Analysis
max time kernel: 150s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-10-2024 02:30
Static task
static1
Behavioral task
behavioral1
Sample
54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target: 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
Size: 193KB
MD5: 54fcde8c178f2f1ccb6e2035ad93c4a0
SHA1: ffaff8395397e06e0e17a2ed830738e665286923
SHA256: 61590230942f18b7af4dde5e14ca1b4794f852b13c4c1b3c653f780b2aa3d966
SHA512: 7cc2e46e0b801bd3bc17fdf8001b0a8da9ae7984d8fe5135e75840b719850af4f2f5a9f6e45839a22e0c80525d401345a7fa7eb0d78a9f7fdabd29c038aa5c8d
SSDEEP: 3072:HCjaEb7wZjRPiD2SdTXAWWIkKEPkR4xBqxVUtkO0ZdDa77/nHi9Cq/cd:HCOEbUZjRER1kvPkKFeDZdYaCq/cd
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes:
reg.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
-
Processes:
reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
-
Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
pAQgQQgU.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | pAQgQQgU.exe
-
Executes dropped EXE 2 IoCs
Processes:
pAQgQQgU.exe, KeQMowMs.exe
pid | process
4228 | pAQgQQgU.exe
2396 | KeQMowMs.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe, pAQgQQgU.exe, KeQMowMs.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KeQMowMs.exe = "C:\\ProgramData\\NcYMskEE\\KeQMowMs.exe" | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pAQgQQgU.exe = "C:\\Users\\Admin\\fOIgMYgk\\pAQgQQgU.exe" | pAQgQQgU.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KeQMowMs.exe = "C:\\ProgramData\\NcYMskEE\\KeQMowMs.exe" | KeQMowMs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EqIcsAoM.exe = "C:\\Users\\Admin\\sGkYkgcw\\EqIcsAoM.exe" | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lawQAkkM.exe = "C:\\ProgramData\\XOYIggoU\\lawQAkkM.exe" | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pAQgQQgU.exe = "C:\\Users\\Admin\\fOIgMYgk\\pAQgQQgU.exe" | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
4004 | 540 | WerFault.exe | EqIcsAoM.exe
3840 | 5068 | WerFault.exe | lawQAkkM.exe
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
reg.exe, cscript.exe, cmd.exe, 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe, lawQAkkM.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lawQAkkM.exe
-
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
pid | process
560 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
1428 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
1188 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
2384 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
3256 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
4260 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
1236 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
5096 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
1528 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
3788 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
4176 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
3908 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
2760 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
4208 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
1028 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
2720 | 54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pAQgQQgU.exe
pid process
4228 pAQgQQgU.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pAQgQQgU.exe
pid process
4228 pAQgQQgU.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe"C:\Users\Admin\fOIgMYgk\pAQgQQgU.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4228 -
C:\ProgramData\NcYMskEE\KeQMowMs.exe"C:\ProgramData\NcYMskEE\KeQMowMs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"2⤵
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes1183⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"4⤵
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes1185⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes1187⤵
- Suspicious behavior: EnumeratesProcesses
PID:2384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"8⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes1189⤵
- Suspicious behavior: EnumeratesProcesses
PID:3256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"10⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11811⤵
- Suspicious behavior: EnumeratesProcesses
PID:4260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"12⤵PID:708
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11813⤵
- Suspicious behavior: EnumeratesProcesses
PID:1236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"14⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11815⤵
- Suspicious behavior: EnumeratesProcesses
PID:5096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"16⤵PID:2796
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11817⤵
- Suspicious behavior: EnumeratesProcesses
PID:1528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"18⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11819⤵
- Suspicious behavior: EnumeratesProcesses
PID:3788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"20⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11821⤵
- Suspicious behavior: EnumeratesProcesses
PID:4176 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"22⤵
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11823⤵
- Suspicious behavior: EnumeratesProcesses
PID:3908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"24⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11825⤵
- Suspicious behavior: EnumeratesProcesses
PID:2760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"26⤵PID:4900
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11827⤵
- Suspicious behavior: EnumeratesProcesses
PID:4208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"28⤵
- System Location Discovery: System Language Discovery
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11829⤵
- Suspicious behavior: EnumeratesProcesses
PID:1028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"30⤵
- System Location Discovery: System Language Discovery
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11831⤵
- Suspicious behavior: EnumeratesProcesses
PID:2720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"32⤵PID:3532
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11833⤵PID:1948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"34⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11835⤵PID:2760
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"36⤵PID:3872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV137⤵PID:872
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11837⤵PID:3536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"38⤵PID:3224
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11839⤵PID:4724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"40⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11841⤵PID:1964
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"42⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11843⤵PID:4040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"44⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11845⤵
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"46⤵PID:924
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11847⤵PID:3724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"48⤵PID:780
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11849⤵PID:4528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"50⤵PID:3224
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11851⤵PID:3184
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"52⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11853⤵PID:3292
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"54⤵PID:3116
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11855⤵PID:4960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"56⤵PID:1476
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11857⤵PID:4172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"58⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11859⤵PID:1600
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"60⤵PID:636
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11861⤵PID:2720
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"62⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11863⤵PID:2636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"64⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11865⤵PID:4540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"66⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11867⤵PID:4248
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"68⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11869⤵PID:5116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"70⤵PID:4168
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11871⤵PID:4044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"72⤵PID:2856
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11873⤵PID:208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"74⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11875⤵PID:4456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"76⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11877⤵PID:4172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"78⤵
- System Location Discovery: System Language Discovery
