfe920810418d19bf69a

SHA1
01b94bcb9efbb3a28e332ed3fbbc2a2274b14888

SHA256
75bbeb1d688b8bde8b43ba15dc62aac172bc493fdbdf59c6d8d856a8f798010d

SHA512
20dae22320542057f4677a753c7485894d85377f3be34797876517acf9ea54e5c99fdda2b4146cc6b9c73a7d306154a27fe6eb1f73d59b1af22963af70b4442b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeccUYwI.bat

Filesize
4B

MD5
c33e1f2a607b96c0c023fe9d6c520f45

SHA1
2e492b309042cedbeb6e08e09fa6977caaef4733

SHA256
2cb2e4e5c9fc14da5be6a2a4b478ba48182b9a2b331f6843cf78cc0c1133164d

SHA512
506f6e34def6092304ef054e4399ab80ef91b162bb0fd9012f8ac803a4d52d7d71f20ead2d9dcc102b96d6abd3935ed1adc1fa56615a66db31cda7fc5202cee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEQg.exe

Filesize
457KB

MD5
2c5a0ba98057923026db94361b87b2f2

SHA1
f7628e99521cf12f4bae19a078619aa03649f6b9

SHA256
40627fad2475192be4d120178cc3120499b6f69c5a73cfbbdfb187da5fe7aa66

SHA512
71ffe6254032cc13291bdab7a270065bcfa3d0f2eef436748f1a5e7b2582c2dfec152171790c833a1ee7277a1328326615619f596446d4fc3db3ce7e9c8bb499

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIUm.exe

Filesize
228KB

MD5
ad93d0360ef5bf3254b723d3818551af

SHA1
cf2dea1bbd67658dd54976f2aa337bf2a76fe5bb

SHA256
f194a7285af33ecdb71e03bdf2b701086aa1004783fc9652995d70c62188bc2b

SHA512
138f20cecad8a847d7bbf4398288721cc2cd11e1a662015a57a098b288b6d0d4639c32c05aa27a0d857ef3216995dae480c2ea5d16abca2a9906153b98149fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQAy.exe

Filesize
200KB

MD5
5f0b894c792fe10c0cef033c7cbd4f97

SHA1
008d2706eb10679570498bb626c419df82fe44e1

SHA256
d829b7706652c38c4ed1e5a408e45e5302bc909777b6f100560a3a16eed6e8d1

SHA512
7cf3ee9342c480d827cb1ee098c3d7c7cd5fa531a89a943f878540929b13eea254fd2358a681f3e80a1c1efab5cf0a4f41596f3cb4adb2a0b784890bbb101683

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcsQ.exe

Filesize
227KB

MD5
ecf08022afc78a3b8911e19aaef640f0

SHA1
015383667684a4e48090e0d5d162a5bf9f31b284

SHA256
5403f88851c78a8618f043d248a6f846179484783c0e40d50d0bffff17eac459

SHA512
9a002ac87c972e60f505c0760c62e1afad8d0dc414c40be63261c70f6519da2e38d232127491bda0c0f7391fb4903cbab3bf15d9e99de25eb95bd4f0a9d82659

Download Submit
C:\Users\Admin\AppData\Local\Temp\OicQQwwI.bat

Filesize
4B

MD5
33d0c72df5fbbfeaddf00b3f67709bba

SHA1
8b9fbb5b9ad22aae4093c3c4d0862f8b5e52d899

SHA256
f9cf95c5fdad30e79d382e1714b49f1c7fec3e074b6002350c021b7d17f1f612

SHA512
07f4da37477795303ecd8a181a64ef7045191d51c4c8d809f07a16ba07342859e15cedf8d816c4ad07b4950cfa244149dab8e11028f4ffc8ef50f1de354dda1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkwggEMc.bat

Filesize
4B

MD5
14800b8df9b1aed365e9c2814e034892

SHA1
94ef274bc4b930297326426a7cbf3454385f84ba

SHA256
8258a2199212340810ac4b01fa6ad1f7d39c5b91bf381282c7264591a84665b6

SHA512
c91a0cbbe691b5211a5a2bf4bf1fa9bd58e8b021959bc7a6de28db5ece1c52f9c2758fb7e9ba246b8c82d35b40be2863b357d3c9dfd08f5fa334090d0a4ea9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSogIIgA.bat

Filesize
4B

MD5
730d41af2b70c7dde167d3251a6cc79c

SHA1
f95f1bc8cd3758b97af7c4273d05bc964e54e01c

SHA256
3157684abb1b0212f819e4e2c2d8838d408808de7ff1dd5510edf1d14181ad8d

SHA512
cb8285af2c6de2453155d8715d85d758c2076aa68ab52adbff46b8891fecd84540cb75b43706aebff75cc8ed2bb13edae4cf8fa89127936adfae52b97d41d3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYUAYUMI.bat

Filesize
4B

MD5
3dc47a33da92785256a39459252bbb32

SHA1
54f7168e2f1abbf3f3cdbe686a6034af2c56d502

SHA256
a250c8cabd3a4a81c8c26e9f7fe8d599aa8a3cb2bde0b7849fb73c83875ae08a

SHA512
486fe5dae9b28f3cadc319cddee59918bba7c65c1841a7f8614013ec982ae5e3f82862db897789d43bf6a85f3148f9ec74dd6d932bc374aae7ad4bd9ad52753f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqsEccMU.bat

Filesize
4B

MD5
b9fc587af9acd9855cf5f9e7919f5dda

SHA1
ec9f1cf6e0884c17b3c17b94ffee7ca8fb651306

SHA256
c389aedb08786159e7eb0ce8a81cc5a5de061ef231a88c0b35527b9ba410683c

SHA512
914884bf58f79c4aa9cd63fba752c2deea2bc5fa7370b42d0e6178301bda38799ca722291f6db2935fcf83a5f616a62b66888bef3006c2bb0494bcdb1450aa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAAMkcEE.bat

Filesize
4B

MD5
f0475aff7c427c54bd3976ecc61e24bc

SHA1
62eeb86e19e8c048c01ec02c6a328c46792c4262

SHA256
977b168e223d403a560e817afc0c92520145b293cdb29946c88e6145df395eb4

SHA512
21ed1b4c54e4fbb0f72c5dc4e76234b849f04b9858fcc580082a4bc8824e2ba903abd1020727e2a3ffa95800e648d3617ce0543552ebec1aeb97bd5c8e4eec4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAgi.exe

Filesize
235KB

MD5
cc32a5778c16acae0e331cf0d3313b62

SHA1
7a9ffd9685047a7adbed11b303e1e0b38eb59954

SHA256
e8bc0a53ffb7a93a070442ce0b0f74ea1470847664562aaffd845e171d451794

SHA512
ad03f937ab77f4d09334b017d940acb15d003860639792eb7a0c19804e71c7ea44e889ba4f35f7134ae5430a0b025fbf6af6ebf95329b21525d0d676618e1661

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMcM.exe

Filesize
245KB

MD5
2f40325c1dac64bc4c4617760de9dc26

SHA1
dfb6712e6e299c509cc1ada57e59932d7154d582

SHA256
dfcb2296161bda9d7b6d380e9d47145061af18ce39f9402b1b337d2b9816d85c

SHA512
86658c90457b11484b92376b83cd5317195b589c32d3922e2b35062e7d39ff9d37975853c7ab6bfce874c5a56eadcbc3616af7a952198bcf666b98aec3d6a7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQYg.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkAi.exe

Filesize
569KB

MD5
98dc4b0bd656a3e93078e222ddbc9a32

SHA1
1413d43e41fad0f50d707313d9d3cf8a4e500948

SHA256
d6c025b85af07163037ba19fc5a018af7ba509dab0835aaed34fd04d8d1c0e20

SHA512
a2cb631e78e0ee2c0fe0d00b0c0e3096d05666e75689b33c5476a0b53e446655a6b420c866f54f4b8b15c696c79897cdd64e4325fc8483b23d632cc53340bdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkUE.exe

Filesize
231KB

MD5
216699ffc71751c4a0a7136dff41dc8f

SHA1
f95a1c7a6bcbd4c3b663adb0c19fd00d3d4c16c7

SHA256
5d92c2dfa9a75f39489ae434fcfd974875997423a4b3e0aedd4a3a8f24627d2f

SHA512
ab056b54375d28e76b7bea4ddfb9973df46dce5fb34692652e1f2f466df9821f9a2ee21055471d2b6be470c6ecc9bdd86a6e785aa348ff4de7e1c674973017a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwMS.exe

Filesize
195KB

MD5
2fff6acc322ff23128fc6212a55446e9

SHA1
0592ab5ded3aa519606dbba9dafaf5d86bcc1395

SHA256
c9ca629eab676122fb7287f5e14f53599d059ee1109f57afbf8a67ebaa8d3b19

SHA512
65e5dbcf5d46a0d8d2e2540b96b4b9cdc0dbdd9c2c8461f2158ab9a6be683be017b6b389df32d8b447475f67c912b0380d5bb4762f4d8d04ddb8d5eca394fb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwwIYAAU.bat

Filesize
4B

MD5
f4056eee2640b106f40dcd3145cbf622

SHA1
908764dbe56658297fd6a4f6fbab770716720634

SHA256
595a99f1804a1035a6c5f86a43d2eaa390ec5f60e504ceedfb4f9027df4f0c2b

SHA512
4f42006b488be8314a3519be2d541cb9120b951c8d6d31f07fce97b187c0211a570c276b26e501a1a438ecf5ec379703a101a664bc586e9d54cb3c2a988473d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGUcwIws.bat

Filesize
4B

MD5
bb44ba591ea2d03d9ceb65cd15eeebc2

SHA1
57bce201826152add88b05f7002259b980c8f589

SHA256
a7443dd2ed39bd0330a6952dbd0d77d0d82721cf10085182f1126bd73fe34b6e

SHA512
29076354dd5119929bcdf02d2550744c772709233e339a8a18d293c28e452b1bd1a3f89194645d5dca9b10b87f00f170181b1608a6cc33dbb5573f38854b5806

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAEo.exe

Filesize
774KB

MD5
3cc50313de3c889e61fcb845f56bfdf8

SHA1
046cd276e4c1c5c53d1678544194760c404277f3

SHA256
ac47e2add3b9c64f4387d5ddee46ce584f0180c377c44edced894acc7ac548f1

SHA512
cdfdfcd4667951f265b90b64b82eef6332c5879518fadf7f4ee38c8af331fdfc7aff796af15c46edf9843148aa42a4f04bbf8cd1b4a70d324e12f8c3719cd538

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQoC.exe

Filesize
1020KB

MD5
d309f885ffaffa98c3c434e30b060adb

SHA1
d5c45d53e3b0d550b10a679425cbfa99158e9907

SHA256
4a6df37eb921f70baedc66015c57bd1885a5a6fe0c9d1f99c8e1200ccf8450c3

SHA512
db751f078272423f6b3bb15560da600094554f3a6d7a28eebd3b28e31216b33f1142ac345a4ffecfe5e016b32e987e7511665ea1839736de3a1343a703ffa0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQsC.exe

Filesize
4.1MB

MD5
647cea9fcbed0bdb37f9d356b3c3455c

SHA1
115ae07cf63ec092ebcb8bc1092f43a3c48feeb3

SHA256
e473c05860d00b3ed8cc68e848209b52502419b2cbfd8ff3cc13549724a149ac

SHA512
9124c92c0050a53edd534356c568dd3cebb91c03541b5d87ae0b36784e8af362ceac20112c4d2183332d6d2c5ae131f63cfcf541e8c7e41baaff502ac4b233cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUgQ.exe

Filesize
245KB

MD5
87fc1fc5feba5a79053bdfcc05429a78

SHA1
30e02b0945fdd1557bdd7ad5b3103b286b44693f

SHA256
a3933c655a29d91310fc65f1a445b7be23ca0fb1551532b6a6482bcddb3d8248

SHA512
2b797657168010af9f2401fcd4d1a3c5d48deea63c721b610929bd8447115333ac02921754c03324ff955ae2feb2df7d7fbbcb13f4a4d4d491714d844964b7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SawYQgYo.bat

Filesize
4B

MD5
1499c8e466cb7d53cd2dd56eff120270

SHA1
50be85e123ac1aa447a30408058d32cf7110c2fc

SHA256
161ec752554afed2cbf616445ce9139e598de231ddef7dff7a0c53f3375e0c0c

SHA512
518f880175109f0cae038a46091669e56e6d6a50a7fd596d0fd89e5c9306a6daf1a226f47437dacc4f9aa57cc039b6938e4ac4d42231184f3fcf56d118013c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwIA.exe

Filesize
228KB

MD5
e13bd9f14a41ba8896e2068a0c5b1fbe

SHA1
abca7e04b7fe6dfc402cae4cc70b72426d990a29

SHA256
65c35947dc05a9b7c6f4423eefc181a50873c606ac2ad8cb77fca45d08ca445e

SHA512
c549a3d87d8cec205a9b063f891bfc8936ff9be8c7d61402eaa6d7b3bd294d92164abfe731a826c3807eb421f60ff2a23158e8d8f902f1e3ea3f3cebf9429ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swcs.exe

Filesize
188KB

MD5
d9d3b9b3972cf65e90dfaf5ada58e031

SHA1
77a86733352f0cee35bc5b11ee1a5812a63ecdb8

SHA256
8e3e95c0f72616fb1c184d9d876c530fa38e5fd6607a4f37ca9bb979c011ce8e

SHA512
78f54b8b5a655bfa8b917a64ca562e571f6baddfe32e1daa730e1c3b36f86e6a96beaebca8845c50e4b6d596861e3b3b52b66f4b229dfde4ac2263dfd63e6058