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11879⤵PID:3172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"80⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11881⤵PID:2348
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"82⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11883⤵PID:832
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"84⤵
- System Location Discovery: System Language Discovery
PID:1832 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11885⤵PID:4712
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"86⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11887⤵PID:396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"88⤵PID:5056
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11889⤵PID:3860
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"90⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11891⤵PID:2020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"92⤵PID:1572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV193⤵PID:552
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11893⤵PID:208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"94⤵PID:2292
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV195⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11895⤵PID:4292
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"96⤵PID:3172
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11897⤵PID:4564
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"98⤵PID:4004
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV199⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes11899⤵PID:2640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"100⤵
- System Location Discovery: System Language Discovery
PID:400 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118101⤵PID:3664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"102⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118103⤵PID:512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"104⤵PID:4156
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵PID:1116
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118105⤵PID:3640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"106⤵PID:824
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118107⤵PID:4640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"108⤵PID:4800
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1109⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118109⤵PID:1380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"110⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118111⤵PID:440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"112⤵
- System Location Discovery: System Language Discovery
PID:3980 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118113⤵PID:4148
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"114⤵PID:456
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118115⤵PID:220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"116⤵PID:2344
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:4136
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118117⤵PID:1644
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"118⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118119⤵PID:2972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"120⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118121⤵PID:2284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"122⤵PID:4772
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1123⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118123⤵PID:336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"124⤵PID:4692
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1125⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118125⤵PID:3188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"126⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118127⤵PID:4176
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"128⤵PID:1952
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1129⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118129⤵PID:4420
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"130⤵
- System Location Discovery: System Language Discovery
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118131⤵PID:3624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"132⤵PID:2128
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1133⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118133⤵PID:4604
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"134⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118135⤵PID:3572
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"136⤵PID:712
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1137⤵PID:4456
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118137⤵PID:1496
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"138⤵PID:2856
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118139⤵PID:2520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"140⤵PID:4504
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1141⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118141⤵PID:4172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"142⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118143⤵PID:4152
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"144⤵PID:1156
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1145⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118145⤵PID:552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"146⤵PID:1476
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1147⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118147⤵PID:1220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"148⤵
- System Location Discovery: System Language Discovery
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118149⤵PID:4156
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"150⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118151⤵PID:3168
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"152⤵PID:540
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1153⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118153⤵PID:220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"154⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118155⤵PID:4648
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"156⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118157⤵PID:4640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"158⤵PID:2472
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118159⤵PID:5064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"160⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118161⤵PID:1980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"162⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118163⤵PID:1284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"164⤵PID:4648
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1165⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118165⤵PID:1644
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"166⤵PID:816
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118167⤵PID:5092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"168⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118169⤵PID:4484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"170⤵
- System Location Discovery: System Language Discovery
PID:4968 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1171⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118171⤵PID:3328
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"172⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118173⤵PID:3628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"174⤵PID:3256
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1175⤵PID:208
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118175⤵PID:1980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"176⤵PID:3292
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118177⤵PID:3128
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"178⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118179⤵
- System Location Discovery: System Language Discovery
PID:3116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"180⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118181⤵PID:3728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"182⤵PID:3236
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1183⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118183⤵PID:4972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"184⤵PID:4936
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118185⤵PID:2036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"186⤵
- System Location Discovery: System Language Discovery
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118187⤵PID:4776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"188⤵PID:2224
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118189⤵PID:3380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"190⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118191⤵PID:3116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"192⤵PID:2332
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1193⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118193⤵PID:5084
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"194⤵PID:1376
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118195⤵PID:2076
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"196⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118197⤵
- Adds Run key to start application
PID:3360 -
C:\Users\Admin\sGkYkgcw\EqIcsAoM.exe"C:\Users\Admin\sGkYkgcw\EqIcsAoM.exe"198⤵PID:540
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 224199⤵
- Program crash
PID:4004 -
C:\ProgramData\XOYIggoU\lawQAkkM.exe"C:\ProgramData\XOYIggoU\lawQAkkM.exe"198⤵
- System Location Discovery: System Language Discovery
PID:5068 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 220199⤵
- Program crash
PID:3840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"198⤵PID:5052
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1199⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118199⤵PID:4312
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"200⤵PID:3712
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118201⤵PID:2636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"202⤵PID:3572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1203⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118203⤵PID:4776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"204⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118205⤵PID:2780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"206⤵PID:4604
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1207⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118207⤵PID:4628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"208⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118209⤵PID:1248
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118"210⤵
- System Location Discovery: System Language Discovery
PID:4032 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1210⤵PID:4312
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2210⤵PID:100
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1211⤵PID:396
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f210⤵
- UAC bypass
PID:3488 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1211⤵PID:1144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqosEMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""210⤵PID:3348
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs211⤵PID:3904
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1208⤵
- Modifies visibility of file extensions in Explorer
PID:3496 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2208⤵
- Modifies registry key
PID:1848 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1209⤵PID:5084
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f208⤵
- UAC bypass
PID:3128 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1209⤵PID:4968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCkAAowU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""208⤵PID:992
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1209⤵PID:1764
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs209⤵PID:4640
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1206⤵
- Modifies visibility of file extensions in Explorer
PID:2384 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1207⤵PID:1504
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2206⤵PID:2284
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1207⤵PID:624
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f206⤵
- UAC bypass
PID:2808 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1207⤵PID:4656
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkQsgYUM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""206⤵PID:5096
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs207⤵PID:3916
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1204⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1496 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2204⤵
- Modifies registry key
PID:2332 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f204⤵
- UAC bypass
PID:552 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1205⤵PID:4156
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsgcUEQU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""204⤵PID:4044
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1205⤵PID:3568
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs205⤵PID:3000
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1202⤵PID:3236
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1203⤵PID:3968
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2202⤵PID:3228
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f202⤵
- UAC bypass
PID:1780 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1203⤵PID:4308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWwYggsw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""202⤵PID:2112
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1203⤵PID:1156
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs203⤵PID:3328
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1200⤵
- Modifies visibility of file extensions in Explorer
PID:4656 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1201⤵PID:2164
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2200⤵PID:2576
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f200⤵
- UAC bypass
PID:416 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1201⤵PID:3728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWwQsUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""200⤵PID:4664
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs201⤵PID:4540
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1198⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3832 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1199⤵PID:2224
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2198⤵
- Modifies registry key
PID:3644 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f198⤵
- UAC bypass
- Modifies registry key
PID:2448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOIMwwoo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""198⤵PID:4404
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1199⤵PID:4172
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs199⤵PID:2204
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1196⤵PID:4532
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1197⤵PID:3628
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2196⤵PID:4540
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1197⤵PID:4260
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f196⤵PID:752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqEEQUwc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""196⤵PID:456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1197⤵PID:3188
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs197⤵PID:2020
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1194⤵
- Modifies visibility of file extensions in Explorer
PID:1280 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1195⤵PID:3724
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2194⤵PID:3352
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f194⤵
- UAC bypass
PID:3604 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1195⤵PID:4972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XooIMMYs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""194⤵PID:1848
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1195⤵PID:3204
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs195⤵PID:4628
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1192⤵
- Modifies visibility of file extensions in Explorer
PID:2720 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2192⤵PID:5024
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f192⤵
- UAC bypass
PID:3968 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1193⤵PID:4296
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGwQMgoE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""192⤵
- System Location Discovery: System Language Discovery
PID:624 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs193⤵PID:4692
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1190⤵
- Modifies registry key
PID:3000 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1191⤵PID:2912
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2190⤵PID:4628
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f190⤵
- UAC bypass
PID:3236 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1191⤵PID:4192
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqAIEUkM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""190⤵PID:100
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1191⤵PID:416
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs191⤵PID:4656
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1188⤵
- Modifies visibility of file extensions in Explorer
PID:4120 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1189⤵PID:3292
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2188⤵
- Modifies registry key
PID:1476 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f188⤵
- UAC bypass
PID:5084 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1189⤵PID:2212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIkswMok.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""188⤵PID:3464
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1189⤵PID:3624
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs189⤵PID:4680