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwkAQEsI.bat

Filesize
4B

MD5
ddd9022300e741b971dcc69ba2ec0a02

SHA1
4942ea9e6f985b593837a7844ff12454843f6957

SHA256
4e31112659639fef123c009cef7c0ca3cdc14e589f08753795638a9092a1b4b0

SHA512
3a2ec977ad5502942a2cd8f9fc612fedc854bb49c08f190fc13221a05cd3151b3735db4b599608111b8144ed5223861b83525776c1e1add100f3ea0a489cc0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYwckYYA.bat

Filesize
4B

MD5
781b4491eb28ead0fa62c96b023a48bb

SHA1
14375879f239ea484167f4b8c7cef54d6aa83922

SHA256
3667acc2440e85052ba39f4da82cb91c908719af4baf4e2e6ea779597b8ad908

SHA512
7a5dcd796222350a037e51985aba77e617b46669d69a64b86dd42388dfc055e32e120c4d202c5d7d0e09a8b05c5ca49ddd3a25fa32198fca93cf985007107b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcsEoYow.bat

Filesize
4B

MD5
00575bb523fb5220240faa979e03334a

SHA1
47f6abc1994eb0d799ad79f15def8eae4eb87513

SHA256
9d6916a3041dbd6e58a1ebd2d111c2838359b8132e3a8fe105de903d99663afe

SHA512
00504b9c78c5a6d6bc5992a4afebb339858c111c9042eb192a9bddccb6d3542c81c85739135d2a87ebef8b92604140b57fa3ebb8d06e2a5a0ea48cbebbb73e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcwwIAoQ.bat

Filesize
4B

MD5
e4677e8004afdea61141fb29cd0bb069

SHA1
62b32f6ef3975418f79631ccede1efb21322865a

SHA256
468cc6f64e8ee52c88e166cb97b9c75d1f7a2293561db161274f7758760e215b

SHA512
3e13a55fd8f557ded7ba5bec076dac7ca64c6eccfa4b382970614c4ebc721de3ec319ae3609a98a00501d966b336073e11c8904bb6c262e23bad4f4c21a4a568

Download Submit
C:\Users\Admin\AppData\Local\Temp\TqUwkYMA.bat

Filesize
4B

MD5
57018e4fe99a536ae94a797a4ce47f38

SHA1
62624cf7d81107a807119f8e9a938feecb22d07c

SHA256
c8cf2e4a50adbc15ee0e8da9a4bcbdb2954c7a14cfbe86333db9256b1684711f

SHA512
f85c660c6de6a3415286a5f9e99a134fbb0340dcc6d85a25c5c71219952cabed76f562d6f6ab547bf2b5dd526a5e52df977188d22c01072f468f771d4401d459

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAUq.exe

Filesize
233KB

MD5
a3a7519f563970610e57878f4ab2daf9

SHA1
f3f98c9416ff0dd9788ee04a46b8b6fdbc56b751

SHA256
17146dd8680b26d0f900a0e510a25989e4f4880f4c842494dcb0b368b7f18b46

SHA512
947a0db10e3bbcdb1385cb71ad2c6a4befc224624c2b2a256b7e338fe0d7f0f2b38570d14c845506ae5cf785212f82d5ce082bbdb48246a4925f01025ee58a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUIG.exe

Filesize
244KB

MD5
0d13758a2b7978410633dd0512c00528

SHA1
9fcb461f8d1f22f25698239d7bae43910a4ac37b

SHA256
600eeba19036c784d9d4efb5128c78313a0c77543b62105d3d61c0cb131cc2a3

SHA512
8ae65392d4923cd064149982c1ab9923371c93b22231574aefe52a649997e6e9150f1538c75fb0e768feb624a8fa244343fca5f916fd4fc503b8addc05d81f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\UaUYcAkw.bat

Filesize
4B

MD5
f415e8200481a1f9a952e91891e1d7f8

SHA1
2bcef4a9f6084dfcbdb8b6c4298233e959b7cfc1

SHA256
5b018408dab8096c898d135effdcca583528e4ce897552cd4c36b91a941df140

SHA512
cb9dc664e49e7892a22a2645703a804f3cf4c4d66d2159081f0dbf626f10d0e0357c93b2831089669b058005e97e1093c3c5a48d677ed10201f3a5bcb25842b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UaUsoQsI.bat

Filesize
4B

MD5
8b787884bf4f8cad094df84fbc4ff6e1

SHA1
96365c6f4f9b90d2cb36299a84f4d593513ce683

SHA256
a65a285c3aae5bf4ad5fa256e3e6387a618978d398bd99f05ada865379c11a42

SHA512
7c4f27c55a48793b4498233b091d0c4485fc34724c54b57c90b524c5dae57f285d2fd3ce0619580522ff37744b17694c6cf7d0a8b4808413ec8e76b1483fad7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcgEcoEE.bat

Filesize
4B

MD5
33c9b6a787e5d8ade6713e58a34b9e25

SHA1
02c212a20db91f41c5fd05ffed54ec7d8ede56b8

SHA256
18e4e2bddaf2ca7c2cc190f8d83efe0092b57abbed48d091a01ba76ced2f492a

SHA512
1dadd6060c4cd07a85ff0c0916c1adc1ea9b4cdd2a3d4c9fcd7d02b7dea4630558d33e96fa2a75ad02bef85bdce9aef1c894b56f5d6d663b48229c02b8deeec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uggy.exe

Filesize
243KB

MD5
71f42d074697f8cf6128d72e5b51afd6

SHA1
65da1451bafac053643c2e931a2be07eecf955f1

SHA256
a2215a45cae3a0f2a3a3da3d4962db2d4ae237cd5a279c1588d7c07bb009d15a

SHA512
c35c18b38fca319477b204d8a59eedf6fa73f4f24fc9a16d3775ef51414801813bbdf3d1b3a2375d9bd1417ade8bf88c4779cf97f53d3c5edfbabdee7b703a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uogy.exe

Filesize
229KB

MD5
ed147c1527aec754d297a0e801b8bfa7

SHA1
6ff5ee423855008c62e0806066417a85a01eb8c3

SHA256
0286b55a884b46935c1c475671463d22526d233c673a4b4b6f2e96e7da99fabe

SHA512
868a41d28d644829f827cfa47e1856194ac8d74f4d10405c67b53e78500014ae1d29647e067ac61fb036e3504443f6b7c281129d22e68d33637b915233f835c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uoou.exe

Filesize
250KB

MD5
6d031eef754b9d7138bf2b711b5db059

SHA1
3dad139b25862eaf405e8a04b78c46a1c1dd85fc

SHA256
d9daa3ea00711d1768557152b91a654c803748bf1701e7e2118e3671340b03b6

SHA512
525ad7ff7e874c0763312a8f05fb0500b3a41e79d8f1b546a48c9e2fb2cbacd779564b033bd3da9c01f38877748121835f8c10b21422a994f67ea8f3674eeb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgIcwYYw.bat

Filesize
4B

MD5
75cfa8a42b489c3be47d74ab7cf87796

SHA1
539f40bb9f2aabaa5c099d0ac9cbe97750e3c9ba

SHA256
fb762a4850bab4c9963d7af515c21962fb63fa6ab942c1787c734f6dbd65e936

SHA512
f5e921457110b707e6c2134ccaf406936ea61af5b81c988cf8bcc30afc0afd542e91967d21affd87e1d9f7e25b8e34834d479d026f5968ddfd3dc8870c9454c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqwQQsAQ.bat

Filesize
4B

MD5
8ee7d7bf33bba46562f4b309c60cbc01

SHA1
8613419143169b9233a1a3a459ebc193cd30e803

SHA256
3352691f5061749f27ffc99237a2baeb26d34c8c60bbff9e20f6dd755055df45

SHA512
134f385e941d75ffb512e2ba3d301f0d769b2c5a81b038dea6eeb945787feafaaf8fc7ef880458c3f7aa904385b242d66f95f135c254607e97a5b0b97e84678a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsMwEcwg.bat

Filesize
4B

MD5
29cb788102dc534b2a7e15e02b718290

SHA1
ca88a59fc2d47fae85370b4515e54b9fd53b1022

SHA256
2bdbcf77f07ec9a3d47f61d1218d99455b9c361c1d402017ce4b8f4b64bdc837

SHA512
0e77dbde69985aa02d0f851ad5aff0cb93910070a9fac13ac23e3af17cfca60936ae1c2d68e739a82f64870bf96932703273a2b5261aadd8263b3e7df20ae571

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEsy.exe

Filesize
234KB

MD5
ccd24195dad97d4a31b52812b335e016

SHA1
59e124650b3110b8f33edaa7f5a1d127ebe126ac

SHA256
f5f8251910dfc379d771fb7355d254a45f97487e046611d587a11169240eff22

SHA512
7cb76c0f5afd81ce5fdbb7b04ba492939e12340080ecd45accb397e4b548153f5fc1196426e2bd2ba09f0508f909ced539f904a5b3acd6ad48e01de92e0796eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIwK.exe

Filesize
235KB

MD5
184942ffa3b7d00f5adca5eca4f4cce4

SHA1
a921de8e5245a5e59eb331416050af76f0081aaf

SHA256
d844bdb014f91558ac6670fac0d6c8b703b7c12d7f55e0cf137019288370245e

SHA512
31b7952452824f81b8aa78063b78e70eef73732677f6e0300271a9e1b2cb626314e48f6f5c1a4270c16b661d0c9d1b2d26c9ba415ef9f449831880a59dc9bd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIwS.exe

Filesize
252KB

MD5
a70b7d6c525124a572fc8047bfeb7775

SHA1
2a8e16725f29574b4da97bdae114b8983672f3b2

SHA256
5ea0dd3bb22459df3d6a8396b22bc3665ca1f24c59edcf6cc4a6431c0d7bf889

SHA512
7c1bb91d9174de77d4b9a1a7f92855924d86173942b11f053f6dce144299175c4edc82996ace9452cbd23e5cd76683087d5ec80233d60ce6c751dc710f39ee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgQs.exe

Filesize
249KB

MD5
a8dae6bfc5890149ad2eca517a065088

SHA1
f252d28e95da54b774893943b3420cc5697884ef

SHA256
57361bdd042ae12a69671e814c9c496c6b0c2c7220c2127842f646dcaea09a9a

SHA512
ef9287f24bf068e717bc816000501595d3665fefc64819d6d601bcc568571543442a281884993aae7a683ce6bc3dacdbfd96ac28050ccdc8b6d257540b607bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwIMMIQU.bat

Filesize
4B

MD5
22756a8dc94320006b09ab2513936279

SHA1
4d021c7ab67742762c036bbc6d4f5b508087fddb

SHA256
4d03ececbc8d39a9d3d0c058add4fcb7a32fe9c767296d2ccb423a4ca895bf2c

SHA512
832f1e358d44158b616a125b1eb447308f2468743b277f6bf3aac1201eabe623b7151d6d5fc074b8f0cc6ac8060e952e42ff06df9d387a28f105014a97e0bcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwou.exe

Filesize
195KB

MD5
6e4ce9bc65958824df9bbd622692fb5e

SHA1
3455160945de4380fcb7b93b20abb8c19edbd3d9

SHA256
77885a016616a699400600d6b102123e7c979d7b09136e3f80ab70a71a105c0a

SHA512
a088fe555eb2785f1f383e1c9d9fd9e1d9f22b00f0052a5b1d3ce248a43b143aabb5458f4385e32ae85ba116014818af230fabaf768dfd74832b45dc7f2dffb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuAMIYUA.bat

Filesize
4B

MD5
df5cdc2455d27eb3838342ba4d63bbc7

SHA1
9b31a090ab62dfebe902759b953eb3c1b36508aa

SHA256
2af090121f14d562c6344ca230ba772db64fe8e5dde418192af6d0b35001df63

SHA512
8ba737bc88159a19704dabe0e3615d71be15b3874ad264e06650948d46c5df0b83d20ed6e2c4da94bfc640a886f895200e9525b1a7ff6b9f5ace621c47854f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAcs.exe

Filesize
228KB

MD5
3c47197beda901cfdf15612da6eb98c6

SHA1
eae12e5d48d076e363596637dae8d0482285098e

SHA256
f7b3d50186df9df2da23f9e297f89eadd9b5ae7e1a880e5ef1c6addf4f7ed233

SHA512
5eb994e93f741a791f6caa305f3582551b3dc4b49a8a864f122cf2f72e6e987da23b754bc6321fb9334be076f8256e1913e3d6d4734f325995d4f4eb5a771dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMEQ.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYkO.exe

Filesize
250KB

MD5
11a899ba6a400a3079a2001e82e148e8

SHA1
0ddb6754bbac0c6668365795c188073697d6c9a6

SHA256
a2dd1a751eb1cb419dcdc808635b049e4e491035118d1f3c5346e135b0a04de8

SHA512
62bdfb25b41b7176384bd0d9bea03561fad7df8c64ff5c87c34f5f36bbe9ab7fc3179f0e238ad40399558f3eb98996e57e10998798cdad5c45ae44feda21336c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcAc.exe

Filesize
200KB

MD5
7c6cf8679e4cd2f1e150d615dd502822

SHA1
29ad5b18793a4132bd3d9b9c434dbe559a9881ba

SHA256
02df91a250dad89cc202037a75f7e6d8d15975792587d91625f68b7ef5d23401

SHA512
cce8e30e21e13d62b18cfd96d813246aec548ef5b3876898f6a2a9d1a9d5213bab1c40003651fb5166abe4aae53cf0c6ab52ce22707fd5186fbdf21f3032756b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykgm.exe

Filesize
246KB

MD5
7e68b5783edcf652a35080813cbbd487

SHA1
4cd2c542e7719429651d7906752b78b875041788

SHA256
2e00bd8d48b3ac678d105a0b4ef4b14ceff2d3a575b14117646c7f2960b0f6b3

SHA512
c403f1cac6ce998919a60e8a85f0ff5eb2ca6abd5636ab9a90a90e16ca60f24d1bbd77812bc2a4c5c75d587f09f04b39227a154c990c3d7ec12e2203a7227469

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yowc.exe

Filesize
230KB

MD5
b793639993bb13ffed13c3903f94f283

SHA1
8018ee12ecd6e665e2c6cdcbb8968d8bb360277e

SHA256
15c43a875f9d57a0a4f521081cef64723a2f7b2a86e104f53a8bd6dc3a6f133c

SHA512
d011f45b15159dc6e8f9cb681edffe011f65b7454c3cdbccb69fcfaab6e700806ca87f35dfa31c23fa9a2a252a973d6acff822dd49bbe62fad53a12c65b2ebe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsAgIsoM.bat

Filesize
4B

MD5
4fdc8a3fc9f7e5d944f3f714a4de46ef

SHA1
b7551ac6c09ee90ba4f49633c01cf8b4ff6e7d90

SHA256
c04b17ed4cad7380d8bc1e8652593689a82812b018a181796ac2f8338799bbf7

SHA512
af23958dc3c6f389d87e92234741eb929c48dea468ec21e0564ec803376e4b91d8d2c6b7b2ef7cdbb62470ef9bc0256e6fd3195352fc2e16df46fbbef3605991

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwIA.exe

Filesize
191KB

MD5
ed911272efa35ce3cff39452ff47dfea

SHA1
4b71793c004ec02dab5a46226da6edd5bbd7240e

SHA256
fd724928be8dae1561437779e4d624c958b256efafcebcaad82c5255a98270ac

SHA512
cd774863c6c2c6094925bd197d93c8d8642d442913493ef53ce41297db993e59332ded7c5c3a0b05b679f06fe3d5456e632e353e948157be8ff1358a40a3ca69

Download Submit
C:\Users\Admin\AppData\Local\Temp\YywAksYE.bat

Filesize
4B

MD5
f719dbb4537fb83a6e9702a853a31379

SHA1
6919341e9f3b6fc4d64eed9ff9ca37bf5128eea9

SHA256
4d121049a7f88ea67506529d41bcb42ccaebd7e75e2b78e0d634a441831e6718

SHA512
1e4724911368d79b44491cd673bb0b4b8b6c8ab042555e06c09b26cc58e0e8bdaa5752e8ba4453aabc22ff07b2c21ec896771c863fac618260c89f0c0e2a26a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAwEMIkE.bat

Filesize
4B

MD5
b208f750917f9e2ceb9f340b55c1e33c

SHA1
c64175edb628648c86d17b3368b162a7e11dc6bb

SHA256
f2709aa7da8662bab59d2ffe99186db3986bdef7a84993e4d99f74446dc6d78c

SHA512
3616de3548cc3ccfc248cec61b1e5cffd8686175cf870a69f6b68b5df4aeb7c04dfff13c57f1dee5c49455c93d362f4dbfae3c88684286ebfa9cc20449bfdadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZGsQwQEw.bat

Filesize
4B

MD5
c37da4ab27d69fc15a00f78cfb41290e

SHA1
65e4dd5f450a18c1893488765030ce186c7e3651

SHA256
9533c6f9fd56c259094c4edd67d45ec2e1a66a0148532a189b75c3a53fc506a0

SHA512
ddda1492f973c667d7653ec482766d0fe9316742f2f611c9418cb69eb42c4cf8e65fe8a209667518a30abe7e196e10af7bf65edc622b8c5fc1eebde320946fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWgMAwEM.bat

Filesize
4B

MD5
65deb928648bd2987f2831c7b56ac888

SHA1
945b9c467b4899a01b35560aceebd9efff7a56b9

SHA256
1ec9318f18f48efbd9ab1761b8a4fbb7bd9fd71868e511815364e537a09d51a2

SHA512
652ef25aeda79dec43313326cf9468e1763a1b382bc48cee19eb623535fda52834340118482ba174178f5cbbc38e7dc67d0bfae5b301ef404b8d8e6c6faa0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWsgsEkc.bat

Filesize
4B

MD5
9993fa0f9a23806db21ce09619f0cc70

SHA1
a34e52573a26f9311b7d5b3cbd99cb779679c717

SHA256
d4a60018a03011f201aa6e3ffea317e3f71b450432730a3ff4e57ae4ef31f2a4

SHA512
522feeb379c5b894d5fad20153df5e124130ed93b9af55783f4a3913362fb40c50a5afd067a1bb48f924dde77ccb5fc222f2ef0197ca61489133571fce0ba550

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEku.exe

Filesize
236KB

MD5
140245045406e0c99da06a84db0ad2a1

SHA1
6de1b1e4ab2399063e47a5c0ce80468c0f4b3aa9

SHA256
10891b02be4dd3b53b28eabcd96f0968d4a03ca3634798bfa7c033d8695117cb

SHA512
b0866057681808ad1b3ba231ca95245d7c311c9d174fab07a38e53f26022f33c771f1be6fa0bb7b7f27c5c3ade7af369edb0c72112a2e52b3066009cecbab56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIYggQoE.bat

Filesize
4B

MD5
faf3574e9bf7254889228765cca2d90d

SHA1
833ee708053c6c84cf008eb089eb604c2c2a6236

SHA256
16c77cf1c28af7a402dd1a0e767d571834ac42ad3d4c8ee57c1a7bffab0d43e9

SHA512
18cc2183275d7db6cde77835c60648ef2d6d178f67189c8fd546533510f18221bf912fb7f7ae299697854366c2af5886a46be816d963503c2c7e4bd9cf1d2260

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKcIIUoM.bat

Filesize
4B

MD5
772165b987d34f731b9aa50f4bf98748

SHA1
ae3fec0aa7e18533e50df9daf6dde9364895846c

SHA256
01fbfa6c2f6f675214c2ecc1d8e295e62e153cc0a7c27641511f52bab2e639ae

SHA512
3744bfcf83e20ff087ca98eb4b3d7ed7cef423925cf22d5ee4a45115dfc37165749b60ddbda07c51ce6a5366bb81b0879a7bcbbb3717ca4c8139766cc1f7c25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aSIYkUgk.bat

Filesize
4B

MD5
1127cb832d3ee169258cf5ff6e348270

SHA1
576edf6f41aa89e4356ebf64a112a11822b32c25

SHA256
d28e7ee744c9d6f1e0aa538a0f644b44eb029f7155fddc936f84faf69027b088

SHA512
dfeebfefd64b75af643c1af0e109bf2ffc369e3f8b6f3583c399b9bf658d6127c96861daf3ef287b3704700051d5d7e433a89857b62585953420db0a33247492

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYUE.exe

Filesize
191KB

MD5
364db0e044e9a6dd461022ebf6892383

SHA1
562978e9dab3a3cc997f3381dde30a619628491f

SHA256
a6c25511ccb1527e56b31fbf27fde3b1542d6db7b88879cdce8cf3a626bec37a

SHA512
f60b6f5bd91059a0d94e2e1829fde6f37ecd9de36c10317748de7927fa2859ce92c117d64aeca40cb037e353b917ee3a0b1e4a9eedfc0b167cdd620278285a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoQW.exe

Filesize
220KB

MD5
eaf6aab472d7e122977aab46400019b2

SHA1
6a6961acfe993020bb84f6ce373a31873779a3d5

SHA256
b333b2218ea965c747c921c42abefb7a6e5020e7bf2eaf72b338204f9367c1f9

SHA512
1eabfd5ceaf59ae46e1a05d2b5ec9ce0ee79f4f7621814fd70ab7e1676e7d942374f87933ebaf709f5483a78a66dc70e596410b58e6262f386ff5f1508f94a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\aooI.exe

Filesize
723KB

MD5
3115fc3239325a8bc51dd1a33b2e0afd

SHA1
a5ed69f2a388705c3c1869703f4f207c9ba4f372

SHA256
67ceabf8fc64c7bbb978b702c0dcfe359a17c8453b48b8c63a7c5c388fa28fda

SHA512
5bb7e3ca5490c14830fcbb0ed30c9bc83d35b04466b6b54e6446697d586ea11dd4848176095ddd72d5cdc547d6868ce77694d9947cb68f0be38795d554b44111

Download Submit
C:\Users\Admin\AppData\Local\Temp\asQgYUUY.bat

Filesize
4B

MD5
aed6114418105733b797e7f47cb62866

SHA1
12178c09aab5c056446f55feb46810358930ce29

SHA256
1985c85b7afb20d6d53419a12916b491e70077b8726ef1652d4c342796fd41d5

SHA512
64dbd790f8c6697df91ba6296d263d24a04e241166e982ca9b2ee9993897e66d9489aaea968071f01edb36e962e7dac4a92c3590e1dd182d78e6c3e8975eada5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEYokowg.bat

Filesize
4B

MD5
08fb2671ebef5468c76a385d68753dcc

SHA1
201175fd6b08b3e1b41415f5203ad6654bdcbb9c

SHA256
e8d9ab7e39034a211c881b91e50cfab8807116b5e9c769505da1e2c66fc427c3

SHA512
caf431af0644be91b6fceda48ff2372e0e2b1b21d03cf8d1b0773ab2928b044bf27a254944e53af8bcd1b32ac278ef41a18d477b5c440943fadd74ff6ed470c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUYAkwEI.bat

Filesize
4B

MD5
d804196ff70ed91a55c3df7661ca4cec

SHA1
3d8fce49a05a5af87b42de51a613c6f1625b8007

SHA256
e83a8b53551938010a828b1fc68d290816e0a9fd83c442b2c94b46cd6cfdb45c

SHA512
e86dcb62db61f49590707263dc31253643d3cc2e5d86e2dd2b8cde847527384182b7030b229defa43b9c18bbe94f04ebc8573db708dfa9ca52d2b8caea898f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsgYAYII.bat

Filesize
4B

MD5
eacbf268bd0879c6cf9155ead713cd95

SHA1
fb0aa2fd8f4ee640257a36403acfb98febcdfd38

SHA256
7c2b4b961e91012bb88db42cb48154a59531f5e35fe806ffc5d269a4f4931f5b

SHA512
315724c5d1911c976d90c39387092a6c2b8230dc9866c7acb0412442d26798d9d04d51dc629a1c7901438626dbeadcb3c09ba0368de9d0a060e06a39b98dc171

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKwcMEoY.bat

Filesize
4B

MD5
beb200f79670fd820336947986ad3af8

SHA1
8f6af5b53e7c96e6d50ab7b40e6a6216e5cfe482

SHA256
0ae81e7bb7d4f2ae463cb8d3956a7937c833f90e1372f3ee60f64cdf7d0a3225

SHA512
30c0708f6542ac0a16100343639e6085c6f3566ca1fc77f0588cc9562ac3d591601d90372ffe94cc65f768fb6c55ccca9fb2e19e07e0ab63b43d4d851dfe7f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQss.exe

Filesize
251KB

MD5
78d7e982b2ea04bab0c112f54c1e4db3

SHA1
90879af43488d14fbdb26fe95da041ecae3ad342

SHA256
d21bbb92bab3e36122f495fa16dc78fbd18728e6a1b38bdc6a9627707357999b

SHA512
215953680dd26cec2da32ee7ac7e211d5dee23b6839144136b2f1516addbdfa977d0b17d4018ac0b8454c875e7d9d9755e7a60164dd3be7c34f6574cf8312ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUQy.exe

Filesize
240KB

MD5
56e7c0ca9ca47f7bedff49ce1ccc0bc9

SHA1
37f99a344e35e22838901eb3e15afa784d1e91ad

SHA256
361a27e7db6c5d48f669079d98b96fc9e7a5cf8c2e16482b467a4b95994e6132

SHA512
c1efc733969bf9aba8bc6fb371be41d5965b3418f92d57694f758bb21a7b7ad4115c3648cd78a10be2e67bcfa9f69789c82ea36848d4aa377b9483d8e331ded2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWIgkoQc.bat

Filesize
4B

MD5
6075611b8644771df60e3782118c0b11

SHA1
ff45df3bbfe03c1b48bf7c23d68e22611e56bf1c

SHA256
864d01469441af2a2ca51ca06a1c9f489e4d1f446d67d47631898526ca2fbaa3

SHA512
c3816ecd6dcc5e89944dce8ca5f5275fa0d948538ee8f796921c76cecfe4e36f34ef376bec9a44d8b609678034cf676a048256d389c6237a2768daf3f42a8466

Download Submit
C:\Users\Admin\AppData\Local\Temp\cakMAosE.bat

Filesize
4B

MD5
91a9a441f62e3d29ea2367af50da4c4d

SHA1
7ef7c8302ced855839ecc3cafa869dd624139421

SHA256
8aadbcebdfd7e9f8ee7dab4fe6709d5df63dea2e08f8e2bcc9be432b5ce5dd4b

SHA512
b62a33ce72c8dd5bcfdb31875e3676b248750a7ca02ace792a3e9bfe6db5a9069ba98660a4fb9acb46d6a9e17fc1b688e7b56db246e517c940e7eb58a1891280

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccci.exe

Filesize
240KB

MD5
219bfd6178e7a62616554f120eb10eb3

SHA1
a2d9c6224b2ce04deca80fa0d836df8c5ae91ed4

SHA256
bab6e84e46e58ba59d0814549dd8eb79936079a8abeadcd428d380ae4b956da3

SHA512
c94803c7e4ad43f3318778d609222747cb8fe1081f239d9570607b50e17fdf13db6497f56d95da73f115437b2293a4a2466e960982c6f60086df57bc9dd0bc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciwYwgcQ.bat