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1186⤵
- Modifies visibility of file extensions in Explorer
PID:1496 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1187⤵PID:1348
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2186⤵PID:456
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f186⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1187⤵PID:4648
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f108⤵
- UAC bypass
PID:3860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiIkcgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""108⤵PID:4004
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs109⤵PID:3536
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1106⤵
- Modifies visibility of file extensions in Explorer
PID:4128 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2106⤵PID:4564
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f106⤵
- System Location Discovery: System Language Discovery
PID:4192 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵PID:3988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuMwEcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""106⤵PID:4260
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵PID:3260
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs107⤵PID:1828
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1104⤵
- Modifies visibility of file extensions in Explorer
PID:1832 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2104⤵PID:4456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵PID:4172
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f104⤵PID:1144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awAsIUoc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""104⤵PID:456
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs105⤵PID:1940
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1102⤵PID:2064
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2102⤵PID:2940
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f102⤵PID:2044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCUIAsIU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""102⤵PID:4656
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs103⤵PID:212
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1100⤵PID:4884
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2100⤵
- Modifies registry key
PID:2520 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:4904
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f100⤵PID:4536
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:3568
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEsMEkAc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""100⤵PID:4776
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs101⤵PID:4680
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 198⤵
- Modifies registry key
PID:5024 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 298⤵PID:1584
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f98⤵
- UAC bypass
PID:3380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heQoIswo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""98⤵PID:1528
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs99⤵PID:3676
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 196⤵PID:1876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV197⤵PID:4936
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 296⤵PID:3724
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f96⤵PID:2696
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV197⤵PID:2896
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWoYYgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""96⤵PID:3476
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV197⤵PID:4624
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs97⤵PID:2068
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 194⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 294⤵PID:1544
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV195⤵PID:4248
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f94⤵
- UAC bypass
PID:708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiIYAEMY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""94⤵PID:1940
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs95⤵PID:4156
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 192⤵PID:2352
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 292⤵PID:3572
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f92⤵
- UAC bypass
PID:4164 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV193⤵PID:4596
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCIMwYMU.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""92⤵PID:4876
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs93⤵PID:2256
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 190⤵
- Modifies visibility of file extensions in Explorer
PID:872 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 290⤵
- Modifies registry key
PID:4636 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f90⤵PID:3224
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:2636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIYosYMg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""90⤵PID:740
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs91⤵PID:4452
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 188⤵PID:660
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 288⤵PID:3748
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:4960
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f88⤵
- UAC bypass
PID:4420 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:820
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsYEMUAI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""88⤵PID:348
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs89⤵PID:4692
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 186⤵
- Modifies visibility of file extensions in Explorer
PID:1116 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵PID:4700
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 286⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵PID:3712
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f86⤵
- UAC bypass
PID:4968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGUUwMAk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""86⤵PID:3260
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵PID:100
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs87⤵PID:2720
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 184⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4424 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 284⤵PID:3808
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f84⤵
- UAC bypass
- Modifies registry key
PID:3000 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵PID:3624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKoAgEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""84⤵
- System Location Discovery: System Language Discovery
PID:3872 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs85⤵PID:3820
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 182⤵
- Modifies visibility of file extensions in Explorer
PID:2856 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 282⤵PID:1584
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵PID:5048
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f82⤵
- UAC bypass
PID:4972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BogwgUoA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""82⤵PID:3676
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵PID:4672
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs83⤵PID:3636
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 180⤵
- Modifies visibility of file extensions in Explorer
PID:4068 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵PID:4516
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 280⤵PID:1784
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f80⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:4936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKYksYkI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""80⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs81⤵PID:1592
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 178⤵
- Modifies visibility of file extensions in Explorer
PID:1452 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 278⤵PID:3504
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵PID:3604
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f78⤵
- UAC bypass
PID:4600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaQkQQgw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""78⤵PID:2332
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs79⤵
- System Location Discovery: System Language Discovery
PID:3988 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 176⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1124 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 276⤵PID:3624
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f76⤵
- UAC bypass
PID:560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWscgEEI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""76⤵PID:1964
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs77⤵PID:3680
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 174⤵PID:4636
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 274⤵PID:3968