Filesize
4B

MD5
43fa03046a9cf8a7eecb716aff7c89a4

SHA1
0709e8213768fcba5237860bcb86a5a072295c08

SHA256
e01b7436f66ed467731d8dff1b1837ab13f0dcbc0a6831e717703adb1b4bebac

SHA512
4022d2b71b6ec7760d375f8f87134c7887c69958b785ee2e2ea0b80e0d859dcc5a77a94c4c1c7a70a186dc74043a18ee36cf1dc3f8ffb6ba8bd9b854acaae684

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwQG.exe

Filesize
237KB

MD5
8206ccffe2eee34212aa7c5828ba3cab

SHA1
5d7b81c30e13cde50ecbb5b8a7d32a4b1c08f271

SHA256
0333229cce065eaa9544bd8aa9e5055a370ce66d28c02d6811e62a27ef4841e1

SHA512
195fd0ae6c2944cc767fddd61d4cf5833919b3599fd400bd683ab73f2104bd9cb58037df189dd82d674b0f3ba019bc606a879261646866235c8fa36fa13e8d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\daAYAEcw.bat

Filesize
4B

MD5
7e34e0f1b6dd398aae424e66d031034b

SHA1
867c91fe53701df98bfb3461a27e4c221693d2d6

SHA256
348bd9c5ebd02809ebaf362eb70845bc9622a74e44bc2686b38429247c25deda

SHA512
3f657929be149b9a4c5846ae92af546011a94a1bb7f24ece9a814d043cb4a6d86b37bd396549022bf16978aa01f85b7b03b00534ff7a8d51dceaac54fe7227b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIMU.exe

Filesize
229KB

MD5
f3c2facc754f12fc8e5144da028665ec

SHA1
025032c6c9c2876fe989bb731e17ce29e10e7d40

SHA256
85e4be7b33dcae467518c050deb2fb451190956fc6e93313c9b25efaec68d7dd

SHA512
012b095e0216e54da7e8f94ee740866db28e74a4ff2fc413e052f40102218c37e3ac9b52d0025f833183e8cf43165ee05ab03e6981b1ae6bb60e7f4504aa3464

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIoU.exe

Filesize
363KB

MD5
8d247d2d356d4ca475f382f0f73e910f

SHA1
7b8fb4190a88c770648afcbff041dd3856224287

SHA256
7f19adce96c59a829f8eb6af853fcb7316009440d5a824621aa123d464a8029b

SHA512
6e3acd22efe56563207776b6a87fe95449cdb42aa9544f1e812e42278f2481de91b8615c9dfb2dba51e098333805d56354c3263a4ce3e9c5beaceff966c57f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKQwosIM.bat

Filesize
4B

MD5
e3dc1e2ed641c24c54a8c839132b5eaf

SHA1
b0528a6ebe5e7b9419647cccd5f9f14ef7f52f3d

SHA256
c0860ea4ce6e8df1d96da8e554f2914c2f2491f569bd3ea24bd4e65d693dbe35

SHA512
eb31d292fc53d16d5152d5c47128a405b31e9ea198d2c06a92281fee16df2debd10d757ec08423ad7bb918cc99deb9f767747e9958d14542c05673d641aef97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eOgIQAAA.bat

Filesize
4B

MD5
dd3f03cc6b392a11d6c5e2971fd6e29f

SHA1
172b707f2d9d43d6ed5140da1a1513b37452d2fa

SHA256
1493f4b57e4db0deb9a4b685f9207c381f98257474c4de249dead8703eb3ef5b

SHA512
5cebd2d51d9d195860d25348669b9ef2d8a26784333e78710a34ff1f0574216cf4534389a42605547a0a5aba16778f3559377d8329776052ac52972158aea39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQIk.exe

Filesize
8.2MB

MD5
1aabc7a85777e7d4d228f9464c15acde

SHA1
be1e331d6b591e7b90c57d5dc204ecca7638ead8

SHA256
cba6d3414f3b90905cfb4bdc29e79f718cd41c0fecba2a53bb0611e9f22ae92d

SHA512
6de7dd035882244f3f5458f19a8e1f23c70eb8de926e84663f8a71a84f9086bba38ee5967f3b29a77e54bcc42c0e5f11e91a2d615ade0782e1007e7de8bd5c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecIcEIkI.bat

Filesize
4B

MD5
31cbcaa4495519eabbaacf51466d630b

SHA1
4872ae5e245104b14d31b63d4c1abbee7d908a2f

SHA256
e942321d20d08347df8b1f39f4058739c2a2e08f91f1e4be6a52f64746dbc273

SHA512
7a45d412a596edfdd84474d80b53ff1524b803afb1ce3a3b2bfbecdc8fb18618b096df241ef4ba28376122ac8aab76b62873a019f3823c9fe93320b621ace3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\euUEIAYM.bat

Filesize
4B

MD5
b4c28170acdf3ba81a09e26eeaeb6770

SHA1
9489a05cb89dd0dff35bfb76a622031293b6c1d5

SHA256
f371e0afc51ee112fcfe8662aa765509afac4106360bcb82dba24c3feb926325

SHA512
7b2139d1b43432ef2a0a09224829c7857fadc3bd42dcf99dcbead31c81a4495eb018a935f0d9ff2309b7fb9bc6e0fdeda66821b58f82e667bd49b65c1003f162

Download Submit
C:\Users\Admin\AppData\Local\Temp\fKYUoIsg.bat

Filesize
4B

MD5
a4107a4871dda388457faa931bc806c1

SHA1
66d88c7f46d1f2cd7da429fe61bfe531260adbc6

SHA256
6a85ce6d9a60b7540eece2dc5d6ad91340aa37745ab18e981525f1a999ca37ac

SHA512
769367fe0f7ee4ad48202aed851f433eef1833d0cdbcf11b403cf0867b93e985485885b1eccb35ae4a084db62046fe3ac8cc373ac79d277030e01ac606671838

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUMkQgYw.bat

Filesize
4B

MD5
4dbf735ca03a5fc747ff3da1f8ffb8ad

SHA1
27986b9e301f379a8cdd5bd7d918ee746d0da038

SHA256
44cc7825c019de18b96f81289ac90c33e8011c3e8844aa4e5b908c1775c633ad

SHA512
54f55dd45e2b41aa847c708749f2aded9f1b2fc46050154ab51eee71bf488b0180a53017bf481ea94ed65c7b74e3f76d4ac53ab0626d2e3e31626690c89e5ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUkgQQUo.bat

Filesize
4B

MD5
022862539cf2f9accbeec00d8963108e

SHA1
e1b1731d3a470898c3f2429617bc0f3bb266938f

SHA256
4f895156c6ccf1fe6aebad61de03e6b835be3e458e2d267d670c9f6fd00077eb

SHA512
86c64f7a76a45f457e155b75148311dbb630b3467bcb4230e267f18d340a2650e89e24b0ccaff48cadce31e3641d57836f9ae7f3252ca3ab0c59b6f3e1927ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuEMsIkA.bat

Filesize
4B

MD5
d70d1bdfe30a4cf07e121f4b43525ade

SHA1
db5039d5e3020953ca3c91a2640a0917a3df20c3

SHA256
b3f3d5431edc887be77512dded580a919efe324b462f6a50d16d5b5b56001469

SHA512
1c1de5d5ead11ca59d2cb387252142c04665f323bc14069c3235938b8787d231a4893e154fe13a7e2b3cd8818cf0cd8794c4f79a32d888459e9a97b9a0716699

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIIW.exe

Filesize
233KB

MD5
f2769907930b56e2f0c8a99a19a1c5d8

SHA1
f681294a5b3e2dac6f3a290ca3d7ee51f763094c

SHA256
5c5af3d6712e18faf279363dcf039fe8486a16d46ac1c3651c9fca026024b3aa

SHA512
dbfaa4dfffe092301a684882f2c09fc7b038a99293ae5cfcf451fdb2951b1cdbd4a6e603038c2905cda11f192e38288ccfd8a22b2873b1cddfb733c0ead020e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gKQosoIg.bat

Filesize
4B

MD5
6b1cb6c2a86d99f334115fa3e39cbff7

SHA1
75d2e47bc6ec9b8a5cb52728bb08d1903fbbc085

SHA256
10bf056da553c0aaef9cf3929a061205e631d8e50a715950cf8e9ed96792bf75

SHA512
1fb1accd894e82d81b2901b08fe6d73e98ca2d226aafcd3db838e98c373b2bf3515b256d171188757e000258b264d177eeeff804f0ed55bbae3e684f3471610f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQEq.exe

Filesize
1.0MB

MD5
090273a465361481bad56b922890d44b

SHA1
99af2d712fef7af5d73cb13011e7ba4b190fcb41

SHA256
292ff2b6167ed59587d74af4473d67bac6c297fd311464cc2adab00ac342ef78

SHA512
4974552e166e7411d6576c3269c44ace067b4d4d68887622eafcf57a628a1a00d3c21681e15a100208be5d5fca74a19848f2f6dd6b5439028c5a3b0da6574506

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYsE.exe

Filesize
227KB

MD5
4bb1385a9c39f521c1d4f597393270b6

SHA1
c7c2716512819f76d06b72364203bd3fd5476781

SHA256
18d2b2f601c8d62638f542f63da470c6ee4f15d9c62fc78a50f1711510da6fb1

SHA512
6820f3203e549f78d69a5619c4935ebb570df81f4d71f2ee5bee0f25f58b4cc665b7ba52610e9db304f148a65fc58dfc8dd3951d533bfa70189de5a365bead3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkQQ.exe

Filesize
760KB

MD5
2bd7e78f97763f2a2fe1ade1b23ef8bd

SHA1
d04e8b8a6c7a69c892f84d7853728b48c68665ca

SHA256
e06bc9d6628a5b88f804dcd4ac79aa37b4abfc202c7b7dd20a250dda9ab38c88

SHA512
876db18457b54f9d40dbe73ae3cfc418d94752b91369c489e880f49d267b35679de35b11b96ac039a65d3faeb174fd1f1c3aa6c74034f5a0bf863e7ef5c5272f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkYI.exe

Filesize
252KB

MD5
9e8a1826332d6b0f6dc97884b3ec23ca

SHA1
f6ebe704f38063eada58f1592e2ea385cac897f0

SHA256
1e2256bacd024045e182e7e73cd9f6403b45ab1d0d14bd74ac512f4670836145

SHA512
01d2e684b1b72faf0a3885c95eb89e8046673ad02edc38ca5ce4e9a45617692346dc4fa2d46020f1b333f4df2ea53f8f6c471d28ee9b8885ee7bae286e6c343c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkYw.exe

Filesize
197KB

MD5
105da8210b500f3df3792da7ead440aa

SHA1
c91bf8ed9863abe357c31c5ff9185612f49b4405

SHA256
8888d120e837f07bb345250c449f738595eb40beb0550c0447c9b5de7a7dfe71

SHA512
fd74c515f1aae3d5cd4a1fc5e321277d02979d3662026caf51acdd8c494a584345c6631302b46a7f800f2283eb5fd09385bc808d741911e82ab1bd77c19ea8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\goAk.exe

Filesize
200KB

MD5
7ff8cde4315680af213651adcffc24de

SHA1
f3ecb655bf137b0846a51af6ab7d9ca29f4e8b16

SHA256
a40748ad6d2c6e842bc1b344de031cba8f19d4dbd80cfb3c9facd66adb038923

SHA512
ffc90573017c34e4f414bed69bf535f007ffbe52e1dd7cf3817d925ca6e75debf1ff6596155cb7ffebfe5045ccedc4709c1f799536f9b085ec0546fc72cbe747

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqcEYwYM.bat

Filesize
4B

MD5
8414d2aba1fe758736b6d638ee37005d

SHA1
0ffaeb88ed42432cca8f1affde39158cfe093416

SHA256
fa270415eaccf667a4d51e1998c649c7a5f3c28ff89e27093feac65834881751

SHA512
7b0605e2abfe29ba546cfb59ae657278b5a6576716c736c901d0b27aacd3a59df7a8c0dc5a599aa55c8f914af85715f8e622af7f810d3cc68a1f6a14f345d8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqcUsEQU.bat

Filesize
4B

MD5
9ac8d848d6a440781ecd8c371ed885f5

SHA1
511d18e04b6882aa2b4170545af568adc63658b5

SHA256
5ec2d3c207f83937789ec9d50a19f4bf09f803e388cb93cf6ed951814c32d5f7

SHA512
ebedff8b41a4ecc92af4b8ce7544d2e55b6adc388f58c482a65ed144d633df180bfaf1d1d0ae19bc71b84f91d331d7044d2e2fd455c9b49211aa23d3c85cfbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAgc.exe

Filesize
249KB

MD5
79a8ff620c1dc15bb1d1123cdcb9b133

SHA1
9e29b7786551063481fdff03419c40b314411007

SHA256
ee810ed5a6d0746c400ec32d9f6bbcbb0634d6925082ad9f9026c0a0509cad2e

SHA512
20b63be637a8e3c5b24f1063db6b81cb734f35ec34bb04219fd4e009eb2bce5c5ce9323ee6d3c5ee5c287c0e1a80cf333a1497e080bbd3821647f9391494f24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAsc.exe

Filesize
188KB

MD5
ed93d25c7f3ccab78b1d44f666e1b5e9

SHA1
ca7edf04daa53edec2df5d64e3602479b560e172

SHA256
b620330d2093a9ffd610d88482e36e4db48d39e7e969def27fc162a3916d4eae

SHA512
faf43a588332ae455f5abcd817f9f9b07b445e1de58ff4d0299e81fbe82cf28ef8e6bcddaacb7636c042d74ba8ad6c55010aabd4add47f2e1b47b252bece8604

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIIU.exe

Filesize
250KB

MD5
10da93ccf57ec9b8c2fef264c26290cf

SHA1
95ec69b3c4090cf5fc8b0f69dd6e6ebd864efc5e

SHA256
9fdf31b87d1d3880b13e3a642f5bd9864e1513df5556fa2fd8940cfc53754e9a

SHA512
996383ed112f9b370f484037024690644ed7595a3df4d5f488de8eecb6f452363d082f271b9860dbe6688029aefeb565796c1ee65fc830bf4f007ceb6437718f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIYM.exe

Filesize
247KB

MD5
288918d967f678b30dcf15cdde6c5f11

SHA1
1d47985a52094dd60b30e27a8bb385b7436bf1d3

SHA256
2d80e485fc013a2bb69c627ba376b787078e4405e6be32db1938e74e451daae9

SHA512
589cb0f641841b17dcb500780c1fdcd53b3b7681c708bc225a861771cc7b83dea1729b68ed39004b657598643743762be54f8c646e40fd89ff65f93dee7c058e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMgQ.exe

Filesize
245KB

MD5
aab6b4104e332d15e5a9ac3226af6815

SHA1
dfc555d5374ab6025e46c3a00f8f9120bce914d3

SHA256
bd867c772de676a2efa443593ac16d168c09000013f472d51af2199e887ac36f

SHA512
a466bdfbf946ae20021d83841d9e01e494a5920c40267b608bd2a21efc7b135d006f1fecd98779e40d209ded23e5298551eeead75be7f697ab3d1e583f2fe116

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUQU.exe

Filesize
249KB

MD5
62e9cd89ec2ad43f9e053993a6723aaa

SHA1
b213bf690dfa187fb4e84c5071ea26ff54dae0c2

SHA256
a1215ad26950ea9c9f4af7996df27039c792b1e7bc200bbcf8522e5d947d5554

SHA512
a2077c57d2ed96087d40205fe2e13d6d42431e09df9f9d429d88359b39ba3d7d5d4f78c2dc392aca61db29699b035bdfecee29bdf23b2cd9403519668fff3ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUoS.exe

Filesize
237KB

MD5
a17f0dda272e6c7829652bef53983187

SHA1
c13ab36d1e8034014336974eaa520ffd50eb0f30

SHA256
460f4ae29b054e6ef2bbb9bd673484b9dcfbcd77194adbe36dfc417ea3acf17d

SHA512
856bcac75c762f620995b66672010cd59169d5e8d777c517942e19ae213aeebcbdd779880fa2f30288d0a4495861f6bef941b771748f1920178e6beea9a6e5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYcC.exe

Filesize
229KB

MD5
90f97cf62493a9b49427fe0a1eb7a62c

SHA1
b106dba41a12fd1f07eaf04f0271ede863cf44b7

SHA256
ace23736e7ab0e26b2b665dce68e95ce7a3da74eaf7e83f7b99f2f9b6c22600e

SHA512
c4dac8c4fec4c9573a7e9186dbef0975304ce4db0f90b1b93efea6d972fb9e0ab01fc1efb62eb4b20bf017bf02ca7a1dda5264cd7f17798cfa883ef13e2ca26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikAksUUI.bat

Filesize
4B

MD5
71bdb1b9d5f8664d660c76a894e50606

SHA1
04df07693e5aeb9a0ad6f07935eae26893daba71

SHA256
3c9b3787874ab6773e8e2b3b85b688799a571c114f7080871a9c4c7ba129fde9

SHA512
731ea83ac335f2f8665a4f4917ea1c0fe62d194e198f42f2addc67c0899ec0769cfb609dd841f9c2bdd795dacd2035f11aef247eeb03923bd140429c35dccaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqwcowgA.bat

Filesize
4B

MD5
0a483ea6a617f740f587655bbb673e7b

SHA1
cf71e0a5614743e4847df2a46a0bf27f411b4dd1

SHA256
bec9ee4c02f0755e0ed1a1fbbc4ea9183549531eb3c4f3e8b5fe7dc9a2d8235f

SHA512
2eed398e8b6942b652d0719bd55d0ef4d795629b8c1be8575b8bf9ac0ce65a40344ba5406ff3e210b037d139b5637edebadc7c02b44d03db95c5449c2f106fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\joQYUEwc.bat

Filesize
4B

MD5
bbebbf2a48806165a463a70a34222317

SHA1
aaeb20bb8045cc42f6294761fd482aea04fc437b

SHA256
658030eb78c700e797e1880c4658f7ab195de1601b603016234795733b8aa6bd

SHA512
263030a463f475bb84bd596c1ecf907a336320d6303d78001cc9ebfbe1c640b7d1fbdc8f41afb97cabc3464723968bd708e20b3f8081c9cb27535f3a0d95e3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQsEYQwg.bat

Filesize
4B

MD5
cfedf7a706c59150fa38c6b0c3fd57b8

SHA1
e632adf2dc2fff580b4423b538949b84d94f70b3

SHA256
3b598807a0b11155cafa04bae8b871add42244e2696ee78224b4d51bee5bd1e5

SHA512
b862ddfa2a155e9444eab9df2b425601be152fbd34a12f429827c550bb54c99f32e71280e15d82826ce27a2b130fb87c1de3153e069fea26e4e74dbcc6dbcce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYIk.exe

Filesize
831KB

MD5
30bf64391ded4242111b42a2322ced04

SHA1
6030fdcb6451e5774abd1085a3866cd330e903a2

SHA256
6e227503bbeafa639dc1592e1ca23094882035a30b01cd95f2bd53e81d49771d

SHA512
032f56cb073972b24c770e6745f07ae13b40f30d428da00cf51f6ceca5c34d9a32048cbd21da0e60d6e5a3e4883ac7f44be34cff7f56fe16109d69cf3f35fc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kigYkcMQ.bat

Filesize
4B

MD5
49dbe6703242dcdbd685ecfaa77a21b0

SHA1
a40f382e0dcc8f7039f079c683850f3050650826

SHA256
c94cd0b82d527cc59d825548f6209968e52150dfb4c7a494125d367f715e17e4

SHA512
b99effe9d51ab5e45f9d5a6e0c3f3130cfcacdc25ad56f6ff56900efda2bac52ffd8f6ec538aa21b513ee46dc4224549785a0a7c13b625db6293c0602ee2a494

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkkU.exe

Filesize
241KB

MD5
fea8e7f1f46adce9f2fb4511e53669cd

SHA1
56a6ec15be22341af66fb7a3cb8c8c6e904a3e10

SHA256
165e30dfdc200bb6bf975fd264f32fa73f2c50e8a68d2883ab80f0ec0092456d

SHA512
36d5f35705b6e702e8aa67d93251028d00c9dfa44147327d1db3ec237adecf994d0c77d7f7c353d37734b5dc8bb4c83e95e2d77afa9441149af8d7aa90330d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\kocS.exe

Filesize
218KB

MD5
fde9707ec9799682568bb89f8f41234d

SHA1
bdb0f4e186ce089b0322c5a601799a305352c6e8

SHA256
6cd5801b2c3f1f5b9a7c057ccd11db7fd08a90f506dfbe56efaedcd029027a6d

SHA512
6e60425d92f8a250b1fa60522f31c3b070a20b13e43211065bfb1736f277c303102cf382eccfd3646ca4ba4f2d9fff95a564485c0473c24df675534aa7c3dd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqwwMQwE.bat

Filesize
4B

MD5
482924e0245c42657d64374f9f315504

SHA1
b0105357e81dd6e3f993655146d26528c44924ca

SHA256
f0ae4133dc22bbfd4142ba9f426a8570c186ca4c47d9cd859891d8adf40216e5

SHA512
903c3283f72956f5f28ce1fb81d2799aafd48d4d21d08044f3a6dc1f17a36c7b069dc3b0ba1f28d531f6d2b64a6d66b31db303ae01b4193897d6f682fe326b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\kscw.exe

Filesize
625KB

MD5
7ae8cf460d1e6847e774c3349916c45f

SHA1
9c966f05165438e2a29e5e40ff60cfcde4fd8f80

SHA256
093c262042918ad228db00f61a6f2fdd59a6ef2e4ee414794b2ac7c065339f09

SHA512
f222807107a5dc64f5d8f563093b813101bfa91cd9f54475e78c735cc6c10d0b17732bee3b10724314baddf21694e1c391da02d854083f2bd3a7a96f404cd294

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwoksAoY.bat

Filesize
4B

MD5
6410ddcd7caf67318a4d032e1184c2a0

SHA1
0057adf03401795a25f88231b6afeccf20421c76

SHA256
1f60f69f90127eb474c67f40dbbd9590212351be034fabe16e61236dcd9a861d

SHA512
805bbf461a10d5f092b7fda27194776c201e93f17c76a676f17417abdd729f10220625e84215d7697f1bebe4cc543ff373982742b308e62e0ad3db0b6e7fdb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEgYQQkI.bat

Filesize
4B

MD5
34a0908f8333c40220b413eb2271a2a6

SHA1
f2136ba8f2b05581a9fe99aaecb3c991b08c3959

SHA256
b3f8386ae41e4e3bf4572ce6ad612673b4dd738e4e8054368e2ee53fdefa7543

SHA512
8bbe48aaf39adc17cf80095ff7c3ece60293d0fae21d711181da12138e0af79cd863ee5cdd275d2fc863c393ed9379e88bd3a0b26169855210c2b29039f56463

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIIkEkwk.bat

Filesize
4B

MD5
10cb755518a891bea8aae398e6ce22e9

SHA1
ee3e04b9fefabbda0cca8d09503939189dea6f0a

SHA256
960860e18d21c699070c355030f9b886a50f8bc85606600cd9e11d2d6eb80c28

SHA512
c6cf302d530cdd070f659a62c2ab3ec1b23118d2bda106c17a2fcf780217c2569e79a11275f8278a4ba422c1ee75b6283436ecbfbf7b93c334e7010c049e3851

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIQoUIoA.bat

Filesize
4B

MD5
bf76b8a2c9e55af3c886b7123acca6ae

SHA1
b6902fffb442639baf4f270499b6a6bbfe0583e9

SHA256
93137a7634224a1d92fb0c0c2c08ffd165497a8b7fea3158bb8eda0d84024349

SHA512
093590b626a328ba675a5d83b34e0766c36c0677b9a6dd5b93abae7c36c58cfd74ded50abbe12de9362afc8d4f8cc63424b8f0a9e88c2a7ecfd7c6e6e4ff34f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lugUcYgQ.bat

Filesize
4B

MD5
d2912863b3c619e455c88c0667d5383c

SHA1
2c21e30809862aab64f29caa71f167215aa2e081

SHA256
0e0b21f74d18cc7309fd2a5bd6625517c36ed5e0c03f6eb885d522de24e69d38

SHA512
d9ab82f89c9bcaabcf2e15974ba53ce63ecc94e870969c72cc0ad74633fe5373d2e8343fba97f5f86633ab9cb38e19d850fc24894c985b963d1531743d91f187

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEQc.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIMA.exe

Filesize
234KB

MD5
f847948c3f78c0ac49025c2aaaf3f469

SHA1
1d3ea15dd561b77d6e995a5fd4732ade4dacb1d0

SHA256
dabc7cc494b5aea3c58c54922df71cb872e98bef070ce6fbae9ca9f88a626839

SHA512
8cbe7ba0aec00aed5ebf83ee6a4cda55bbfcab6bb040e4a91eec316cc337a49d8c99e4a15bfa63cfe91880811612ffb6b457d2cfc48c5e6ba46cfbd00a0a0f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIYc.exe

Filesize
229KB

MD5
6277bb2092958efe3f29c097e574f8f6

SHA1
850cc67a555086f6b489bf74a11b534fb64d5f1a

SHA256
676c2dea6b9e852ec4201e565f6a8e539997a330cc5fbd7f68d446b48ce9db9b

SHA512
40a7f80a654a976c89c6517c2b0370b41f80a469be5dd472765d3786162ac35a726d790a93dddaa8cd4c4e811bdbfa3834bfaa76f736160f5aed4baa4b57d02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMYo.exe

Filesize
244KB

MD5
b3ef0edb823c3449c503055fe735bde2

SHA1
be8f3b1598311f19794a7ddad5fc6b957239e713

SHA256
12389f6b00de411fce5092ed97769f7f59d78639070757b1e2a4e1dede1de39a

SHA512
725fef11023fa71ddde39798d060c1345354023c820c3e60d64b0d1f6e209642d23b44a24022ef02231daac2caf2b604e1d0ea78a3f5ef640b54801700bff893

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQwwQUUA.bat

Filesize
4B

MD5
c751e56f75204d124e86630ae46e977d

SHA1
c916b6f413d6840f78021560d7b8e45458782be7

SHA256
e4c35a510386a90563715716c9f47f49e32e2c443fa9a8ab26415526f0202525

SHA512
2dd18c87b5ffc87f5aec19c776ab71b47f86021819f49dc70e63ff588a68825a9dc4d2ffa9aa422e34af3032d2bce7a04907805a2a7d5070cd2b53f5a30f1d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUAY.exe

Filesize
189KB

MD5
3aa378aa9cae1e317a91bf0921f48be7

SHA1
8007efccbfcddc0e50353db4f5cdfca0bdaedf55

SHA256
b5dd5e8872fd835063eef0b30e994c9b02e4a11f8affa47c4860b940c23dce04

SHA512
ff7d9c60b32a46ebd0fd9c2bac7fad7d2ae9c53a7dd1f045992b021d063696f81da46316d9796348396e3693e121021fe1b1e6919ae988999fc19dcd8b2fa581