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f74⤵
- UAC bypass
PID:3664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAQswwUs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""74⤵PID:1284
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:4192
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs75⤵PID:4136
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 172⤵
- Modifies visibility of file extensions in Explorer
PID:3348 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 272⤵PID:1764
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f72⤵PID:4420
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgcMkQYA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""72⤵PID:2896
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs73⤵PID:1592
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 170⤵PID:4700
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 270⤵PID:3712
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f70⤵
- UAC bypass
PID:3604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REAcgIkM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""70⤵PID:3292
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs71⤵PID:216
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 168⤵
- Modifies registry key
PID:4140 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 268⤵PID:1380
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f68⤵
- UAC bypass
PID:5092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liwocAcw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""68⤵PID:4876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵PID:2224
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs69⤵PID:4536
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 166⤵
- Modifies visibility of file extensions in Explorer
PID:3568 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 266⤵PID:3804
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f66⤵PID:4672
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqokcIUA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""66⤵PID:1552
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs67⤵PID:5024
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 164⤵PID:1784
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 264⤵
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f64⤵
- Modifies registry key
PID:4516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAEIEwIA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""64⤵PID:1592
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs65⤵PID:1644
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 162⤵PID:1452
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 262⤵PID:3168
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f62⤵PID:992
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQkkYUcI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""62⤵PID:4180
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵PID:4040
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs63⤵
- System Location Discovery: System Language Discovery
PID:100 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 160⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3908 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 260⤵PID:1980
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f60⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQoUoEII.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""60⤵PID:2028
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs61⤵
- System Location Discovery: System Language Discovery
PID:3836 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 158⤵
- Modifies registry key
PID:3504 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 258⤵PID:4136
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f58⤵PID:4484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UskkYYkM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""58⤵PID:1116
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV159⤵PID:456
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs59⤵PID:1780
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 156⤵PID:3968
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 256⤵PID:3416
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f56⤵
- UAC bypass
PID:820 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:4312
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWYUgkIk.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""56⤵PID:4192
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs57⤵PID:2612
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 154⤵
- Modifies visibility of file extensions in Explorer
PID:2760 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 254⤵
- System Location Discovery: System Language Discovery
PID:4540 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f54⤵
- UAC bypass
PID:3612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMYMgYQs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""54⤵PID:2068
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs55⤵PID:552
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 152⤵PID:620
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 252⤵PID:2636
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f52⤵
- Modifies registry key
PID:3604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAYkkooE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""52⤵PID:2536
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs53⤵PID:3712
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 150⤵PID:2752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV151⤵PID:4612
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 250⤵PID:2224
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f50⤵PID:2912
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYUUkoYw.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""50⤵PID:3472
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs51⤵PID:4684
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 148⤵PID:4136
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 248⤵PID:1028
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f48⤵
- UAC bypass
PID:1600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAAUUkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""48⤵PID:4308
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs49⤵PID:2644
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 146⤵
- Modifies visibility of file extensions in Explorer
PID:2220 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 246⤵PID:5048
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f46⤵
- UAC bypass
PID:4796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIgQcUAA.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""46⤵PID:456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV147⤵PID:400
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs47⤵PID:1144
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 144⤵
- Modifies visibility of file extensions in Explorer
PID:4896 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV145⤵PID:4972
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 244⤵PID:4244
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f44⤵PID:3612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaQsIwoE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""44⤵PID:4312
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs45⤵PID:4580
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 142⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2568 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 242⤵
- Modifies registry key
PID:2116 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f42⤵
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQYEkkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""42⤵PID:4280
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵ PID:1628
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵ PID:4944
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵ PID:3716
- Modifies registry key
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵ PID:3184
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵ PID:2064
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCokEEEo.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
40⤵ PID:3728
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵ PID:3380
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵ PID:3808
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵ PID:4308
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵ PID:4188
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByIIEEUI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
38⤵ PID:4612
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵ PID:4044
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵ PID:4716
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵ PID:5048
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵ PID:2796
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵ PID:2856
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIEkYccs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
36⤵ PID:960
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵ PID:400
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵ PID:3328
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵ PID:992