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYUu.exe

Filesize
250KB

MD5
91ed0f4af5f7924569c4f5c7f51f3ada

SHA1
74b4453df9331205870042411c93e612b7f87dca

SHA256
4bd0d6c6d837cc34235db059c440011b02c3922822146cad248c397588936fd2

SHA512
481b8974f8621e77e36380171eceac273e8c19bd18b6c6e0917932ca1d03fd4666cb8817f2b60004aa4887af51e23463f78d988d20775ff683a5e3bf75c7e24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYky.exe

Filesize
191KB

MD5
6bcfed8aff1a3fd07f0e89c35fbb8d18

SHA1
d93b2fbfcd36eeb37db4f0abd772d308f9662e9a

SHA256
abc828fcaef40a31e40aa707596f94dc85fef6301e90eda4c622f6b61b82f252

SHA512
38e80cf7dd0b00f8853e6125a73fc6d77fe9de0f2ccd910dce7ce363284076a8235128929cf645e5099242bd5ff6292caac5b14f695db0d244522d238553db5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgwk.exe

Filesize
227KB

MD5
83037c0dfb2d4a4c1a019a432e40aa78

SHA1
a938b87be014f81c823cb60af1c179b76bdf4533

SHA256
d9ad7db80e195e0c7e566eb422145eb013f4710cea6ba7a15cd4677a1bcf79b8

SHA512
620932385ffc30f818a563e1a1b292e6beae80aff953fe57ff3181e31de4e0d5dffbd2e36aa1cd35d256f3b6714d87b6b5def16b8375d584fc1dfbbd04efb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmUkMcIc.bat

Filesize
4B

MD5
49f6cd529172c75c234135199a2982ee

SHA1
9268ff564a35aaddd3d9b79dccadb6aaa59f90a9

SHA256
93350c4cb266f5f3588236d1ba6ed22130f47d3ed95503e5fd9cef9594e02e26

SHA512
011dbf7e9b99040f6dc3208f0d3a4d2bb19066d015708f0995c8576cfe8e74bd8b62a46a2a0cc8b703b6bf552bd48e7a61d93825ade1aaf2197932033d3377be

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgskkYo.bat

Filesize
4B

MD5
952bdb3b21aa0086b7008a62509ecf72

SHA1
b3d150e2b3737b46aeefc59614a7459075ef9be2

SHA256
8dc321b9135ee4fbee83a304b911e871f83e7ae84d344bae6f464804f77b2f86

SHA512
e016f51a53c8582c43c3fc432f0dce55685b83989ab490fe23037f976fb7b6fc9d976b0b105ed6c1db6398eaa42abffcb4b97e1dcfc86620ea121d6ec850ee88

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwgq.exe

Filesize
237KB

MD5
b3c420b8215f1e59dfbfc7735567a018

SHA1
4a6beefdd37c8defa36285b1f720387a35948edb

SHA256
0f0f753041dca5ca8ba84c352ff93f5e62528ea06ddb8bfd121fbdfce390632b

SHA512
4adefcd04d12e369939ae1ac34058c8b7effa4ad09e2fb32139dc61b1eabad45d81d200c35f63db33280a132c52613a1670e98666cc5f16f557707badb2eac2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwwA.exe

Filesize
1.2MB

MD5
6edb7be53b5f0907a3489f5b120ebc7c

SHA1
a2569fc7240540da4f6ce0f72fbc9a78d251bc81

SHA256
59c4621e256e991d4b95ca1e1c16a1834b1431fd673b835ba91009818d406aa5

SHA512
d262a3fbb9bad4c8debfc1e88ca7a8310f4227b8ac2244f070a43b6ea1bd604ea1c0b5e8dc7ea3c26208afd25a759bd8d395c1bfba3787f70490266310078c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\noksAgAs.bat

Filesize
4B

MD5
8d6dfbf48b4b1d1449fdae4ba07bd7f6

SHA1
993310883e4c72a593aa5a452772a731025604ff

SHA256
973fa94e6e7619f011bb20fe09d94c0e1e92b560a5fc23e5fb1e97d2766c3eca

SHA512
08a01e72cc121bc6c628f69fabec229b19c91932ec027a7978b0a18fdc6c4729c58dcb0399d93e0116c7c8b4a9d679248b30121b50484f43f8adccd369391d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAYK.exe

Filesize
228KB

MD5
cbd2c3cc67c105870ee5fb927312b403

SHA1
30bf268a083e4342e5914dc1bca0c56f0d71c935

SHA256
2f83fa97232aac2640dff8f3517069219f02809f857b00cfd135d07421162ec0

SHA512
75f51b1e208b21d6c0f437780346d87c746dc76b62855b4ff5980298a1224c088069acd456405cd07903256beec1f1607b528f94d99094651fd6d03656b00958

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMYc.exe

Filesize
241KB

MD5
e8062c2ebd8a56c709de4c3d3bcd9580

SHA1
05ac1c23c814403259ec27de85ff6c89059a8790

SHA256
bfc3aa2b72de9a59fc50a278b8a7f0142e3169d855356fbc5a0cacb26acdcb1f

SHA512
2e749fe4e2751408856ae3567ba74b2163d65d11447c3da6cae117af604fef8601bddb95c202b38e4ff16240b9b7e274836e40ce58656bde9e2367131097797a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUAg.exe

Filesize
231KB

MD5
6cafb8be31384534ebaa33b56d3bfa2d

SHA1
ee0cb45753ee39ffd8f44a9b75abb01d6a5076d5

SHA256
e69f5ae8b7498e152f4ae579ca768f7bff7ee330409d4afe68e7efa5da8671b1

SHA512
3c6d3a1777a40b5adb87f439f5fccdcd8dfce7c4d6fef6ce72a66f7fc678921eb15d33b74e5e8e7eeeef6fc59e8696c24cee678b7f33659bdd3bd05963b89d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\oisEgMQA.bat

Filesize
4B

MD5
88bcae69ae5602998f6338a6dd7f70dd

SHA1
cc16ee7b2b732bdec1ad8b437a334714a8498750

SHA256
12c1827a9f4035ed63956c8287a7737de3573c02e7e36795772812faf684d889

SHA512
831e0c796462d976d9838711743c0820b072fc6897e64b833105474fa16dafd85ffbd0332864e29813613651dc69d097e2e339e090a471afc436a7b50e4e8de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\owIw.exe

Filesize
544KB

MD5
f17f9c77888e56ad45a7b8a4f4e77dad

SHA1
2bbe128853a825c8e8520c718736d6c312ade29b

SHA256
6ec0d1c8ad2d3832567177dbd3f0d9d29b4b8686c94f5606bcdf43efe7eb5510

SHA512
76916671df834915eb406939b0ce601cbb0e87f8eca2d0a8a3fb75490a0f813ec7f1696988e0aeef59a4eedca575d367056e4fbf58afb6fa309af7110bb8c72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCIEMEUU.bat

Filesize
4B

MD5
dc76b145f4b4f43fef7f9ba433e57acf

SHA1
76857436fcbd9e727b58ec9f0fdc87193e530558

SHA256
e0b62b7504b4143634cb95b0f36dd928c8a873069e1e12efed68fa91344e58f2

SHA512
622193c5eb401ed56c012ce90c391b894e078b756b9e33eadad0036779a6d470ad764b24d7adaf956785ea5fbd060950a858c474ce5e1fd7c70478e50993c4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQMQQwAs.bat

Filesize
4B

MD5
101573382e7e674cc5d8421e4a679389

SHA1
cae433907d9a13c1967954e9f31c03428ea24569

SHA256
ed0705e66e09ce19fe7ef46ff3716b497577c7f64f86f50c3074d8e6dc1f5285

SHA512
a288bd15fb567ea3b51642e31c6dc01ee213972b9477b64c20f5add42eebc54b98336952b03a1035d247ee7a7e90b52c5a2c7c135d875c616ebbb1db67f458a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwccYMYw.bat

Filesize
4B

MD5
ed2b6bf0c5efc8583c7f50003ae92103

SHA1
7c731c8cf772db49b724f7488d93beaa9b7e00d7

SHA256
78511a0d7aad84449ffc97f3adb1192d40d91c2f3536fa8530d20a8226b6a74f

SHA512
6ffc4940a91e8bf1f0f7f50ea9e1886d997f1f363ca27edd897b2b4bd3420ae01fe07f1508d09292f372f2644fd20e78e49949d42178db32f54575322984c6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEAe.exe

Filesize
943KB

MD5
36c1d5938d8ee40100c20b59ec45e3ec

SHA1
c68bff5e137198b801b84774c184abee530f0b13

SHA256
6ee1e5e65a01f5bb31fa0aeadf10a4a348b909f00d9a5c39d7650b7d3d126fe6

SHA512
b31c8fe42fc70aa599328acb5133894b825f3e3ea240845d2a14c76bbf35c94f0a98801e41bf2fd4e018d65d7cd6f1d9f08685ec5f97d0dc0ec86f8b9e7f18b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEcK.exe

Filesize
226KB

MD5
127ed47732dbe630d51ad26b5ff63b71

SHA1
d75679604c5cf8f223a6ab83aa4f03fd51b708c3

SHA256
17ab7e4375f133261272fcd8def6b2fe31bc1df28b4db4f38a10609f685857e6

SHA512
48a38d574376046e513962f8fe7c1acf439f6c10004ceae9b273c7f3823cdd11350d80db397e6d444c63e006bd2cd9c75cae6e53822e67e577133958872f1e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEwe.exe

Filesize
653KB

MD5
b8f67c5b02ec760a679cd97e6733fc3d

SHA1
a93b4abb45696403b894e7b39759ad0feda29ab7

SHA256
1b6ccd6a7d1f3a2a39825c6b3a4c94041e57f03fcb18108ecb0f0a865b64c49d

SHA512
1e4e5f26cf21762ea21fe2d2d08d52a6fb3ab6cfe79ec826210cb33b7320b0c2c153b4fa01f5bc4f8e0d6ed88a82c44c42a1a05d8f925a614ae8aa2342a61f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQYEsMMQ.bat

Filesize
4B

MD5
59ea281fbf9201b1983cfd344d83cc8d

SHA1
5b2a81fa7e829ce74625fb239f079ebb1a989d09

SHA256
a606552ba9785f9672fdfa1797564937d5996603ed3070b327270da9031ddcef

SHA512
944baffb784ef941df2317ae1e1188da7e6fe9c72902ecf722227af3a621c3ce145b18fdbd7a77b1e089db5e7d3a380ae6cd9c6547d380f2b068c959c9476e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQcc.exe

Filesize
228KB

MD5
89952b0b2bd679952325c0327ca4d060

SHA1
348d5e0e8a2c021445468a7f0ac0dd19af951f9f

SHA256
bcbace1700013a11df77039aaaa1e865fe4d68d9eed4a086867d914122a7480e

SHA512
d6acffaf7f11a947f09ff9293501e188b7c9d15e265a9109839d001fe1ab05e87695c65ef4ecf26b1c5e12d2faa6ba1935e0e293231334085f7de5b8f72428bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYgc.exe

Filesize
193KB

MD5
9175417bf8da830abcc6a1812a2ea49a

SHA1
df334f4f7e79d0a3f4bdf81ce8f76775ce09016d

SHA256
78df00541c364fac08932e60aad293abfb8520cd0d2672e7f412be132cb56de0

SHA512
6df61902fa59c0ee4ce5764bb651615261b7d79e6d363062c01c20ff94ad271c8171d28c43a7d59cb9c2f04285eb7f0e8ebb3f2585dbcfdd04b9ff059758df92

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcoI.exe

Filesize
725KB

MD5
c4dcfff6ba75fc91e95a42e4ecf8f7d8

SHA1
54ef51727265bb3d2932d994f52cd52686665a72

SHA256
c27f42f844022279c0742bd4e176e4143f93309213548723add0993d3a91b0a0

SHA512
a5dc510afe13910ecda912553c7c43e6bf94ac85af6356c397d28085d00c2cc3af0798e73d44e5a522fc9dcf94297c9a0a124373e7e2101c73ed985fa4102ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwIY.exe

Filesize
247KB

MD5
54dbdf7615158232f121696f076efdc7

SHA1
8685e051f798189b9f2ab3f7168e8c1403a3e921

SHA256
434f6d0ee15ce8f60749e723ee5d862b42aa98306f4155da508d706f3909fee0

SHA512
d2ffcfc0a97f71d6181d43fa528a6b57ac82bcee948f7d2ff21ffdba2c785a6a14372d058a6c526410850d96a2d9ca9bbf407e5f1bc0766621157d4602c9a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmkwEkEc.bat

Filesize
4B

MD5
3ce037b4737c4ac73bdeb2c33aefc97c

SHA1
11b4447080878767378099a0f79c323a38ae9a69

SHA256
6d063cb77565fc6e7b3ea0fa3cdafaddbc783e2ae7dfa65165b965671b531be8

SHA512
3d7cd983497ef74163e5737853f0aa4b69f4a56a94d6bc7ef59d5d636e5edb989817ca1f433b90cc3bc43699fc8777a379c10ffef532975e10dc0eaf1b3add79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruQEwggU.bat

Filesize
4B

MD5
f4ee0a7071ef2c1adec3e9d70edadf3c

SHA1
642a2870ec88b577154f57ce5b369d1251d49907

SHA256
c0957c37ab0b4497f90727dbb2950678073afac3b66f096ecdd595fc91370796

SHA512
2be0a9c97115a4fbf750cfd5f193b8f0f3a98911e16d8ffdfe18004aad3576ed5b3a4026b6f59bce16928c2e87aa5a9aa81b249c43f136bd288eca58ad023dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIoS.exe