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵ PID:4892
- UAC bypass
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCUcEAgs.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
34⤵ PID:4972
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵ PID:4312
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵ PID:4100
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵ PID:2348
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵ PID:4212
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵ PID:3348
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵ PID:1496
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYcIUYcI.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
32⤵ PID:2128
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵ PID:5064
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵ PID:4556
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵ PID:4396
- System Location Discovery: System Language Discovery
- Modifies registry key
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵ PID:3360
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵ PID:632
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSQQAIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
30⤵ PID:3184
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵ PID:2424
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵ PID:2284
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵ PID:3676
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵ PID:3916
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeAEIokc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
28⤵ PID:4044
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵ PID:3644
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵ PID:924
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵ PID:4244
- System Location Discovery: System Language Discovery
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵ PID:872
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYcMUksc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
26⤵ PID:3276
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵ PID:4636
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵ PID:2940
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵ PID:1220
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵ PID:620
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEIooEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
24⤵ PID:3376
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵ PID:752
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵ PID:1496
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵ PID:2348
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵ PID:3308
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYwYIYkE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
22⤵ PID:3292
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵ PID:2792
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵ PID:404
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵ PID:632
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵ PID:3184
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵ PID:3360
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGMQYwIg.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
20⤵ PID:3504
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵ PID:4604
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵ PID:4904
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵ PID:456
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵ PID:4716
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWcQgokM.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
18⤵ PID:1240
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵ PID:5100
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵ PID:924
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵ PID:2808
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵ PID:2256
- UAC bypass
- Modifies registry key
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵ PID:1764
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psskMUYE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
16⤵ PID:4988
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵ PID:824
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵ PID:2384
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵ PID:3476
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵ PID:1540
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵ PID:3648
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyIMQEgY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
14⤵ PID:3712
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵ PID:2068
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵ PID:2064
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵ PID:2140
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵ PID:2388
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmIcAswE.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
12⤵ PID:4212
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵ PID:2696
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵ PID:5116
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵ PID:3184
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵ PID:632
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YksYAEEY.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
10⤵ PID:636
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵ PID:4172
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵ PID:1572
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵ PID:2340
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵ PID:3988
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQMMoUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
8⤵ PID:820
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵ PID:2284
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵ PID:824
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵ PID:1764
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵ PID:660
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmIoIcQc.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
6⤵ PID:4652
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵ PID:3260
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵ PID:2940
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵ PID:452
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵ PID:3648
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BekcUcws.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
4⤵ PID:2576
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵ PID:1948
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵ PID:1832
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵ PID:1816
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵ PID:3716
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYYIMAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\54fcde8c178f2f1ccb6e2035ad93c4a0_JaffaCakes118.exe""
2⤵ PID:4168
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵ PID:2116
-
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 25de4b785844f03fda3918e399084898 bOv4goY3W0ai0jLffGy+6g.0.1.0.0.0
1⤵ PID:2568
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵ PID:2116
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵ PID:3184
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵ PID:1784
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵ PID:5056
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5068 -ip 5068
2⤵ PID:1600
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 540 -ip 540
2⤵ PID:4900
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵ PID:2248
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Hide Artifacts: 1
- Hidden Files and Directories: 1
- Impair Defenses: 1
- Disable or Modify Tools: 1
- Modify Registry: 4
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Unsecured Credentials: 1
- Credentials In Files: 1
Downloads
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize 329KB
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe
Filesize 186KB
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe
Filesize 188KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
Filesize 200KB
-
Filesize
202KB
MD582cf9af68d2dbb7507c5240050bbe220
SHA119bf50c8aed7db7d7493eb59420b9591c1e8d1fa
SHA256b0712f7a232af18d2628dfe9f890b32d6e02f32712e77e21402b796b3e7b73ef
SHA51215677bd97f15a0a0e56ce8186931c0750bbf8c36079269e26028fb00adb82119fa788ea3162782f909612dc25054fdfbf82fb052563f54ace4798af577c941cb
-
Filesize
210KB
MD5401c3aaa487fcc6c45448bed6ff6c461
SHA1a2391cbfa59eb3bb430c5dab6cd7402cc05cca70
SHA256263d19e25d921346bc9ec4950e446e3bd425b099fde201c0ac27fb91ff046255
SHA512fdd0477f795ee5538181a35ffaa55062ada73ee7593a740cb079eed07c362377dd4e4b40312ee0122f4ed644c3100b31c824cc04d1402f2fd458054507e1af0d
-
Filesize
223KB
MD500ed73f09512cd738f6b289ba3d53b8c
SHA122e78b2da8b0fd68360707ac7a0c347ca0d14cc3
SHA256f141483612b55349ed6ab12948cb7093437798937db2f0e699ec4299142c8971
SHA51247b9fe302caf53d270981da7b25c11cac3f3ff180b41656ff8e724a2ae8d6823beb818eab50b76df1bff6d797d7797b76af92457b19ba49f9e5179574e551058
-
Filesize
207KB
MD521902bfe197942a9fa0825e37cb9da39
SHA14966addbf2570d55a05a09e39cac7322138f6874
SHA256c936f54bb3028f637cfafdc64dbce843855fdc8381b8bd872591f512d6829c83