Filesize
212KB

MD5
ddc7b5051e04fa8965989cc200e97508

SHA1
db9165e276033bf28d772bc618a1fe3c22c594cf

SHA256
dd09eb8fe872fc1f28cc83f4ba398135fc37747f152a5adc4c40fc26f2c0897c

SHA512
13930843aedf307224012ad3b4755104eee040b26a15090a60fa07fcab9bdaaa74d2be502d7d9a2f44c810fafb8e2246826a86d550fd3e575df6ebef57fc6b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMkYsEwI.bat

Filesize
4B

MD5
31380a733e91f2d1595d82e3f81319de

SHA1
624d73298e1bbcde5ea6495607260f4f8acdcc2a

SHA256
91b06641078909d2aa2817e4fcf5922da7d4c8a62bccc702c2c88bcac47a84ef

SHA512
75e302e217681da0a223fcda476bac4765a647554997a02f5ca82d80c6e3f419454d62efd3e08fe9ed5882fb2f705dc633a07fe8d9525b1e98504e1a6ea9d9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUEa.exe

Filesize
636KB

MD5
a1d294d60cbf7a2c505e48c51a68fc03

SHA1
6ac59e5efdb326a5b116c5422b3e90a415c17a19

SHA256
30fbff0d2db196b4979742386006753e5fd07f1ed7b3694875b6f1ab7628a0e2

SHA512
b2e66d54fbf190715f50178d43c191aa6aa138006b4a5e2c55a5f946381556dbf7fd38d8da2596c7cbd26bb3778ef8854a415739035c85f53a3e339fc530f82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\skcAwIUE.bat

Filesize
4B

MD5
f9c820be6e1c79ac97ac9b399795829d

SHA1
7c9a6e19d2f62aa8a2175a3409fd33f3bbee9378

SHA256
e34df3319f9cd6dcfa2b09e4fe63347f58bda9f1b5519d974bc22daea67aa0d7

SHA512
95234746fc0fe84e9a21bc2880c33ddda3bca97b52fad521f12bdaa66f8657e9d41e3d774f684f21435cde28356f134be1b7654cf03e28d8827af6bfe40f62df

Download Submit
C:\Users\Admin\AppData\Local\Temp\smAAUkAY.bat

Filesize
4B

MD5
2b3b70b8babd5a5a973c029d9da95084

SHA1
216d43a2b6d6860d604258c4752887a029923e0d

SHA256
1ee24d465ede6d5f61e65104162dd7c20a5339b51abe06191144feeae9efaa6c

SHA512
10bf2e76c291bfb0e9d5452e5c1fcd084bb9feffba2ccbd764defedde4f3b1d5d2f6d1736dde63e07a0dba806c31c63d1d96608e859b2e0253bbd9ec64c742ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssUY.exe

Filesize
231KB

MD5
6860b2c4804da0ede76578f2528e9844

SHA1
4d4101fb5f84c64858ba4ed84b491defaa0be56b

SHA256
f4a0080e5b2cab196139cbfbab1d9521aa2980c1da0ad5c366fd0aed41a97126

SHA512
cff49b2dcb8e5e3eac8c6f6fb1f18a463d3f40d32b4d8d1cfad0acc182e340541f88e4ee79998efe83536bdc0ba11dfbbb23176ea4681cf516d486ee7abf6261

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQgcEUws.bat

Filesize
4B

MD5
6d2ffa5cc6891c3f5e063c5c3872d910

SHA1
91500e0429b5044ceef3d6caad0ab139aa92dd18

SHA256
3a6b337c29c832076e7d0352febe99d6a0d774aac65f79654d8dc64db1fb095b

SHA512
8583e8bb26d8b9e8221edaf68103df19ca5ff86362657ec69fc12732289c99380aae2991ff69f24032a7da239b6296521ce9a17bf5dd8c3486129bd4f2296a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWEgAkAA.bat

Filesize
4B

MD5
ab24457bc7537b1e14c4c618dc6e3774

SHA1
104edc69e18ecee1f494f26b278dabd9ac91130c

SHA256
f142adbad86b2bb0bbf637d19e92c19a0067da686f5d701fe42f25694aab1017

SHA512
b1404c95d4621a9bd065695e609dc67d1946ceacf029e7262ed4666b3b38afb9dbc96e27e848c17863be95eec8530f091379dc46411b2b714cf2f76916e4f3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYIIsUkw.bat

Filesize
4B

MD5
2989004fb947dea374a05b0f954c0cfc

SHA1
867e58c6c49092464ee8b6b98bb91113b6722a63

SHA256
fe53a98ad6b690a777a266e49da38bd05777d3665a1f94ee313caed7860ea691

SHA512
5787f47ed456db964ba892bc951decf2e1427a18aa4e4155adac063945f929806a1adabbf98c30a8bb7c5692731bbc90944168496bd6d3540c7c796fed0bbd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\taMgoMgc.bat

Filesize
4B

MD5
aade23e12a54adfdf168c4a655dace87

SHA1
e67319c8581d264bc14072f1de007eba7b65c257

SHA256
4531565c4b7bd638c7c802cc3eae1be413a4cca11990aa6687184eaa62084f8b

SHA512
90c0fb60e41e31399282b64e60733ada76d25460cee0d8c7475899d5b407b5ea15428d16b9736fb2d9c63bace824f8f26ed757b5702c09c0159226d6429d4fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAso.exe

Filesize
566KB

MD5
b262a00c9456f217252721a0d8488180

SHA1
ce8e5ec3307f5f323030042c00d0a8f4dc0d0472

SHA256
4dc3f05ac637c4e66604b955ca6d277ef53e69ed96f8302d5dd5c100190c3dbd

SHA512
39363fb6529c73931b21a4e18735189154407050604882e964774f9a2d5d5bcc861780c47f378290f66d2c4711896841d07c4b53243f06c8ff4de03a3ff27444

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAsw.exe

Filesize
217KB

MD5
c4900f7e9a3fce1feebafe04e0831202

SHA1
78047be060acca1377f540b0ee6ba26715dfaa7a

SHA256
b027f5a6ed785763639183681417cc7388d850c466482f7323bb7674529390e6

SHA512
dc3d18d45b31b121eeb471c15ac3cdd350b10572980e87776a9a4f02998ff4327c903019670153fd8677e8926803da291579640685d3709b5f0643f3cafbc821

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAww.exe

Filesize
231KB

MD5
9394c1035b2331210ec4f939b8e6ea0c

SHA1
addc9a90a373993caad8eb6d959886d7379e1b82

SHA256
16cd608d845272655f4fd74b92a0e6e105b8ef8f714634063cef1999bd6f9d9f

SHA512
3a0be95dc3734421f73f2c938d5dd29ca46be2b2aa120929f5f4cf833af215c69f999eddb1868919755851388fbf3f630090167c81024464d0c47bca0ebd00ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMgi.exe

Filesize
230KB

MD5
54ab1fd4e6837e4b78f5e9a3d171d510

SHA1
1f503598043ca4f3de206bb02422bed638994604

SHA256
68bd04f0d8a586fff1f61c27e9a7cd2982029e9e9279f3817f0edb9f69eb5cce

SHA512
0372f94bba902b1d8363a0a429ceab5810e6c2d525a6a3e837bfe625053acc85d93110adc56d1dfa281d89d6b50e0343927efe367edb29b80953687cf8e8a201

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSkAYkwE.bat

Filesize
4B

MD5
0930af1f282c42d310e0c4556672338b

SHA1
f7653d4c54637777706c2693e5941b82daf3f4d0

SHA256
7a6c4723999816643994755cf96ee976a7be8c3ea8571e0de0ae9315a704346c

SHA512
64f1dd8cf128907391494095bc2d4d37a41d50bfde4d16b3d20f846b2aaa8b9c574c3b03bc26f0443d36f018d8d37eabeb3e07522ff7437340ced4d0546884b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYkE.exe

Filesize
197KB

MD5
18d6b75cc82a5613e4a66649e77a773e

SHA1
7cc70c571073ae0d7415590c21ce9c582c0c5844

SHA256
15c360e61582cadfb46c928408bfa4d97f9e040b92141f5f25e87887c723dc0a

SHA512
50b6f277c4543316247ec244282c88618dd632cd00ed6d5f2e99b2c35c27e4c5116258fe5a144302360173ca9c5f655c165670da7729160bd9806241fbf635ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugEG.exe

Filesize
222KB

MD5
411983e98e3234ef90027add0b602e92

SHA1
77612729e1aae2356e27ea4cf18633d3b6205e69

SHA256
4fd966e01a2784d2b4cbb483fe9221f73248327bcdc295fd046296bf847382a7

SHA512
842f77311433593b4f972f47d06d489a1b61ee963f493be06a8905eaa79e1f6f3f416093ff76538006d961d29924b18025fc3b2167bbc137a7c88b094b529343

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugcMgwYU.bat

Filesize
4B

MD5
8828c79b360ada6638e9109d2a527032

SHA1
c876def1c105ff2969bf2a790373eb7c5750f93c

SHA256
814228baa31690b5a6be51460834368ff8963e7e2a64430a3e4e747d01007ce7

SHA512
5ed022c0466e483af403a54a949e56328be08b981ab2fca2155ff11fe235944829706366fcc9a517446d2d22dfb92b2215265ffbfa6b50e66f99bfa681b88892

Download Submit
C:\Users\Admin\AppData\Local\Temp\usAYgcgU.bat

Filesize
4B

MD5
0df9a523a4cab03079e3f795d5994b68

SHA1
4db9393b9b076da1523211b5914dc3bdd8c120fe

SHA256
bbaee103a085690eb1e4f38dc9ff8d8d21344b24893937bb30f98079a467155d

SHA512
06d1ea088d29dd2aec72d6f667d9b1cdad514c35ec2c18ad50de4fb903bffdc4043a039fb55cfb8f727e456e1cef87c928165ba3d8689df83752a106e44602f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\usMe.exe

Filesize
231KB

MD5
dfcc3de9e1de0c487905398f384958c3

SHA1
a95a48c06f274c06c5bb312961abe571a03b9bd7

SHA256
c4ff8e7577e5553f8c4deeeacd4ed1dd1535ecb5c67f8fe5fba9321d35a907e7

SHA512
4866dfc651a1353b2cdfe07af3fbf9b9abc1dd06b638a973f5379e2422466a8df7667b813208d12ad2d83c64d66a3441b59790598c68a2de3af0fd62d86879a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\usQi.exe

Filesize
185KB

MD5
b07c29f538b9dd7e3872152349cda8ee

SHA1
a52e414e7320293a946e419f0a799dc050be6d8c

SHA256
045e2035b45b2cf30732a9724882b19a60f8946820dbde729e7fd0eb9f8817c8

SHA512
70c9474774d7a3db826a37ab890d20d2d97f79ca52a83510df1d51bab3d094a5c1614d0bebe73016210c8cd294d3c118bb68f17bf9ac82a1c8f5a8ca2a29ed6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCsoEYUU.bat

Filesize
4B

MD5
b96475ef81d8109532d1c417cc50ad12

SHA1
9362764be6471f717de35c33c5df1b618df38d67

SHA256
3832267ee1d572aec36a701f6e5f2f66818a238ff372908bf439689e33bc5b80

SHA512
57f597d42aef6fc48d52f22fc1d0f47967dbc7707d4eca0987b7f2bea0494c19fd84c04c844667aa171b7c3cf6c2cb78ce9977c48404cbd3b2036d6a5f2d3f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGEIssEg.bat

Filesize
4B

MD5
b05da2830097cfaa92c5b2299e3e00b1

SHA1
c7207983ffb4062b77e1799d037791a588561a5c

SHA256
b5fa868e4499be4f39b20b6207874a4ecf90afca01a56cf0dd3bbf5f6b9556d5

SHA512
75f74f498d12ff61029a9e7469ccc95ff9c76d3e21a48b4af4a27490603eed7f2cf8187215be46c549011127647f68b13ecf1e49706d816ac18958b396dd6529

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAsa.exe

Filesize
192KB

MD5
32e7f040f98e6b1300db8b275ea71e4f

SHA1
a1c0c370368657d4fba171b97363ac9033a95259

SHA256
af510b9da99b9a61a40a878fd9929ccdc506e22fff5a409c3a9cb66b8231b2b0

SHA512
a32ef8746469350ff5f5540645c7acb21c51dbb284d003a9e79110d9ce1bf958b3e08d8d7a09b069ccde956c78154efd8d5d2bf53863558aab30b42fdb4708db

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEkYEowk.bat

Filesize
4B

MD5
440e4ccca0f0fad1d76e1b4e2812293b

SHA1
37031f85ea28e4b5190db082073b1c273ab54743

SHA256
c049d9ba9fab52280710323cd25a6050fd59e75b8c058f64ccc33611ff4ef702

SHA512
42806f005efbf67c0470f9627527458fe79df9020900e707de58f41e2ae5eb32af070f79d1b0ac01fb7f1c3c6907103a9eaa400b2ba31608368af444b496d0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYUkgsgY.bat

Filesize
4B

MD5
29f958bbfc139a3f9223d8c8e20f3aac

SHA1
9efcddc4a846e835bca5bcf449847460aa40038e

SHA256
746ec78a82ed5367946917dfe4812b65d2970d2c00955cc3d65a271e855ecbf9

SHA512
ee0787612ad0f789c67c08380ceaa09e1bc0de7efbb77ea23f304362e48f14d878d0fb8412f0259f86693420c47299f092508f4fa9817c7241769b7959c92b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqwMgMIE.bat