SHA5121ebc4e552c11c82ef497b2cff8e4d8959d9b3edcaa960e254ee0dd04f11cbab9fa98f82000cca1489fbff44ccee7b658c1117172034b76a0097fb52d99d8fffe
-
Filesize
191KB
MD548aee9f006946d06779f9c65ab43b681
SHA16f63a1289698243a7f77dad654cbe6ea80f99e18
SHA256f93fe507b957478951318a133c2a8790125d87d5db7a2b2c6879676718f7a135
SHA512522cdb1e4a52efa54e58ae5b3b991aab7fe87f6bcfe46adc77727c2b5fe4f8f658abea656d5a7b502959757c71f9886ba6d63a1c310104c6d7ee77e934366318
-
Filesize
662KB
MD5d7de16e36aa4ad06725bf62249c2f357
SHA1660cdd0ce6808831178c40a51ea2e8f07f9c7530
SHA25691c4501bfe0c61cef7db6f4669cff506992ca3bab64f0be7c4663742eafd6909
SHA512fcd0a21edbc5add92b2893368da585d9a7ab499aac60de4efbec0437f4698be8a744d8abd3dade0a421fe8f54b7743d40f2e25cb9817ca635b5bd3d2699b4129
-
Filesize
196KB
MD54057ed871472a3c0b8b0bc51b6943620
SHA10c55fa8099646a2beb289b506530f10af44fb507
SHA2564d5276d28ed7b584666bc13032bdffd54259156da02fbd604b0194330bb31f02
SHA5127672742cb585a6bb4ca18dafcd93cc21008055a6c92af1949c6be872ffd314062fca22145bf088b42c7bcefd30446857e9f8914c9dbcbe659d6e03b699d0d5c8
-
Filesize
657KB
MD55add5a60ec4546749d0d75dc480af017
SHA13b10fde7b31d9c9baef5623f361b3232056949ae
SHA2561bb06ed2fd9665317b76c91d65ae5dbc93df48342a5efdb8eeb0fa09fe982685
SHA512713e44d740b504156bd7b3064f413288379f6dd10b7dc0dcadfaa983d86091646441e18317a105621a4c59b2418218c5fc14e45ceabf299a144831bf35b51e74
-
Filesize
639KB
MD5649a3771f0ca92f479dd6eff2873c8bc
SHA16831d2837893030662c7103007f17a39f25226a6
SHA2565b716b9302df0783f76024b01308231232a802697a64023c85c345100f0fc56b
SHA5127a78cf0aa1afbd63956ebf8b38e01c8c5f53cdb962ee362dd0e7a5a50a9403a6c37d3e58584dff04ebd604742847e6096f421160133068be080245ae45e1cca6
-
Filesize
209KB
MD5751243c16cc5fbc7685663a727df4e07
SHA101fcaf9eee574624b0dacadcf2995c43323e7e2c
SHA256895e413d3d30c9b9bc5f77e023121e16091e02fd0b7ddcca4967698576b60f9a
SHA512075a98c6cceb4806bdad946154e1c619850c7f0688b509382419adeeda1d1277f3b6641bba4aa4e6c92f312e5c14e54c4ec21d98003ec1aaec7b9de1babd5cf4
-
Filesize
1.8MB
MD5c062564ef0dfcb4debdbc9e51b922bb7
SHA17d500a889793392ac8297aef2ffe4c623211833b
SHA2565fb49aecca152abde0d55adbdc739241d365e176c984f2cdbfcf5bd5220cc2a9
SHA512e3e8bc7f7b9f7e3cbee0d215030dd6326fe9ed870bcd38fb3f3a983a70818167b46de648d2b5d50e1e32a475f14d8797d1cb6c59fd1c256fbbcd8ec86311d7f1
-
Filesize
187KB
MD53b69c9250264ee2eb405dad9836c1fe7
SHA147360b65122975c07e863057c17676a6517b4d93
SHA2561f1099799a7967abf0df147cffa4f0e9efbe5a4592d1198167485d11be274ea0
SHA5122ed7ee258282d5a130ea0d18b8e8612bde1e694028370adb1deceaf4f5e8da6ea5ab1ff5e8c1c5f724399cf7c1499327d9c80e0612da5fbd0a3835bb847bd6e0
-
Filesize
208KB
MD5e5ac02240f28db4a1e57dff23aeb9e98
SHA1eae5f2b3bd45ffcfdf859275244ec5dbbed3a8b3
SHA25675686bf46dc0b0e8d08998a252e5b3619300f6fe271c4b298785d03e73d5e572
SHA512e3493d9cf81c616b544fe868675947ca67d3b7a91ba6b943eb7fd41ffbc7617cf3a1021ec5488db746092bb3e6338375cbe204f65827a24eefbf0263e79b6220
-
Filesize
449KB
MD580ee39246f8b89deee1225942ff0386d
SHA116c0b0150ac9969160de1647763547b947b40116
SHA2568622e18dd866fdb245feb943fdbb548af8217bb5e6c911d4f6650d7f2bb9ae2d
SHA512ca5d2b4e414c8e13fa3c2be7082c037d1c74dd1052cc49ed1db46b4de47ceb3b210b2982fefe309efd959b9c3f812ad4a4527216014ab5fe15b2f7b79da0fe77
-
Filesize
189KB
MD58a691268d5bb2a302a39a7e591e5d9cc
SHA16d5945f896f33b1cd4ce4b48780ce0006e3dab45
SHA25629ac5cc9f9cf1929ea0e4fb21a388c17220f5ca1141659fc382401d5389012a9
SHA5129143a91818adc5fdcf0371f94062a716c9d2f47bf9d06c83b2ba8b496f885d2ad8a4a0f546bb94cd10f2238073962e0b0ae235973acc423c74e55451cb190000
-
Filesize
198KB
MD5101d80b11fe13af688d56e1a6e19359c
SHA1cd8c92ee14f1af7e6cc3e60c9481390974f03c41
SHA256fde8d6814aed5f281733660dca33d18586f6a64c707f23b717f6b53273d59fda
SHA5125b510393683656935ced6b9a9870d121e6b4a60ef4628f547d036a093d86eef6adb2a6b39aa0bf21957fba0da99418e2923c5043858f18b5741876ae9f695823
-
Filesize
200KB
MD59b21122710c710c7d33f8381819e8020
SHA1720c42d711c1549386cee59bee16196b01a1fcf8
SHA25671cf32530de5bdaf1942bd02327fd542b1f9a7776377c4c95d40c21c661c54cb
SHA5120c5f1359396925a3ef95e55fb35d0cebc7cdbe45e514a3e9e065ebb484107ecbcc74a50d21d4af3dc3c0445aa292045971acf0ed797422cb1d54fbd74060e96f
-
Filesize
4KB
MD57ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA17b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA5122f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6
-
Filesize
205KB
MD5494f3055de1142d10413ca33efa1aabc
SHA1bb8f29f908c3de34867a913669af5843746fbc47
SHA2564aeade84a165a1bf388daabf5164f699995555761c3330652dfd74de64a86854
SHA512ca8dedbf5935ab7038422f5f0661b735cfae65ccf3562b6c27960494369c1195b52e3b8beb939dd8c50ee9cdf714acbd0136270e62aa9a0ee4df79fea2e0ff4d
-
Filesize
233KB
MD583cab8d892d51481c2f08c68b4330c16
SHA1b5d1e700c9579a0e5d58c1ca2f87d3b5b84e75b4
SHA2563712a089bb939b0a4db781c0fce71e0f9f1dc4b76367f639de2a43e2cc509232
SHA51211c144ae8153a15c189fe0f020df458aec1b2cb7bb7ee28563bc6302b3ea4de5678f554e70cfa5d0749e3e9291c8c6a5dcc9022ee0e202cc9eb2c1f68f834639
-
Filesize
207KB
MD5681e3683853feff7d06eaae559765c5d
SHA1889a2b59e4f920d1ae37380bcd196cea1c79ea1f
SHA2562a5dd73d503aff81665dd4f901a165fbbe8b15bbcafd165f23c1ec01729a0736
SHA51207a35e8edfcbd17195ac27cf20f06224aad60adad828022f36b88fb4c8b8b88766e370b3380a5c67cb565e84a05e15f9d2b4ed0348b518f9b90d87c482723568
-
Filesize
185KB
MD5ee83853c19bc64d61baa02e1c43e5e7b
SHA17e3ecb9367572af1c304f9df7d088e7e7d7b9ba4
SHA2564dd6686f17b12bf4212f3f67a9923d1d68f7c7957a9172cb43877162a01ae2ad
SHA512be0bd6199d92b9957394be697ce722f69de15a4b2d91c9f7d3c385295479cd7a8c7871f661fce1d93e4469da2fbcf76fe62f11053f01db48ed65d005d28c62fb
-
Filesize
225KB
MD5870c45ee1be0b6e4876228c89421c592
SHA121098d39d21a123879fcd5ae5b4a5aad2c17f1f3
SHA2560f46e200268c4df18d8448aec54907ae7789597aa6e3b858d9ad951ea8ae286e
SHA512cc31200506e05e7553fb3decc9950c92964833bb33b82137df9f71e9ff9db8eee704dc5ee31f7bfa3f82abd43f9133fe22c7366c8ce5587dba6f522237c4ad95
-
Filesize
195KB
MD5aeaebe8b6e811154b46f240e2d13a70b
SHA1c76b9e0d46027a10fc4a593c2b351acee5dc4ad0
SHA256b5f3a1d277717e2e52bcba68fcfbebb6748a275dd428f8371cfb76c8e47c097c
SHA5126957523ed7d99738a4563049393591f19cc17023daf47fb44f86fefa4dd277e6326fe7cccb05c28972443c82fa9905704b2d4416d70861b7fa0aec0c0eecacb2
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
807KB
MD5dc7f22de3fb639c1893ad4461dc098b7
SHA1c6fff42fbac2da8149b11f30dd7a2b3af7f4a149
SHA2567ed1b8f77235758624510b8285f1f4f51855ef372d8687fc34fbbfc7c768b5d0
SHA512b23aaa15cfe32183e27959fd6215cd067e44a3879a649e7a0a67ead68c0b278c79d0ec787a3f27e6d4f59959374d3ab27defeb4b60f8153e4aa6f2d48756ee0a
-
Filesize
193KB
MD5b99db219ede67bc3507ef1b11f8bdcab
SHA1b35af2c45e52ef7c4e71a40d5aff4436c7aa3e43
SHA256e779e950ba1b34b6fe83877f3bc5815713fc1b7b94a05ad4e1365f5db7181e34
SHA512508b412dd505a6c05b99f4fa554449ecc012699e27fcbd8884739bc910a062372184235f663da5da0ad50fe28654df8fd1bf5fc351b886fac58849c436c13fbd
-
Filesize
187KB
MD5653f7d726d057ad2764a2a9ea9e99287
SHA177c72356c024a5346df052a8dc737dc6051482d5
SHA2561c67e2e887e05d01c57cbb8b57e1af768fa15818265dd3dbf062614d9ad2a0d2
SHA51273e09e4c6981b439ab16b7e70e72a16654593db4234463f93889a09796627cd4578b70c077f5dc16aab5dc401e4dd3aee4c9789f8bc1909cd5aedfef175a2a8f
-
Filesize
807KB
MD58b77229c873568cf0ff389b89e29a362
SHA1c28dd8cd71dadc799ad6d1c2cd4684d137a89c26
SHA256e9f28e9405fc1dd7202015ba1a705aa1454f36921f797b22853f193298d23ec8
SHA512011370827747175438e9e2f8800a1544c8dee628e7bb80f1a68c23941d1dadf84f91025166d42eea8ac724c3915d8b849e0605758d9d103920f76fe83fcac02f
-
Filesize
322KB
MD5065930a7cf8c5cd739c3dd86d05a944f
SHA1a67fb8950aeae32ade26795c896fc895814465bf
SHA2566a33024a14b2b9d007ae2ca15ce16f78f369bb575204d9a03f669506383527bb
SHA51262e5cc70f7be49b9f0a6420f117678d66dcde69719357e1fda0500fa97116e952e479c3866e0ceb9b84438d67d08cb40bbdd90355792f5ed71ef7a21e4402e0e
-
Filesize
464KB
MD58ad9ca28cb6afafe29b1a2083241e513
SHA17dc6dcea2896b04be1b8ac15dcdc032c07823a9b
SHA256b5ec73fa1d78a2a4ff2021c4dc13711ed7d3a0c6dbea107e9aa815a1854a003a
SHA5128f5f7deaa8b639a9774a303dd02ef3ea64022f5dbea1eef14aca9025efedc3f1bb0fd1a6fb74a707db7d0a2accba9f0d1c6759e92a1b7e9a6d1bad4f5389854c
-
Filesize
197KB
MD5563abd70f3979694bd3706c6b2cd524f
SHA174f46a1fd005a4844e4c7f779e4b80d2ad5a6c37
SHA2563a459510710f13aa8727b843844c909a7c7e68d183fbc27576c4a360811befd9
SHA512c12b40546bb2d0c9d957e75252d07e72d2daf5adecdf509a7427bb8d5f9458475889e3167e7891285e31ef7bb3d2fbeb7c64d81af6e3d1aadd03186208a2a219
-
Filesize
4KB
MD5ace522945d3d0ff3b6d96abef56e1427
SHA1d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA5128e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e
-
Filesize
810KB
MD561de332645fa6960aba1046a1ac1d928
SHA1f73ae6293a25e6a5c194de40b41578981da135da
SHA256601813981622d7c1989e673b18e31ae3472d56af331587f2f3460c664668106c
SHA51235a863a9f648454f1b8cd8b1068a47c45456bd0c5e3dfc37be5a1c95c83aee96ac17d05ddcb6f3f5ba40aef94e7bd90c912d7e07d74eb9da16a48986c5c9d142
-
Filesize
829KB
MD5f7526f545a245e0e8bb10eaa77a56601
SHA1adeff66e0b01c5b51c22bc2cf1db1f21dabaa726
SHA2567574a31e5c65f6223041b74d400b4c9ebb43e17eeba9703e4b91dddf22c3d43f
SHA51298652f51b3deed1f2f9348cc5ce2fe907191b66d3191f3f2cb22e6675eb7ca5e7032979a5875642cf88ad2307a6f71010e446b4b9e0b2aa1b2ef43c4d3323988
-
Filesize
233KB
MD5db259022841c4ef62acd74269dbbfd4f
SHA163672fde1b61d4ae5f6801808c00fcf803f249ce
SHA256583a5fb48fe7fd47c88052817c55e81ad42f46388d2133c91093c5d2d10aa1c1