Filesize
4B

MD5
d107d7839ea050c21e0a9651c3f98506

SHA1
85e96314fd283b7f95c4c5457c4a902016bbfca2

SHA256
db1c2d8dc2086311b13d9b7d4b3f7efa1ceb7d4d427272f708d5fe9b11ba6b7d

SHA512
6fb31ee546b7108d7ab3d378823ab0f8b4cfbeff04ba5cc0f5c5ab770f03af4da7786e93bc98acf803decbccdf73826a4a7d756cb5c14a95b0273567b46b3b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsse.exe

Filesize
235KB

MD5
11508d1166b2468f7caa18ff4e007054

SHA1
c05a714a32ca0041aa030c6352a51254c18bea4f

SHA256
e346022674072d6d8860142a7bb19894dcfbef1c12ac59ab115dab9bc2bcdd44

SHA512
6a92edcfa0908fb8322f18f179539014c3e663e8654736e3977a0ba4faab7b11d565b1f0bf7f29855c84fc8e96627d4550751d4aaeeef4405990bb84784cf211

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuAAMsAY.bat

Filesize
4B

MD5
708ca067249d8071841bb2c8c930292b

SHA1
ff2fd8f656d99807fb52c6a274b5550239be245d

SHA256
b6afc6bbbaf5daa22cf0b7f0b3670a6b3e8f0a3c4f1b44def9b0cf939083fb94

SHA512
e092917a1114b139ececd61fa8c3593dba56cdca6cabb30e1e6d28577fa0ddc2454642f8c6c7bc09d5520c63eea9924d00c28ca24ca32bb4c49c51c59a3e36c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwEg.exe

Filesize
233KB

MD5
e48eb655a605ccfa58127e010c7734f1

SHA1
cb91e202c8e3aaefb76129001611f6b5e16c9294

SHA256
641a17c7c0f1e1b325d7285a51eb2524d53af6afd223f952100979a516abdd29

SHA512
ca1f19923dd0ddff1d9fca6811e25b236adbc8304e56aada01bbeaf9b1c2588add559b005af870071035788d0e5ea032ac2e410cc70a385f736ee2ba19647d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwMs.exe

Filesize
244KB

MD5
44837594762c4839178f55da15697ece

SHA1
4ef1df6c92eaec6ee85d82a9a6c87da597813804

SHA256
f4114d8fa0fddcc4bbe12a8752d9da546a23afdb9172ed83d6fc139824902d7b

SHA512
a9470dbc826dc30296a30c338638c85aa18be6c550c105b5f777f85329985ff29027001b863140ef474bc84250b148241b963e3b71761ac672cd58e2b3d40d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\wysIkEIk.bat

Filesize
4B

MD5
ed60671642fb9e0aa3406cd05273813d

SHA1
2020f7474767ebe378b8fae3b1da5a7afa97133e

SHA256
bfad4d15202283f236e9b4fcda02e7f20c0c65f75be3e5d12f78527b63533a84

SHA512
bb6dba695a30bae274b59eed3cccdc5138183f685fb78a7b5a52adff2080689070409acda8bdb02fe742d3bd5269a6d6f8d1947b0f563389e25c4135b5ee2367

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwYwgYMQ.bat

Filesize
4B

MD5
a3b42e9994f41fd353846d667029aafa

SHA1
53d7ea7131e05ec2540274577b9da912545f7019

SHA256
5fd65c4c36a0fb5e9fb1ee514434bf384df37d2aacb1c082e5b76237d05ba7ad

SHA512
00afe46b25c6db763ca6197056eed33f68cb8f0a7472891888be5fb9e8ab0a8054ad2e8868f1e8a29a8c583572a022b4ca8e8b564bd39c1d0044138ac1703219

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEsYAUAY.bat

Filesize
4B

MD5
fc286ec71672c3ca1b1fdbafe6c57fa8

SHA1
ec1723427f4bd1fbdb4c1638765e970a24316ab1

SHA256
f3b4e86e268f2f0b13ecc4f746e7e666615f8ee5fedcef77f8843b9638b22939

SHA512
71ffbc87c42ae155be3b2adfe4b5eb0a16ee72d555d3b1cd53465f759ffcc2822cdd827a2b1e05e324c257747191c99fe10029db1fd566440e7cdf094b182cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMUI.exe

Filesize
197KB

MD5
754abedfe2ac2e226f4760dfd43dc6a9

SHA1
57ad0f1f5776c5a1c96ab583fa985f4a4be7524a

SHA256
b1ff94a52cc6ba862a7e3dd063a70f5545d547a7e11295f54cd510d4c3908914

SHA512
bf7511034cdb3181baea4b8df9d24251beaaa7e35c5f916c76f5fe4e79f0be83cadacb05728f9b4aa1ea81ca068c6c8705aff9fb91e480e614a9b6a35b508937

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMYm.exe

Filesize
188KB

MD5
c20673c9e61b20d17a3abefc9c7a9a2e

SHA1
70e6315a78fe24202b1191b6b8b1993fa01fa125

SHA256
b4c6f442fa15848423999a7c787d551c1ed81dc5cdb3c6c889a3a7b6c40d2246

SHA512
205c38e8ead8273ecb41e5cdde1de9f4bd9b78b150d3fde11a6bcaeeea386bfc9acea3c0ab19e292ff0b31e84b1762ef674097dd3a8579bfe57508ae22211cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQUM.exe

Filesize
839KB

MD5
38239f62b661d8eab6fa45e8ddd24256

SHA1
1457d09b9511101f1be84777588e57e2a1571529

SHA256
7923c25685301a1da5fbb105f801b5d62690e521feab4127d2e3712cfe50b3b6

SHA512
233a264bf5411b8b6408e47b0c9e760e9b7ed867a1765d0b5984195e8498e4da554f33b6b98e77b2c4ce110a142ed50910d466f1ae4939c5e06e26406a2e16aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUIQ.exe

Filesize
240KB

MD5
202c04cd6f5d18541025e3fe98896d9e

SHA1
a9c2049d4387e4a955b8c0ea6d53c98c83bf9a57

SHA256
f3c55726779adbe2b9d695bc53d22a3130e243b8ff68c2adcbe60d98f99d7ede

SHA512
b578d1bef081a53309eb45ce594637d86a631e5168ded95900995529744b917950de9376cdd6466c4cfe97f73e70c0f1c2beea8f4fb7f96bd1f003e2713fbdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycQgcUkY.bat

Filesize
4B

MD5
c09c7e6fd8c433a0b4f827d7295c420e

SHA1
f56da8e5c98139d957ceffbba3eac0f52ec24afc

SHA256
d4c6d6dabd81fa4cc6004ac0d20140d2eb422ecd8a4dd8c3fb30dfdd6cdeb7a7

SHA512
4d61a426a2fe2d0b8a65ca318862c985c8e672c95e72e2659e30fad723247b25069284d2021bb0ec28bd003c146a0b90ba0fe7e723727f2d15db5e6a012c02b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yusYIgcE.bat

Filesize
4B

MD5
9a59a97f756cd82f0e937320de068873

SHA1
8675eb5952d0f96c3dde95c77501abd405899846

SHA256
252df2cd26cf92a7aae3965cec5b246f64023377524b393f810c0bec94e973de

SHA512
13a780b36e9220c5fec738e53e98a12669d615aa29a77026435629bf211bba771678872d167466b7a5f412e34f25cbc9b1c2f3aeb727c9438b1a69bf522fd98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywEA.exe

Filesize
222KB

MD5
1185e0004ca95c93a1d612d02863214e

SHA1
5b3bb5b59842816ecc61f1068a4f42c44ab22868

SHA256
53c02cd008b3ba5f3ee87c23477f6d800b1904ef5e61b594948dc02ce0db98c0

SHA512
da833d08b0589fc0c82d3ffe5f040aad35b84617d15ba4db4f1eed7d36afc5a4a8e2f2a1612460893b6a7244fcb0ab6406153c3fdafd7931aa402c046e0a7a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywIK.exe

Filesize
249KB

MD5
fd82a94f882f10297bff42c575cf4a36

SHA1
d099da2819661e7438fd29501c635bec2ec2727d

SHA256
da0eddfdf7716cb91833907e042563705d3f66ea15858a445b38f81c209e21ff

SHA512
dc55c3838803fc2dee33a5f3c44c33aba7c043c83bea6a9e84c71f9146d77908ccc2431fb69a4a7e631958daaf50abd6b93f73c8c28e6f9e7f2f030fdc79abfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIcEsAUQ.bat

Filesize
4B

MD5
d44c7a64c760648cbbea6601b36d73e2

SHA1
16d1e2809849806ba1fa6a8502a0abc7dd5257e1

SHA256
79f0edfc5d37a3b82bdb99ced53bfa7ce5d39d0845cf8eecf235bfefb8c23987

SHA512
b1edbe3c2667bfba689882168112a3086b150c6c307b9425807b9fe22e3f799e1f304793dff7f6f8da39f0ef4ff78f9d7a9a3bbc9b1c9edcd4baa6f7d645fd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOkgUUcg.bat

Filesize
4B

MD5
1095c68b0f45d79f8ebd78183f596473

SHA1
32deaa9e4a1ef415340f76de1d932a497713807d

SHA256
87c2e006d028a04e0e50db768de11ca5a66b7875c92581b7b6862c2f8fdaf779

SHA512
61a24bed533e2e1da77bac3b3fbedc868bb27c20dcc1f1ae254e9b89fb3bc04ba72a13c9a329fbcc6e4073019e40e9152f18e1c832e4a9d8fa2abc18eb211ace

Download Submit
\ProgramData\XMEQoIQs\PWgkEYYY.exe

Filesize
182KB

MD5
d0663b98b960f7803c15e600f3707e56

SHA1
02303487fe847b6f6b3e32041beac672a8fd94a6

SHA256
9ca43eaeab081791f9e39375ae0ee46bc147585939590a7799e9d1311a6baff5

SHA512
6c7cf4dae1b4485b92e6a0f310c9e38d3dc7783cb0077164e8537ad41474c497565a017f54edba028276a4de5eef0bae49b3110ca75fa410edf27096e3317a33

Download Submit
\Users\Admin\lAwUUQco\SUIEcMEI.exe

Filesize
192KB

MD5
6df84fdab369c1101c4c3e1ad42737a2

SHA1
2afd564743a68815c05ecc4a73dd373526998ea2

SHA256
d07051a0446ae5712bace16596390524fd51fb01db12c22cd98b97d454168230

SHA512
a0e57ec16f0091fafc21d570bff1109b3ca3738b96c912813fa8e546316a6283effd6e252847c800c8265bf2a8dc5275dd90608547dad98409702abcf05f21ef

Download Submit
memory/112-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/484-776-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-79-0x0000000000160000-0x0000000000194000-memory.dmp

Filesize
208KB

Download
memory/576-486-0x00000000001D0000-0x0000000000204000-memory.dmp

Filesize
208KB

Download
memory/604-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-464-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/676-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-633-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-605-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-727-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-748-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-739-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/1000-871-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-614-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-170-0x0000000000160000-0x0000000000194000-memory.dmp

Filesize
208KB

Download
memory/1356-171-0x0000000000160000-0x0000000000194000-memory.dmp

Filesize
208KB

Download
memory/1416-564-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1440-101-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1544-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-679-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-706-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-624-0x0000000000180000-0x00000000001B4000-memory.dmp

Filesize
208KB

Download
memory/1748-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-834-0x0000000000210000-0x0000000000244000-memory.dmp

Filesize
208KB

Download
memory/1952-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-861-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-147-0x00000000001A0000-0x00000000001D4000-memory.dmp

Filesize
208KB

Download
memory/2044-722-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/2064-123-0x0000000000200000-0x0000000000234000-memory.dmp

Filesize
208KB

Download
memory/2072-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-585-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2092-824-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-583-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2120-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2132-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-420-0x0000000002260000-0x0000000002294000-memory.dmp

Filesize
208KB

Download
memory/2204-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-815-0x0000000002230000-0x0000000002264000-memory.dmp

Filesize
208KB

Download
memory/2212-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-843-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-13-0x0000000001C90000-0x0000000001CC1000-memory.dmp

Filesize
196KB

Download
memory/2268-12-0x0000000001C90000-0x0000000001CC1000-memory.dmp

Filesize
196KB

Download
memory/2268-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-30-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/2268-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-195-0x0000000000110000-0x0000000000144000-memory.dmp

Filesize
208KB

Download
memory/2272-194-0x0000000000110000-0x0000000000144000-memory.dmp

Filesize
208KB

Download
memory/2284-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-543-0x00000000001E0000-0x0000000000214000-memory.dmp

Filesize
208KB

Download
memory/2404-880-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-351-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/2428-645-0x0000000000110000-0x0000000000144000-memory.dmp

Filesize
208KB

Download
memory/2472-505-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2524-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-688-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-901-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-373-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/2628-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-803-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-584-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-524-0x0000000002240000-0x0000000002274000-memory.dmp

Filesize
208KB

Download
memory/2752-655-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-42-0x00000000001F0000-0x0000000000224000-memory.dmp

Filesize
208KB

Download
memory/2780-442-0x0000000002290000-0x00000000022C4000-memory.dmp

Filesize
208KB

Download
memory/2780-43-0x00000000001F0000-0x0000000000224000-memory.dmp

Filesize
208KB

Download
memory/2816-217-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2860-329-0x00000000001A0000-0x00000000001D4000-memory.dmp

Filesize
208KB

Download
memory/2916-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-766-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-911-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/2956-912-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/2964-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-785-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-707-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-726-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-678-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/3068-892-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download