SHA512fa1901609f91fd70881f0bfe9cb075465cf5f574c1b8596253012a0a0efb316b6ed925c1f5497f9e11f32b657e4dacbe26ddedc96171f341c87e545fbacf48a1
-
Filesize
196KB
MD5b6234379ddb54c9cf5dbd222d7654814
SHA1ba492d4706dba8e04ca29c447dc1d9aaf717fc76
SHA2562504bab1713683aaaf6510bd8adc67f1a2b10e54640875efe438078b7157b885
SHA5124656ce88e5dce040b66fa91f49ac1724e5f93a74988f535c7153e39b2ebbd5fd6dcc1409cc1458b30964cea46e357d741c2b494e628419c46b133895e6b2f6e1
-
Filesize
422KB
MD594eb64168f3b5a1396b6a13f40dc0a53
SHA142742abd451a58ae57b9b9c1e50461968eecfd1c
SHA2561422d2ba08981b5f9c7a370c8e6370e4d6d892bf4348c68247c70c519f6bc26d
SHA512d13165410480647a45fb548bcd2872ebe5e8673ee59c8ba2a46dbb0d8d8f29a7d4542746026c4a2d9cdcb1179099bbb3afceb62d6af85a1d634c7e2dd770d695
-
Filesize
1.4MB
MD520f604daf1fe5c70a62ae28ccc211cf4
SHA1757cc458eed6c1ebbfcce5043e4e5f9f59f578c2
SHA256ea73c412484605fd640e258eab77a40292dd204ed74cea0abfc6ec0eec272bb1
SHA512370fa5139cdebe9f6805fde1ad2ff79c5b83135319a92e6fb13290cf34b56e5b1f35bff6474e2a417ad64a71fa163e8d5c0985f87a77c44bf2c8bcfc3eccc4d4
-
Filesize
209KB
MD5274dc56da6b626e1e8931d4ab3725719
SHA17ac2d9daf1f0738e7f0dab970459aa8d18d2de98
SHA256263fc37c67fc2ee514849c96c86f7453f7320fbc27004bad583051a11cf4685a
SHA51298aac6a54d07d1a29e0dd32721d6680325806a7d90f349fabc2e7b4e8f9262c59ce49c3f08eec9d759393d61fd5fcca495e5f8f8e94c605d9de18ff011c44c05
-
Filesize
554KB
MD59e1045ca2579e5d9fd815b14ac88e050
SHA1ff4a866bfb1a82a9122e2d8b72b1a1cc0ac159be
SHA25605d053e861a3ddea788d546600a48991cb4f347dc9986aebe7c7f56f7e7a4b9d
SHA512e84b7cbc2f84cf0acce952c879ad9063e2031accba191c22af8d3d0b5d1c053c556d39ed92eace6efdeb1cd176ad79da44aa7329a1704d67b62520c7a05e9c27
-
Filesize
201KB
MD54b0882d2f1533aa73ba9084d35e3d3ff
SHA1d08b7f4501aea99e71ad4208dfe9f4a94ce5145f
SHA256ebda289c099ffb29b9e520f520a08d282a39279d3c7513003abdf29c8f46c42a
SHA5121aff3eb2b0c861d074fd0b7667a914179da1a716b457c2bdcff8a20a936b35212d9d13a3768c7c6c24199b4aad881adfcd4ce5983b5e2395c922dced4f58c2e2
-
Filesize
366KB
MD590aa105ba7a56986fc818d6af89ce530
SHA12dd79c51b139fd5b68d120caf0a8d7ba930c2b68
SHA2563749a89d8a1d30fa26ed84d33d42144239e0e0f72e9887a6b6b533cfac7fa979
SHA512f83abad2b0b9b8dcb9031bcacf48387d24e7f3b62d17e013e2a42c319a015eb7832db6c1d59bc557106928a9329cc4b3ac407bb328488c60ded21d8a176e87e1
-
Filesize
201KB
MD563ac6ebe3d1a40d67da1293bfd5b807f
SHA14aa7354d6e073c7123a34b72ad4df37bae90f35e
SHA2560501665f6f81219f9c7a612e420e5006af952f90770bc843c7eb9b0c09a8d01d
SHA512296f78b63a47b8001b8de23e70d8a551e5063ea86b4103659ad176aecda89018c61fc193dd13af21542ef9794422c67cb0e8a7cc646564cc246f8df882573a9a
-
Filesize
4KB
MD56edd371bd7a23ec01c6a00d53f8723d1
SHA17b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA2560b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA51265ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8
-
Filesize
521KB
MD5320eecf329629676fcad53e121b870c0
SHA1fbe7baa756beb0e0b3dc329b1421bbc7cfdaa9bc
SHA25622c20c5332a21605ea9ae40225d846c9eb6665b9e920566246d104d0ed96bce0
SHA5123fe22ebd480170b4ac715a242d0cca03081c86560b5e721dd764d4deee1807c5afedac745bedd899c046fe5ab517c76735d7f68d6cde4680e07572c7b6cf9e67
-
Filesize
4KB
MD5f31b7f660ecbc5e170657187cedd7942
SHA142f5efe966968c2b1f92fadd7c85863956014fb4
SHA256684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA51262787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462
-
Filesize
319KB
MD5026e300943aae16966fbd8f255f0ddd6
SHA11f140486bbd86144dbe1b540ebabee10c1f3ff7e
SHA256f858517e83e97c59e9a2d230fdedcace4c99ea56ead6a3e61f11a2a76a1af7b0
SHA512ff6b20987c05c7bb0c179895fea20c9555e0f2af257da4a46e79ba8fd2f5b3d906a995069c1529bc07f911e969ad1ffab6c3a5093d026d66d96a2cf2ffa542fb
-
Filesize
203KB
MD5b957e2fbe2eb03e5dd4eb51d125f2bd8
SHA12ab593a3e21e9c374db9435d23780ac004888f4c
SHA25665a9ede774410ddff239420d72582e305d97f46f55fab7eba6adaf184b682d30
SHA512e42df4ef4e6c8f82323cb2eb0e84f9161e57e1839a4a6e164c869cd5a836bb9e235743965fe477dda1950e7c998098b044ed0376c761010ba31dd7985b74965d
-
Filesize
202KB
MD50f905b150fc267682af3d4d21b1c2ab4
SHA1bca931869d62a7ec525278693b26e88bf594420b
SHA256cd47e034e5b479f05a7c27cea275c6b998915b42268921725412406636f53172
SHA512ff6e3429744896aca23eea5b3f6c5ed0f50899ae44448aef41a9dcdb1fadf1a00359799726772410de2338f50f3e782b1f9ef86331ce586502dd3f34e72d87d6
-
Filesize
202KB
MD51b188323b152e2e6830a06837ba5a2b3
SHA190549b5a20026270a21d551242ebcaec9b9e6a67
SHA256c3e1243f1db176c2286f96d28bf77d24870dd421c6babc4a713698cb5bdd0a79
SHA51204cc70e0ec2275446401f30e82bdd68f2be54e63bdb872b216e654351280ef12a8b654094ea2cb09d53be6e8861ae3e369fd3e15b63a5ff4b996ce9607100940
-
Filesize
4KB
MD5ee421bd295eb1a0d8c54f8586ccb18fa
SHA1bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA25657e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897
-
Filesize
190KB
MD507cc69acd35f744c612d1fae1953de36
SHA1d39e155d746a3b200af62537ec7383c4919a3012
SHA2561c7820abf2cfee3f6230a037f6fd3dfabfb2d8d1278c00e7edb18b4854effb22
SHA5124d29b7c9712a99d0b94f7c96b2e84ab3d29938c264450c4d01a75685b712af46ed6f3337c07bed001c9c617da7a70a38cd3417b0a262a37ae703dde584f299f1
-
Filesize
193KB
MD535708af9a3c36f619e46fa0e4d35bf5e
SHA198d1880e38b85922196fb94990ad5e5db85d0f24
SHA256474620fd4498cb417c3f073bff2bd6eba0f9f1aca544a6644904215c1b95d835
SHA5129c2f3a5f450d10f22e2e0faef1e97d710f3785a1a15d73cf1e1a4e036b4f25115824eae250f084b945be1d93b30ce987770fa4808b43c17ec496b24662faa042
-
Filesize
829KB
MD5fd3eabb9b4dc3488cd38868fd0c2ad1a
SHA19e60b4e94bdc2f041743dfd2bf2395e1d6486352
SHA256a4fdd007e6f09f5742f7def61b5cdf43277e4ed8e0e3bc356c9638f2cd582113
SHA512144cdd45cd521b532214a63bbe8d66df6c437eef8c3026cc919007eaa29801c7cf6acaebbce51e6af60a4f596122156038cfc3283b23be2d64fbe7eeb5b59866
-
Filesize
180KB
MD573dd9349677d14873df0d37816b0b07f
SHA193d786762bfc34d61e16a32d0398784e6de0b731
SHA256134385916575b3a8ebe93c76341c86f4e99c5b39e4f3107170ec0ba6975f45ca
SHA5126c56c8846268fc72fd73560fcd802e03b139c892df412c849de0bf56dd8a0d8bf673205dd27d4c11b8dd3eee05d82117dd48d1f2a12c03279169ae104c9b284d
-
Filesize
193KB
MD536ae05a3f0721d42ce55cba9359de92a
SHA1493583aceb4a4ca967039dc6d215cb2d9aedb10f
SHA256b7ace65299a18890cd350b24f20fa343ef267509af0157378ee54711301eeb32
SHA51281b103e345057fa67653becc05d01c7267d99f1e57edcfb7c142546e015a8babced3f4a1bf20ea5694aa477578d4d87cedc65b67f80b2af72c8a1516bed968f2
-
Filesize
325KB
MD55c82b21f25d3871220e23b6467c84f85
SHA10929cc50071bda7ac93a98ac1775b254e6904a82
SHA2568944c47a056019cacccebf372743345d84a1bd7471c3bac39b3e5156e96c9c01
SHA5129741f0786f9c3e33538f43a1590773b72b9aa6934a32227696cbb7d3905618f2474f70859dd610113994304112db31e40b4ad3d7a0109da48a95dcccd6fc8099
-
Filesize
193KB
MD5a80b6ff40fd6a3f79cf6ab4399a4d4d2
SHA1c61816b841fc06eea8abfab9a608fa4665390c8b
SHA256f11372979ef5e2367471116fb7cb102e2a2d123505e582655acfcf5d1604c7a0
SHA512452bd01c366b47d6633dd3068146cf2d91326b412c74d0218d831dfb953f1bce497f3825624253bb19c32bbb1130572cf6d75dc50c00a8820351cdfef9314e9a
-
Filesize
193KB
MD502f1f989ee8e8ad082140240edf7affe
SHA1d79d775ca22fa0f686b89275296f5f3dd4c68dfa
SHA256f16b76e70fe9d77a3e55b60d35d90f9ca61d8d4d0d641683a1acb1ad93bf651c
SHA51292c70d3c3cd19118575cc09c6e3ee4a889e2968687328ab0af5acbb42e2665dfb052eb0f21d7889e93483895aa647f81d77625cb89bdf31f1a09da68ff6cf39d
-
Filesize
199KB
MD575812fe3b4cbf54646bb2d93c5bb1608
SHA10d6dc377b13ab3af8375ae2010d40a64ed2119c3
SHA256567e37d4a320b65d5fb2f3d3fd8bbc0ab4eec04648898169edc035034a5c6210
SHA512b9c62a14362a17589e27440134acf85d4ddbb5f37cf640f8afceb17e31f72a5ae2faff7fc28e9e27925a366b2a6ddb6f17eb38bba8ea14ca9047a0196cf6e25a
-
Filesize
206KB
MD5b1f5c4b4841fdfda35628b6932f158dd
SHA1c3b59218ef448174c990052fe91b9fc04301d7cb
SHA256fb1e96683a701d487dc65df90b69b665277893c6b68d820f938cf1e4e957f090
SHA5120d8284b5a0d7e1ff7072bfb7bb271dd1e126aaecfa690cd4beb06292a4b1f5cdb35407452e3d82a5780663d35382b300e0344a847d699b4102f7cea5ba389d0f
-
Filesize
377KB
MD5d4def941ab512453fdc2dd85bc5c8712
SHA1ff648c145f8612bf5354b59f433624fda6fb0bf8
SHA2566543ca077be1f8c134ff0fe042345cfc998ae3aeb7f194f5989faa19ba47d1b4
SHA51247d932ea0fd22b7864dbd7c5e2ad104b24a3cca2feb9a4600b1ed637e816d8fba6586e59021b12e6025cfe5a3c0fcb6e4cfaa141498d38084a29a52a2ff7b7f6
-
Filesize
590KB
MD5d78cfe83202a55e419aa79b38aaa6917
SHA100bab913e84ce917c1c3bf7d632ec47edf54626f
SHA2564482a03e95396f91ab4cadddb573b1e03fb0a242b3f2c892647ced081be2ce39
SHA512c93214ee00ad49597137551bb1f6a6a8921ae95c89228e3b692cfe169864228dd31212da659351c500fd40be70418264abb6a7fb748598c58346ec2a1b6b00ec
-
Filesize
643KB
MD5fafcb065d1022b49fe190f6a777ee694
SHA1a39a6be6fb3c87a8c855a00cee0b2b43099324ee
SHA25683d017621a843edf914c60f25d99351adabfb97bee779f59818518d5683a488d
SHA512a4b0ef1a2a3635c1fce37e7017de5cb046f4907b6b7cb13b221f6e86f8a0a85be2ede7ff87cd2a93aec00a255dfdfb4aa50128718a5f593b6ba8c49cbdf12704
-
Filesize
506KB
MD54fbb6883aa9f866a7efb2874fda8d7b2
SHA1b5a4e0dd24dbaa115a432bfb04fc613fcf7478cb
SHA2565997e0c88dfae85d12ce72a50a4417138a2dec0e622c3a4c6ab1484b51eb5f08
SHA512f33c1e7aad408dbd92c2bbd315bb4ce29d9db981f96fe5aae2e13b3058e47dce508d9ae0c0f11ca53d57158878ce1a1dd1b220f2976a2cdba38daf02f9d11265
-
Filesize
180KB
MD5e8671b59931a45aaf27573d8c0233027
SHA1b89e67381632befaac806af7ef047499f6b82c11
SHA25631c37366ad0f804444a90cf7f704f110c2230d6b4e79a3fc647fac175a7716ce
SHA512219f859cec23ae9b287423ba14cc3063fadf57213a4418cbb691294e247138cd2b70c77830873abd54726e66c2d1257f6d88e0f2f63f9de4c5f5606935417e72