Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250610-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250610-en locale:en-us os:windows10-2004-x64 system -
submitted
04/07/2025, 17:27
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
Resource
win11-20250610-en
General
-
Target
JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
-
Size
464KB
-
MD5
1c6ef7ad96a4b714103304a583e35ac0
-
SHA1
651e47b068efffe3d1eecb89ac0db0ba2d704b9d
-
SHA256
72ff03ee4a4ffaa7e1dfc4e03ad78940d52d24bc6b55dd9ed8584b795b882ceb
-
SHA512
e9266d824e68c5b66287aff8c3f94926c2e3cc18cf43dd629888b7ede937bb2f91709aa344c78a366734886a973a4979063fcc7408b3ee66b8a66ab3f85f5cbb
-
SSDEEP
12288:RcDzQkq2sSapMDOmvD8JQo/2HdxAiV+ybW2mBHDitYwTEfJi+a:RIQkPbkMqmvVoUdaiV+tjiGLiX
Malware Config
Signatures
-
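Modifies visibility of file extensions in Explorer 2 TTPs 59 IoCs
Setting HideFileExt to "1" hides known file extensions in Explorer, so a dropped file such as shell32.dll.exe (listed under "Drops file in System32 directory") would be displayed without its trailing .exe.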
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
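UAC bypass 3 TTPs 59 IoCs
The recorded writes set EnableLUA to "0" under the machine-wide Policies\System key, which switches User Account Control off for the host rather than evading a single elevation prompt; a change to this value is a high-signal event to alert on.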
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (54) files with added filename extension
This suggests ransomware activity, i.e. encrypting all the files on the system; the rename count alone does not confirm that file contents were encrypted.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 34 3768 Process not Found 35 3768 Process not Found -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\Control Panel\International\Geo\Nation NsYgckMk.exe -
Executes dropped EXE 5 IoCs
pid Process 5052 NsYgckMk.exe 3448 yUkAAkYE.exe 3648 nugoUYAI.exe 448 NsYgckMk.exe 4812 yUkAAkYE.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yUkAAkYE.exe = "C:\\ProgramData\\DuEsYQwk\\yUkAAkYE.exe" yUkAAkYE.exe Set value (str) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NsYgckMk.exe = "C:\\Users\\Admin\\QIMkAIUA\\NsYgckMk.exe" NsYgckMk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yUkAAkYE.exe = "C:\\ProgramData\\DuEsYQwk\\yUkAAkYE.exe" nugoUYAI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yUkAAkYE.exe = "C:\\ProgramData\\DuEsYQwk\\yUkAAkYE.exe" yUkAAkYE.exe Set value (str) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NsYgckMk.exe = "C:\\Users\\Admin\\QIMkAIUA\\NsYgckMk.exe" NsYgckMk.exe Set value (str) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NsYgckMk.exe = "C:\\Users\\Admin\\QIMkAIUA\\NsYgckMk.exe" JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yUkAAkYE.exe = "C:\\ProgramData\\DuEsYQwk\\yUkAAkYE.exe" JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe -
Drops file in System32 directory 15 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\QIMkAIUA\NsYgckMk nugoUYAI.exe File opened for modification C:\Windows\SysWOW64\sheConvertToRestart.docx NsYgckMk.exe File opened for modification C:\Windows\SysWOW64\sheNewTrace.docx NsYgckMk.exe File created C:\Windows\SysWOW64\shell32.dll.exe NsYgckMk.exe File opened for modification C:\Windows\SysWOW64\sheConvertToResume.xlsx NsYgckMk.exe File opened for modification C:\Windows\SysWOW64\sheDisconnectNew.gif NsYgckMk.exe File opened for modification C:\Windows\SysWOW64\sheGetRepair.bmp NsYgckMk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\QIMkAIUA nugoUYAI.exe File opened for modification C:\Windows\SysWOW64\sheImportReset.pdf NsYgckMk.exe File opened for modification C:\Windows\SysWOW64\sheOutConvertFrom.zip NsYgckMk.exe File opened for modification C:\Windows\SysWOW64\sheConvertUndo.xlsx NsYgckMk.exe File opened for modification C:\Windows\SysWOW64\sheDismountConnect.wma NsYgckMk.exe File opened for modification C:\Windows\SysWOW64\sheJoinRequest.exe NsYgckMk.exe File opened for modification C:\Windows\SysWOW64\sheStartUndo.xlsx NsYgckMk.exe File opened for modification C:\Windows\SysWOW64\sheTestExit.xlsx NsYgckMk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yUkAAkYE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 4032 reg.exe 4720 reg.exe 2828 reg.exe 4460 reg.exe 692 reg.exe 1368 reg.exe 3768 reg.exe 4228 reg.exe 968 reg.exe 2860 reg.exe 4032 reg.exe 2660 reg.exe 1880 reg.exe 4872 reg.exe 4552 reg.exe 5044 reg.exe 4720 reg.exe 4880 reg.exe 3612 reg.exe 3944 reg.exe 1632 reg.exe 4288 reg.exe 2904 reg.exe 452 reg.exe 2920 reg.exe 2668 reg.exe 5044 reg.exe 4340 reg.exe 564 reg.exe 2100 reg.exe 4168 reg.exe 2952 reg.exe 4480 reg.exe 3644 reg.exe 3592 reg.exe 452 reg.exe 3552 reg.exe 1696 reg.exe 2920 reg.exe 3896 reg.exe 756 reg.exe 4032 reg.exe 1020 reg.exe 3644 reg.exe 1888 reg.exe 4320 reg.exe 4484 reg.exe 840 reg.exe 5072 reg.exe 2260 reg.exe 2936 reg.exe 3980 reg.exe 3972 reg.exe 1696 reg.exe 4984 reg.exe 4984 reg.exe 4668 reg.exe 4568 reg.exe 4304 reg.exe 1708 reg.exe 836 reg.exe 3512 reg.exe 4660 reg.exe 464 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4408 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4408 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4408 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4408 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 1968 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 1968 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 1968 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 1968 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 884 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 884 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 884 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 884 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4984 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4984 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4984 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4984 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 5068 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 5068 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 5068 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 5068 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3980 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3980 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3980 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3980 
JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4880 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4880 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4880 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4880 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4528 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4528 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4528 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4528 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 5044 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 5044 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 5044 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 5044 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3332 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3332 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3332 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3332 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3644 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3644 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3644 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 3644 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4212 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4212 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4212 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 4212 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 740 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 740 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 740 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 740 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe -
Suspicious use of FindShellTrayWindow 22 IoCs
pid Process 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe 5052 NsYgckMk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3396 wrote to memory of 5052 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 85
PID 3396 wrote to memory of 5052 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 85
PID 3396 wrote to memory of 5052 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 85
PID 3396 wrote to memory of 3448 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 88
PID 3396 wrote to memory of 3448 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 88
PID 3396 wrote to memory of 3448 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 88
PID 3396 wrote to memory of 2336 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 93
PID 3396 wrote to memory of 2336 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 93
PID 3396 wrote to memory of 2336 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 93
PID 3108 wrote to memory of 448 3108 cmd.exe 94
PID 3108 wrote to memory of 448 3108 cmd.exe 94
PID 3108 wrote to memory of 448 3108 cmd.exe 94
PID 2060 wrote to memory of 4812 2060 cmd.exe 96
PID 2060 wrote to memory of 4812 2060 cmd.exe 96
PID 2060 wrote to memory of 4812 2060 cmd.exe 96
PID 3396 wrote to memory of 3580 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 97
PID 3396 wrote to memory of 3580 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 97
PID 3396 wrote to memory of 3580 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 97
PID 3396 wrote to memory of 968 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 98
PID 3396 wrote to memory of 968 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 98
PID 3396 wrote to memory of 968 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 98
PID 3396 wrote to memory of 2916 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 99
PID 3396 wrote to memory of 2916 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 99
PID 3396 wrote to memory of 2916 3396 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 99
PID 2336 wrote to memory of 3916 2336 cmd.exe 103
PID 2336 wrote to memory of 3916 2336 cmd.exe 103
PID 2336 wrote to memory of 3916 2336 cmd.exe 103
PID 3916 wrote to memory of 3484 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 104
PID 3916 wrote to memory of 3484 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 104
PID 3916 wrote to memory of 3484 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 104
PID 3916 wrote to memory of 3592 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 106
PID 3916 wrote to memory of 3592 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 106
PID 3916 wrote to memory of 3592 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 106
PID 3916 wrote to memory of 4276 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 107
PID 3916 wrote to memory of 4276 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 107
PID 3916 wrote to memory of 4276 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 107
PID 3916 wrote to memory of 2920 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 108
PID 3916 wrote to memory of 2920 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 108
PID 3916 wrote to memory of 2920 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 108
PID 3916 wrote to memory of 1444 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 109
PID 3916 wrote to memory of 1444 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 109
PID 3916 wrote to memory of 1444 3916 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 109
PID 3484 wrote to memory of 3112 3484 cmd.exe 114
PID 3484 wrote to memory of 3112 3484 cmd.exe 114
PID 3484 wrote to memory of 3112 3484 cmd.exe 114
PID 1444 wrote to memory of 4728 1444 cmd.exe 115
PID 1444 wrote to memory of 4728 1444 cmd.exe 115
PID 1444 wrote to memory of 4728 1444 cmd.exe 115
PID 3112 wrote to memory of 4536 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 116
PID 3112 wrote to memory of 4536 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 116
PID 3112 wrote to memory of 4536 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 116
PID 4536 wrote to memory of 4408 4536 cmd.exe 180
PID 4536 wrote to memory of 4408 4536 cmd.exe 180
PID 4536 wrote to memory of 4408 4536 cmd.exe 180
PID 3112 wrote to memory of 4268 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 119
PID 3112 wrote to memory of 4268 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 119
PID 3112 wrote to memory of 4268 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 119
PID 3112 wrote to memory of 5044 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 120
PID 3112 wrote to memory of 5044 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 120
PID 3112 wrote to memory of 5044 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 120
PID 3112 wrote to memory of 1692 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 121
PID 3112 wrote to memory of 1692 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 121
PID 3112 wrote to memory of 1692 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 121
PID 3112 wrote to memory of 4552 3112 JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe 122
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Users\Admin\QIMkAIUA\NsYgckMk.exe"C:\Users\Admin\QIMkAIUA\NsYgckMk.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
PID:5052
-
-
C:\ProgramData\DuEsYQwk\yUkAAkYE.exe"C:\ProgramData\DuEsYQwk\yUkAAkYE.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3448
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"2⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac03⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"4⤵
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac05⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"6⤵
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac07⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"8⤵
- System Location Discovery: System Language Discovery
PID:3432 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac09⤵
- Suspicious behavior: EnumeratesProcesses
PID:1968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"10⤵
- System Location Discovery: System Language Discovery
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac011⤵
- Suspicious behavior: EnumeratesProcesses
PID:884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"12⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac013⤵
- Suspicious behavior: EnumeratesProcesses
PID:4984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"14⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac015⤵
- Suspicious behavior: EnumeratesProcesses
PID:5068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"16⤵PID:996
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac017⤵
- Suspicious behavior: EnumeratesProcesses
PID:3980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"18⤵PID:1536
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵PID:2936
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac019⤵
- Suspicious behavior: EnumeratesProcesses
PID:4880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"20⤵PID:2112
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV121⤵PID:5112
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac021⤵
- Suspicious behavior: EnumeratesProcesses
PID:4528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"22⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac023⤵
- Suspicious behavior: EnumeratesProcesses
PID:5044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"24⤵
- System Location Discovery: System Language Discovery
PID:3412 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac025⤵
- Suspicious behavior: EnumeratesProcesses
PID:3332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"26⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac027⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"28⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac029⤵
- Suspicious behavior: EnumeratesProcesses
PID:4212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"30⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac031⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"32⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac033⤵
- System Location Discovery: System Language Discovery
PID:4752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"34⤵PID:3644
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac035⤵PID:1168
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"36⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac037⤵PID:3696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"38⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac039⤵PID:2872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"40⤵
- System Location Discovery: System Language Discovery
PID:4696 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac041⤵PID:4380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"42⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac043⤵PID:3680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"44⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac045⤵PID:5084
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"46⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac047⤵
- System Location Discovery: System Language Discovery
PID:4780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"48⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac049⤵PID:2212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"50⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac051⤵PID:4212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"52⤵PID:4832
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac053⤵PID:3196
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"54⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac055⤵PID:1808
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"56⤵
- System Location Discovery: System Language Discovery
PID:4284 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac057⤵PID:1888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"58⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac059⤵PID:2920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"60⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac061⤵PID:1216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"62⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac063⤵PID:4840
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"64⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac065⤵PID:840
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"66⤵PID:4408
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac067⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"68⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac069⤵PID:3556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"70⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac071⤵PID:4068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"72⤵PID:3896
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac073⤵PID:2212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"74⤵PID:4408
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac075⤵PID:1708
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"76⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac077⤵PID:3196
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"78⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac079⤵PID:3332
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"80⤵PID:4320
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac081⤵PID:4820
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"82⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac083⤵PID:3440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"84⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac085⤵PID:1056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"86⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac087⤵PID:4268
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"88⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac089⤵
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"90⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac091⤵PID:1680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"92⤵PID:3632
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac093⤵PID:3740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"94⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac095⤵PID:3440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"96⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac097⤵
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"98⤵PID:64
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV199⤵PID:3196
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac099⤵PID:436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"100⤵PID:1776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:4696
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0101⤵PID:3984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"102⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0103⤵PID:1056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"104⤵
- System Location Discovery: System Language Discovery
PID:4984 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0105⤵PID:1224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"106⤵PID:3768
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵PID:512
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0107⤵
- System Location Discovery: System Language Discovery
PID:3928 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"108⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0109⤵
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"110⤵PID:3168
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:4340
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0111⤵PID:2392
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"112⤵PID:4312
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1113⤵PID:772
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0113⤵PID:2100
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"114⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0115⤵PID:436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"116⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0117⤵PID:4420
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 118⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4552
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 118⤵ PID:5092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1119⤵PID:3928
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f 118⤵
- UAC bypass (sets EnableLUA to 0, which disables UAC system-wide)
PID:4892 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1119⤵PID:4820
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 116⤵
- Modifies visibility of file extensions in Explorer
PID:4832
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 116⤵ PID:3656
-
-
C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f 116⤵
- UAC bypass
PID:1912
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWIAAkoA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""116⤵
- System Location Discovery: System Language Discovery
PID:3596 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs117⤵PID:4408
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3644
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 114⤵
- Modifies registry key
PID:464 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1115⤵PID:4480
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f 114⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:5116
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocEUooEY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""114⤵PID:3608
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs115⤵PID:5068
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 112⤵
- Modifies visibility of file extensions in Explorer
PID:4668
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 112⤵ PID:4232
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1113⤵PID:4320
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f 112⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4660 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1113⤵PID:2828
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwAQYcEo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""112⤵PID:1804
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1113⤵PID:2728
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs113⤵PID:212
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 110⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:1660
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 110⤵
- Modifies registry key
PID:4288 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:2920
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f 110⤵
- UAC bypass
PID:4304 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:3680
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYwgMQYU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""110⤵PID:1216
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs111⤵
- System Location Discovery: System Language Discovery
PID:2660
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 108⤵
- Modifies visibility of file extensions in Explorer
PID:4380
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 108⤵ PID:5044
-
-
C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f 108⤵
- UAC bypass
PID:2384
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKsUkscQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""108⤵PID:4692
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs109⤵PID:1708
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 106⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4872
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 106⤵
- Modifies registry key
PID:1632
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f106⤵
- UAC bypass
PID:2728
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKEIkkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""106⤵
- System Location Discovery: System Language Discovery
PID:3996 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵PID:1264
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs107⤵PID:3512
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1104⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:1880
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2104⤵
- Modifies registry key
PID:4568 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵PID:3592
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f104⤵
- UAC bypass
- Modifies registry key
PID:2260
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAIIAgYk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""104⤵PID:2660
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵PID:4068
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs105⤵
- System Location Discovery: System Language Discovery
PID:1516
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1102⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4032 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1103⤵PID:2812
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2102⤵PID:4440
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1103⤵PID:996
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f102⤵
- UAC bypass
- Modifies registry key
PID:2668
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQccgUwY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""102⤵PID:32
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1103⤵PID:3944
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs103⤵PID:1240
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1100⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5072 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:4212
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2100⤵PID:5080
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f100⤵
- UAC bypass
PID:3352
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQwQQUIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""100⤵PID:3872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:3376
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs101⤵PID:1264
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:772
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:404
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1880
-
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQsQUwwk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
98⤵
PID:1856
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:1756
-
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:4288
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 196⤵
- Modifies visibility of file extensions in Explorer
PID:3996
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 296⤵PID:212
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV197⤵PID:564
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f96⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:3556
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaYwogkE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""96⤵
- System Location Discovery: System Language Discovery
PID:996 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs97⤵PID:2960
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 194⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:840
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 294⤵
- Modifies registry key
PID:3512
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f94⤵
- UAC bypass
PID:3608
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAcscQIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""94⤵PID:4872
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs95⤵PID:4168
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 192⤵
- Modifies visibility of file extensions in Explorer
PID:2828
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 292⤵PID:2608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV193⤵PID:3796
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f92⤵
- UAC bypass
PID:1168
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKscAEkw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""92⤵
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs93⤵PID:3612
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 190⤵
- Modifies visibility of file extensions in Explorer
PID:3504
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 290⤵
- System Location Discovery: System Language Discovery
PID:3888
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f90⤵
- UAC bypass
PID:1804
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riYkQQAE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""90⤵
- System Location Discovery: System Language Discovery
PID:832 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:4752
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs91⤵PID:2284
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 188⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3944
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 288⤵PID:836
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:3760
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f88⤵
- UAC bypass
- Modifies registry key
PID:2100
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGYQcAQo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""88⤵PID:3440
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs89⤵PID:3680
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 186⤵
- Modifies visibility of file extensions in Explorer
PID:1652
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 286⤵PID:4420
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵PID:1144
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f86⤵
- UAC bypass
PID:4004 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵PID:4332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUosMkQs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""86⤵PID:4800
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs87⤵PID:4364
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 184⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4668
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 284⤵
- System Location Discovery: System Language Discovery
PID:512
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f84⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:2812
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgscoEEs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""84⤵PID:3504
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs85⤵PID:1680
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 182⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1696
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 282⤵
- System Location Discovery: System Language Discovery
PID:1756
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f82⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:564
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saYcAsAk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""82⤵
- System Location Discovery: System Language Discovery
PID:4880 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs83⤵PID:3944
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 180⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4480
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 280⤵
- Modifies registry key
PID:756
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f80⤵
- UAC bypass
- Modifies registry key
PID:4984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAIckQko.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""80⤵PID:452
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs81⤵PID:4332
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 178⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3612
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 278⤵PID:2392
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f78⤵
- UAC bypass
- Modifies registry key
PID:4340 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵PID:1360
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqwkMUEw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""78⤵PID:2812
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs79⤵PID:3040
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 176⤵
- Modifies visibility of file extensions in Explorer
PID:3740
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 276⤵PID:3748
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f76⤵
- UAC bypass
- Modifies registry key
PID:2920
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCwUUIgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""76⤵PID:3264
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:3588
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs77⤵PID:840
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 174⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:836 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:2952
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 274⤵PID:5080
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f74⤵
- UAC bypass
PID:4320 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:4572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JowIwksY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""74⤵PID:4984
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs75⤵PID:4500
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 172⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4484
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 272⤵
- System Location Discovery: System Language Discovery
PID:512
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f72⤵
- UAC bypass
- Modifies registry key
PID:2660
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYUYYQUs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""72⤵PID:1016
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵PID:4536
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs73⤵PID:5116
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 170⤵
- Modifies visibility of file extensions in Explorer
PID:1680 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵PID:4228
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 270⤵PID:4332
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f70⤵
- UAC bypass
PID:832
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAIkoAcg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""70⤵PID:3376
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵PID:692
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs71⤵PID:1652
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 168⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4032
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 268⤵
- Modifies registry key
PID:4984
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f68⤵
- UAC bypass
PID:2384
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysckkskc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""68⤵PID:1144
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs69⤵PID:3764
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 166⤵
- Modifies visibility of file extensions in Explorer
PID:1224
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 266⤵PID:2660
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f66⤵
- UAC bypass
PID:3632
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuAwwIcA.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""66⤵PID:3596
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs67⤵PID:4340
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 164⤵
- Modifies visibility of file extensions in Explorer
PID:1912
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 264⤵
- System Location Discovery: System Language Discovery
PID:1680
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f64⤵
- UAC bypass
- Modifies registry key
PID:4228
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKMIwkUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""64⤵PID:2576
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV165⤵PID:4452
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs65⤵PID:1696
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 162⤵
- Modifies visibility of file extensions in Explorer
PID:4380
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 262⤵PID:1424
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f62⤵
- UAC bypass
PID:4984 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵PID:4428
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUEQEAQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""62⤵PID:1880
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs63⤵PID:3400
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 160⤵
- Modifies visibility of file extensions in Explorer
PID:5068
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 260⤵
- System Location Discovery: System Language Discovery
PID:3768
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f60⤵
- UAC bypass
PID:1360 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵PID:3588
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swQAsQgI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""60⤵PID:1604
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs61⤵PID:2392
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 158⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4880
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 258⤵
- Modifies registry key
PID:452 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV159⤵PID:2672
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f58⤵
- UAC bypass
- Modifies registry key
PID:3552
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwksgMEk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""58⤵PID:3796
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs59⤵PID:2668
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 156⤵
- Modifies visibility of file extensions in Explorer
PID:1632
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 256⤵PID:1536
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f56⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:3620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSwsIIoc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""56⤵PID:4572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:2728
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs57⤵PID:5084
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 154⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:692
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 254⤵
- Modifies registry key
PID:1368
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f54⤵
- UAC bypass
- Modifies registry key
PID:3768
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcwAUkMk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""54⤵PID:4820
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs55⤵
- System Location Discovery: System Language Discovery
PID:3608
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 152⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:452 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:3796
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 252⤵
- System Location Discovery: System Language Discovery
PID:1124
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f52⤵
- UAC bypass
- Modifies registry key
PID:1708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kikssMIU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""52⤵PID:1128
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs53⤵PID:996
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 150⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2952
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 250⤵PID:1168
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV151⤵PID:516
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f50⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4460
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGwoMQcc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""50⤵PID:5072
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs51⤵PID:2116
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 148⤵
- Modifies visibility of file extensions in Explorer
PID:3276 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵PID:4408
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 248⤵PID:2480
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f48⤵
- UAC bypass
PID:4724
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAUAUQMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""48⤵PID:4720
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs49⤵PID:4304
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 146⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4320
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 246⤵
- Modifies registry key
PID:3896
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f46⤵
- UAC bypass
PID:3504 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV147⤵PID:1672
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmwIsgEE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""46⤵
- System Location Discovery: System Language Discovery
PID:4880 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs47⤵PID:3168
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 144⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2904
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 244⤵PID:3928
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f44⤵
- UAC bypass
PID:1888
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIEYAEIg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""44⤵PID:4228
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs45⤵PID:4928
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 142⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4720
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 242⤵PID:2964
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f42⤵
- UAC bypass
PID:3588
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYUYcYQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""42⤵PID:4392
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs43⤵PID:4820
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 140⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:1492
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 240⤵
- Modifies registry key
PID:2828
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f40⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:1708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eugAEggQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""40⤵PID:216
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs41⤵
- System Location Discovery: System Language Discovery
PID:4216
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 138⤵
- Modifies visibility of file extensions in Explorer
PID:4228
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 238⤵
- Modifies registry key
PID:1888
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f38⤵
- UAC bypass
PID:516
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyMwooUc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""38⤵PID:2868
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs39⤵PID:2284
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 136⤵
- Modifies visibility of file extensions in Explorer
PID:3760 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV137⤵PID:1544
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 236⤵
- Modifies registry key
PID:5044
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f36⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:1652
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyEcIkUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""36⤵PID:3888
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs37⤵PID:756
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 134⤵
- Modifies visibility of file extensions in Explorer
PID:3504
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 234⤵
- Modifies registry key
PID:1696
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f34⤵
- UAC bypass
PID:3656
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOoIUoEg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""34⤵PID:1372
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs35⤵PID:1084
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 132⤵
- Modifies visibility of file extensions in Explorer
PID:4740
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 232⤵
- Modifies registry key
PID:3592
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f32⤵
- UAC bypass
PID:4384
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tegcAMUY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""32⤵PID:4696
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵PID:4936
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs33⤵PID:880
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 130⤵
- Modifies visibility of file extensions in Explorer
PID:1240
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 230⤵PID:1224
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f30⤵
- UAC bypass
- Modifies registry key
PID:3972
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duoAAIck.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""30⤵PID:3928
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs31⤵
- System Location Discovery: System Language Discovery
PID:3440
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 128⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4720
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 228⤵PID:4420
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f28⤵
- UAC bypass
PID:3552
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teQcAIUU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""28⤵PID:3904
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs29⤵PID:3992
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 126⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3980
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 226⤵
- System Location Discovery: System Language Discovery
PID:3440
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f26⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:3596 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵PID:4284
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOAsUUIo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""26⤵PID:3164
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs27⤵PID:4428
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 124⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3644
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 224⤵
- System Location Discovery: System Language Discovery
PID:2728
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f24⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4032
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeEEgEUM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""24⤵PID:3588
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs25⤵PID:760
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 122⤵
- Modifies visibility of file extensions in Explorer
PID:544
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 222⤵PID:756
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f22⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:3456
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEUkIgEQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""22⤵PID:2672
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs23⤵PID:3600
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 120⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4304
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 220⤵
- Modifies registry key
PID:2860
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f20⤵
- UAC bypass
PID:2260
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEkoMQQE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""20⤵PID:4692
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs21⤵PID:1032
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 118⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:696
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 218⤵PID:3796
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f18⤵
- UAC bypass
PID:4292
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWUAcMsI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""18⤵PID:4312
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs19⤵PID:4360
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 116⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4168
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 216⤵PID:4408
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f16⤵
- UAC bypass
PID:2612
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUYwEMcc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""16⤵PID:4100
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs17⤵PID:1672
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 114⤵
- Modifies visibility of file extensions in Explorer
PID:1240
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 214⤵
- System Location Discovery: System Language Discovery
PID:3972
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f14⤵
- UAC bypass
PID:1652
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKgkkYwE.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""14⤵PID:4284
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs15⤵PID:5072
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 112⤵
- Modifies visibility of file extensions in Explorer
PID:1424
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 212⤵PID:2480
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f12⤵
- UAC bypass
PID:1544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiQwwYgk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""12⤵PID:4936
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs13⤵PID:1852
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 110⤵
- Modifies visibility of file extensions in Explorer
PID:2192
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 210⤵
- Modifies registry key
PID:1020
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f10⤵
- UAC bypass
PID:3896
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOYIwQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""10⤵
- System Location Discovery: System Language Discovery
PID:4316 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs11⤵PID:5112
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2936
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 28⤵
- System Location Discovery: System Language Discovery
PID:4668
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f8⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:3412
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyMYIAgc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""8⤵PID:3904
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵PID:4248
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies visibility of file extensions in Explorer
PID:4268
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
- Modifies registry key
PID:5044
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
- UAC bypass
PID:1692
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQwYYsUI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""6⤵PID:4552
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵PID:3768
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies visibility of file extensions in Explorer
PID:3592
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:4276
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- UAC bypass
- Modifies registry key
PID:2920
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiMIkoQc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""4⤵
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:4728
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 2 ⤵
- Modifies visibility of file extensions in Explorer
PID:3580
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 2 ⤵
- Modifies registry key
PID:968
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 2 ⤵
- UAC bypass
PID:2916
-
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qacoMIoU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
depth 2 ⤵
PID:4376
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
depth 3 ⤵
PID:696
-
-
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\QIMkAIUA\NsYgckMk.exe
depth 1 ⤵
- Suspicious use of WriteProcessMemory
PID:3108
-
C:\Users\Admin\QIMkAIUA\NsYgckMk.exe
C:\Users\Admin\QIMkAIUA\NsYgckMk.exe
depth 2 ⤵
- Executes dropped EXE
- Adds Run key to start application
PID:448
-
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\DuEsYQwk\yUkAAkYE.exe
depth 1 ⤵
- Suspicious use of WriteProcessMemory
PID:2060
-
C:\ProgramData\DuEsYQwk\yUkAAkYE.exe
C:\ProgramData\DuEsYQwk\yUkAAkYE.exe
depth 2 ⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4812
-
-
C:\ProgramData\nQwcAcwg\nugoUYAI.exe
C:\ProgramData\nQwcAcwg\nugoUYAI.exe
depth 1 ⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3648
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
depth 1 ⤵
PID:3332
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 1 ⤵
PID:4100
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
depth 1 ⤵
PID:2480
-
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
depth 1 ⤵
PID:1492
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Replay Monitor
Downloads
-
Filesize: 433KB
MD5: 104ccfd8e7ebd319dfa9addf81cd6c88
SHA1: 976dad3a329f1055b11cf2fa240580a6f37a425a
SHA256: dd85ca35936ce8efdcaceb753d45928a9a597c1fe470c6a4cc4ec55ca8beac05
SHA512: b0d733fc064a7b4208d9e9d833ca70ba9dc0ccf42c295b94de194b90ff89af384a7666eb3193a0329b99ad59814dacd02ed323a5305ff1eca6a23365edaef200
-
Filesize: 429KB
MD5: ebdfa183576bb309b9dbed164a167d69
SHA1: f282130701f91a4e0c803b00cb3ac11eac4dcef6
SHA256: a9fa8f7dd520aae5443850ecf0373a405ef4e994b884f156aa830a273d15eeec
SHA512: 5e9b34adbe34adfd375088afde1c0af99d542c8f8d9653ad367f76aa819012bfd300d3abf8bef6e25a1c03520696f4d13e85e1cea7a44bb97441eb81f2829a18
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe
Filesize: 440KB
MD5: 181d6116f922343ff538ba0676cb0a31
SHA1: 0ee99800c064278df5e125cd32a269cfd2d9f5f4
SHA256: 40dc9f8aa52efc1f87a1228d524d8c65cb093011a08a39387da8c035960bc89e
SHA512: 30940b9ae9063df23c16450a0f6e5db96b17bf725b12feb1c3df067d95151fe83512930cc411d88ab6a3d08d5a6af224602d89191d5fe83846546ec0b608c2a7
-
Filesize
459KB
MD5f937eb1580f9ab26bdf675531f0d07e6
SHA19c031aa609381c8232f3089083e9c640acc1e457
SHA256612270efee014b9118d8d374ae08c5bf0411127b7c7cac4f0e3f656b34b8e821
SHA512375b1a912ce7a5dbe8163564cffa215c9c6849d2dd57c88375648bb3fce219ebeb707ab0cef6d5a4f53afd54cfb88f01550d6bddcee70b62aa35f5dca9d2cc01
-
Filesize
635KB
MD55a0b5e52e9da9f25e95463ec3f424bd9
SHA142ea838595dd24adf3f48e50748aa01350212a12
SHA256fdd7effd564983a78864b2b803d8c6b84112f98d0d1dc3ca84911955b8a91002
SHA5128569c0d023f3a55fe3a26e995412e0cf009956698e49d62f24387ae95ee1db8c2e15081dd4c9e7768c777f7b42c371f7040a3491930af6d77a5c31a5878104ab
-
Filesize
437KB
MD5883b93bd9e379ebcd1f759a318c99455
SHA17d9ca3b7ad809a64382feab502dc8530e4d71069
SHA2568a2ee821d838859acde6ab9b530c3614fb0c813cfe1cb5e2be720fc3a9ada1e3
SHA5128c57f96ed9843682e56882b6d76e85ebc5b2db07978404c6c85ebb53799a080c3e7fd26fb26f06fc5b390980f2df8ee568de99585e379c3fc580f7ca12ec542d
-
Filesize
446KB
MD54dfe4d9684b451beebdba76fc8502870
SHA10fa76bf7a4c237429ea17f3c0ecf93728709edf8
SHA256f371e27ea20041ed8deaf542edacc2dbcca51cff0783f2929d3564eb90a8ab2d
SHA5126a62b6a343f82900d5528bd46ae3fd995730fca1f4f20f5236f502f2fb7377dc8bed7e45b2b69ad5159a00c24dae6de1ccecae50a0f357b50625867b5dbb6bc6
-
Filesize
2.0MB
MD534b62d090508f6389c312b0b3487a706
SHA1e56753b66255ad2b311d4c038111743366ef2784
SHA25686917fc6710244ed4bc0b8819aabb38915a8153f72f4859f14d2fd59575e5ac3
SHA5124b968a5a612eaa30760783ff6d449ccb4cae0d319198a30edb55fa41baa1911f1ba202f11ab7a62331f36afb66e4a9a6833acf58934ccbcfbe269ad8ae278838
-
Filesize
452KB
MD5b90cb759c2872aaa377b76f0e8e433ee
SHA1c6ef92561bcd60db98bccb6aa6002b273fb75853
SHA2567e77f075147a3bc9d43da5ecea45d77f18fcba1d5b80ba9e70b18a8bcf654fac
SHA51285d6b52d0df8ad7917d4053dd328678f9dbcf4b07343be97930f6374d30742e59f3c895b89df8b1957882602846a640512014f4e8cc7cfdc25412eb72558c9b1
-
Filesize
442KB
MD5320bf7432bc94b13a08ae45aedda3a34
SHA17c09e00487e673e9be198f2e649c122fd338ccee
SHA256d43747f21466283a45ff5bf7660dcc6b442ee0b9986350ac5fa1b88d0b3699f1
SHA512f440118eec21a6122da19be1e402a331b29ecbeb7bfcdd89fc0b8102ffc102f2648f61e9951cc22e1a852ee095f21de3fdb26fb4633dcd7ef07e0faaf270e238
-
Filesize
435KB
MD55002fb97508e4ad3de989cadd1196169
SHA1f1e65bd3beb47de33c9a861e8983bec00bad485b
SHA2564eac05be3f1fb9814d20f8d6ba3916b19b6bed3a731e32e9663436317050b08a
SHA512833c64cde084809a365c8b7e6e0c1b6e9663a0267bcfdf426d05e98c35ecca9a650b242c001084c68ddd529459177e768608f5a008fdfefddd5893e344db43eb
-
Filesize
439KB
MD51656bd312f7f04609f1657af179cc546
SHA1b5d65def3b0b941da187a3aa21f688cfae8ad452
SHA25646e6a5e7b218b6d2f6ea53438a94979384eded24f82bd0a5e410c68a694d374a
SHA51202fad3eada4ac8763853359a0ad5886804d7114a15b2edaa4344cede6f4bd1d31c2e4ce69b4843bba55aea3e195f2a277e271acd46c81de04bffbe2895360f4c
-
Filesize
440KB
MD5efa2febccf3f1fd14a49d88d26f5976a
SHA1029733d7f66563eb49c47ae418c39f0f7850634b
SHA256784472543af5a3e9590efb5d4fe33cc003a57de014f6296973d0e2991b60de90
SHA512cd0d9cc485a24d1ce06f6f905600610474d1046d4452b81f7c26e585608485fde57cb53c80bd76dfe2d7db2af338c408fc0e22b8f81c949dfe48373ac09234f5
-
Filesize
439KB
MD56d85c4360cda022da2d8abc6adc3be9c
SHA173ebdab9f3e38ef07140e9ed87cd6f14b4d01593
SHA256db1f4efe0bbd0e3c859b7e1d8019b59499a2f1b68ffdf63395d6702ab9ad6693
SHA512fae418f3b15e6d49c5ded83b2e0affd92aa4eee87e83e3da08685db3b84da4f2fa7a734af4b6cf946af5326c50f469486c866af003de772f6caef0028cd56ef4
-
Filesize
434KB
MD5a02fdc99df697faae2995ff3dacc4925
SHA1f9256de757d1de54cfb2e541d0f82230c22178c7
SHA256f95da48ab6b4b373b7e085529ff81756933cef80e90287760fd0d518990badaa
SHA5125f17627ad8e2d4067591fbc52ad4354c31f54c0889d64844ea1c46239b62450ac16a3ddec3d9f00958037d3cf459f1ffb4f6db960187238e63bec52c988f6dc2
-
Filesize
1019KB
MD5ad8cef161cdf26dbd20ca8bf6d016258
SHA1a2c832d4574d5ad71580f45e5bb8ae59b6b2aa44
SHA256c1e974473e119ee3cfd1990d31eba27b042ab0aab4244d27b76e64f7049fa1c7
SHA512719f67f239f2c33427943b98eda590bf21d8fd67f3d1b9d1e3f06b7044215891a0b580bd998e9f7d96325efcfd7457727a2aac1bbf78277e71d02065599b236f
-
Filesize
437KB
MD5887f65577e51d928b876247e5385da78
SHA1bf1b867b7c6e9bc34faffd1f549afdf76f872eb2
SHA2565985f9e7dfe42a41212f62a770e5e31d2f25bcbc2fd40f92f1c41e3ba6745cda
SHA512652e18d878a1df0a9808f17d5c0f3e019d8a34eb9c0f6519c37ca95e970c471b2b6c226eb0aa9f860df5edd455b9396ce5b7bae90f82fa9d638665b5efa133f0
-
Filesize
438KB
MD5801cfe9edc872371b3423cd1ea9c4f2c
SHA12c7d1573145ec67081929925fa05d07b1d7627f9
SHA2564db53abe6109fc75a6b5ed1fc4c3ed210491faaeea0231fd270f61d8f1f35275
SHA5128259a1135431b3c95eba29ea4051b0e6c653673e601a95a2cf2061692d113fe3bb5a50a22908d348bbea1b7c89cc3fc625b66f289fa3b8e4ab6eec91c4aa2519
-
Filesize
28KB
MD51f93b502e78190a2f496c2d9558e069d
SHA16ae6249493d36682270c0d5e3eb3c472fdd2766e
SHA2565c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e
SHA512cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3
-
Filesize
447KB
MD59a55fc628c6639ee612730f22c95d8a4
SHA11baf091338a7064de266d46f75376d26d9de18ca
SHA2568f9fcf9503e65b0423ca9257428797ab487a451367e84dac2509fed2c1a27489
SHA512083f0442a573372ded2528030356b146a5a6732191ae83099c1bd6f60e4a786f6d3a367e56e0eea55aeb66ea8a7cd4d8bd3dc0d9537fdc96c173c6ca8fbd666d
-
Filesize
560KB
MD5292e18ecc5ee9de9a1dd1e54bfa2e858
SHA1acbdf97c06fff32c762ffa61ba8a83726802c7c4
SHA2561a0a3109ff40c1ec995adc937556880c692129c72d706577d747fa891ab60d70
SHA51218128d2a7bd4877d278f2854d787df72360d86c22bd42931b465b2eb7bc9f9452edf78190bc67e9c7340556a7c86a642f3fb5f1993aafabd2dcf75aed02e45a2
-
Filesize
473KB
MD5bde656d66071b691e169a1b62acfa3fe
SHA1aca7980feb3291d3dc6434844cda827252d35b8d
SHA256f3020a4fb7d81bca24d2b46124014556834efed8dce4392b73ac2839a840d10b
SHA5123658b48ebc16d8f421d089e1207484339891f6038c605442060df762b26e156e3d80d26e280e8db016189f768e79fe590b4ba0a86daa46e546c0643e23d38995
-
Filesize
442KB
MD5ecea104cf6fd77922a2b71541c2c23ef
SHA12e48d49a1b9cffb10045f148459259f47db7659e
SHA2563b8157309fa177396eb51c9f60c77d562dea05c22a7f5edd797034f6d86fc8d8
SHA512b4e1d5df3d4ecba4e1809fc1e4a10396f6d07da7af6ad245b3a10e7ee3b66d082eb7fe1dfae239cce820374bc54621a75987e80d5c9c4ae09271bea36e5149b8
-
Filesize
437KB
MD537063a005db36a1d1a826d49895e483d
SHA10c00eee12532f4c71f7279b3e8794afc6cd40cba
SHA256a0107c96aad4d80a81846503f50d2e587361072617fc8d74a61713630dff48c0
SHA51299613bbd963b4719f855c740bbcf6382ba3244d4f9d8572c9c640529a34c5db4910ff69a4bd79d443f532573e0ac135971b4320b1ab67a135d523baa7fa80f97
-
Filesize
792KB
MD54ef34e1ca5593ae12f4c92a038d2cd1d
SHA15c7951ae22f5a45edfc860abf1163a64c5ed6dee
SHA2561e09c73e421fb6629bfccd556ae6f03fb5ca4efcfc23d8352edefff23b210d19
SHA51278521a042682708461cbc633008cb9c37c372c6146d3d1412dc42f0a5038c17b53794dd1b14bac263d6432c50101c90dcfbb26ee8e356f4234febeea86e9373e
-
Filesize
670KB
MD5b6e93788387a8bdfa9859e8029f0e365
SHA187eb781fcece373adff8aba3b4b820ea9e4839f0
SHA256e702d071ea5ea18f356cde8b2090ac161e7f6f02bda10c0e9655f513db3be3dd
SHA5127240f10fcf551b06a8c0c457dfa93fb7e471378b91d0e82a10f98cdff3337c52a3f72063d216bf1fb6f8f7bfb237e575500e411e58b81939c0395b771265a4d7
-
Filesize
438KB
MD52a678449b974678785d3a0fb97d7ab94
SHA1178054b630ac671baad004e9549f8f67c6bda260
SHA25610ddc861d45e0f7ea6fb284d859eddde1908f6d606ee3c6f505a74b7ce63e557
SHA512f63aef848b14f81b4b269aab935624d3f9cec4b46bdb7c6613795a99ac0c77d8185bc8c4a8264cce4c84683a3e2634f3557e27e901b54072839f0ee0de5b723c
-
Filesize
439KB
MD5e7dd2f011d3cae7a908334a837dbfcb3
SHA17bc43af22f69e4edaac13ca960966c7ed503b7f4
SHA25678fc9a17a6c050906c46b1e3eb2789b7ade4f0633c141c1fa34fb3fa164d6ad1
SHA512325c6a4645d7e8145b79d2d57e5698926c9d0b38a8c16a939214851679c92a7f71521034642147180fd2c795e6a350316ac507c2be47b50f691acee18a00623b
-
Filesize
438KB
MD529d4fb675ffc5feb6c87aabb07ba62f4
SHA1aa71dd96e720913dc8467297a062e5950c067414
SHA2565e86c96da15b4cead22eb90df168d245f805476eef484638a13306145c6201af
SHA5122addbab4458d94fc73faebc61a740bcee5e8a18f3a3ee20f2515b3364f8725669b11739a5eb8ab123dea57994bb08579694b46ede42638ff5a467bcbff4b4091
-
Filesize
810KB
MD55502cde963cd3b84d91595d92ff500eb
SHA14e1b5267743ae799c079dc6c4b71a0ae56b99aff
SHA25665aba2afecd11fcdefd87476b6a344827445e3f025a7fd33610e641ea1cd6c72
SHA512c77db5ce36cfd0747202ef622f9fc6d87078f658cf6822999c4c1962b3b00272840d372bab795ab2beeb1e0ab4623d37da5abfb76a6fbbd5ef8099fb8135b435
-
Filesize
434KB
MD522e60e3d35757f399fcd37478de8413d
SHA1f5f634888a5341aa8761f4288e2786bae5ad999b
SHA25630f2a26bd2a9b50dae9da730f644c83fcea19a30b691299ac6b3d9ee84f4a04f
SHA5128395bcbebe4908219b3b6c8ec12e12337c8c8394eff2f58bf46da0f067068571d60f03c47197ccfbbdb5ca5e3dd6c2de9b763ef8a56264930facea51b1e64c34
-
Filesize
443KB
MD535c7b6a830365e0fcb5e59e22661384d
SHA129c614d2b0362ec3dba558a107238b1e9cc450ff
SHA256fbd7b7af7e8e06566fbab72c85b59aeef980583a2600a18e5ba9c20f1c9b60a2
SHA512b0b6edddfc0efc48b1fa629ed77460b0d835a8d855d12366b6e8bc59f2ac611599a6d53c81b86642b865e282722734e8ab9272242cfc92aa8876cc35a65e5718
-
Filesize
877KB
MD51ec175cd7bebfb3508de0f9bb9fd9f24
SHA112f6476a0dfc366050a7629015e488699ba4afb3
SHA2568e0eddb14e9e451f77a14aaf481fd0860bf904f42791e3391879a6bdb007c833
SHA512e024c87d6cf62c344cad0c97adcc3a9c200c11cee804bc4b797b79a21a19c4b30048d231e9800122017b4e6cacd4a93712cd1bae37ecc3e3010b940270bd2c44
-
Filesize
440KB
MD595c1555ee883491d47fdf5bd7f614d1f
SHA1ce087f356acda238c5b20a3c42587fb992ab349a
SHA2562d703f8b49935e687e519248529e6a0a8553885f79e6c5b80b61e9b11f045495
SHA5126e4006d995aa5ca517b94804ed345cd570f2a500addd9d6750a240bdf62e86e65ba692ea1d8658de24add94e871c2f496da40565fefacd2c7424fece5512a94b
-
Filesize
1.0MB
MD50667519095014036bf61c4e8d8a91a0e
SHA185c0a0883bf54fe2155de5eaab406d7b86f24804
SHA25611e80a0116af4b0b18131bef2dddc9d9f3a7d18dfbc4a4c98ec85d4acd5504d9
SHA512b7c175e3e384b0f2a6bd045bec5a1dc0ae57d2c5b11e9a33b7c7564cb1e1c00889b490445eef9c0c39be0c6b6cccf61ea6e827b60492a1ed19a0aaf90cd0b6c9
-
Filesize
443KB
MD53232d2607b2336b0d777bd772849c62d
SHA1b752e493888e50dd927acd7af7fd980af37ad1b5
SHA256bba7762135f33f4310d1890f9080f8b9fedd26f578c730f60660c81bd842e245
SHA512a27639a521b52e76ff26ebd2c68de3c04c7cefb2f99a7d2c4902a5f987117e9184313d8d2542e207c925f55648ed2a2ed2de5e51a1baa8fd0cfd7c477811b3c0
-
Filesize
432KB
MD51fdfe43a7993cf5e5e46c38b74b4be55
SHA154106db4f3969c2f0076da691f0be33c4966f53b
SHA2567ad7f8c48f9c9b06d0aefb0b02c1951a6a04edb993e9c7eb223477ffbcd9e4da
SHA51200f90c3134be4993a6c6473e9c80bb91e1d535134b633b88e8a3521fedf70876a5461383e3701da04b322e178146d28b9fbebc50b553afa724786e8164f1cbfe
-
Filesize
1.0MB
MD5891bbe1fb75f7fa36d21376d5f7767e2
SHA19c47398888540222fad98f6afb99c1e9ab87e838
SHA256ee6376d9128e2475fa1198f08173e277cffb8d436a5c7f5ca996559d1af7e75e
SHA51218869719037184aec8ce8f55a7e07626a3070b9b61799118b81e23f3a60cedc126efc99dca3902fcfa80466925672bb39ce11011e3e0cd24fb0c52e624e7e683
-
Filesize
437KB
MD5 0b1647a5af94874f958a7a2038f5be91
SHA1 1f5bc013d8dfe8d5060e320b7e835a72d234e381
SHA256 81b11a52f03ee538e2c36a6ac5177bc5b474ee38b0d74fe687bbf1c0880290d1
SHA512 cac9ede230a78b6ff2fd94fd3696adb8390f608b1a6bca86199197b05f70093205003b54ebda682a32b9e7311165361e555a2b4b13abf6bda3443825b1dde96d
-
Filesize
437KB
MD5 19c83a1466b2226a6884d3ae03f1ec8c
SHA1 477378ce75376a457a9d0966133240b1fbd538a2
SHA256 75512500b6520dc4e45a55d325ca7ce6353a4e52dc1237e99e02f3f0f740c534
SHA512 38ec599a9493307854a17a4a96c0b68434c4ae52de5b99f59a4f7cade97a8bb11c2d4eb7802ba49f58e329bed1cd25e616831d06f14b1132212e582d6b7a1b67
-
Filesize
443KB
MD5 9a6ec21a49abb2808a46933142ad2e17
SHA1 1701b674701ef278bb9297feed8ef0853621e8ab
SHA256 d393cdb655e99ab0179c32090e8c7b1d9ca1a1e28f44cd2001a708676669e3f7
SHA512 1d1cc743ce11a6bb8f7077139116dfcfb22601c75c3d8de9cf412ec8861111a54e7bf679abf744838813208bd9b0e55917dc41523b220208613e60651d15f70d
-
Filesize
434KB
MD5 3dd240e7dca05ef4659e2f8cbcb304c6
SHA1 2280b429eb7f03b5d7f24fc5b95804eb4c7e6bd8
SHA256 f64cf12695df43d126fc611965e4e1d56bf5762f4b463a96b4cc5d911b8a543e
SHA512 23ce9d0ca9cdb50c8944e7ca870a187ea96222f4ba138387d20502834f7edd6a32988747ea1418d4e5ca91156dd6970c1ef7e6f866031b04221e84bbd2ab827a
-
Filesize
444KB
MD5 2aaf7487b4e8c318bbfe76637901311f
SHA1 d1411b753674e9076ea84bf76b3a18339a49219f
SHA256 bdc2016c986635f8ec424c125a41483bfef841266d87f091df29ee7745a7ee68
SHA512 976073355139bda692d4945b0e746c294a7e255127aac9fa25fd857c93ba8505f5196116b8c818001addea1fa0fed46b903c4ad3e7b0d8add75494d256471907
-
Filesize
6.1MB
MD5 f7774d8c164b5347dc3b56cb5362f969
SHA1 41c3be516fea51c7e6cdde7f10e06a65681aaf37
SHA256 c815e872b75ad136f4609c01882dd6d3dce00474c22da9f6dbfffa96560bb70d
SHA512 34c6c0b395ef55b23492efef7d1d7ac1b38ae42b04e5c0ef27e6654f2a1603d53ab43b42c5c44869bcc9e57313b3a57bd4113d4af34602badca62a0e83b8ee21
-
Filesize
438KB
MD5 fc5523bbc70af4b21e83b5f114902616
SHA1 dff321d4a8694660dc39a036238221086fa7d545
SHA256 ae77bb4bc3804f935d12bfeb6abd64092d95989d6ce095e7551aae1752ce8dc5
SHA512 c2dc5ddd960f1f32d4d544067221adafccbc982b02281308f392325e5cf0328b278e0cfc78b71a90494b7a2c838d14e41a20784cc11544fd42f7ef4037b97e82
-
Filesize
436KB
MD5 2732f61d4bd07609d47013b2670a2a1b
SHA1 aa27b3c89eb1fa7f3d79fc7d6af58803e9b94e3e
SHA256 f0ae7a08cdbdd0bfda81db48ab2ea79b35ce233cddaad48ccdb80983ce0d3b92
SHA512 7ef99086ed31e9745856f597e7a6c1c0a416246aa1dd9b1ad4ba7af140f8996bf7cece0589ccb91afc4a57f7e1521dec80d2f05d269260326bea4ce6eb98ec9f
-
Filesize
886KB
MD5 532a7c419f85660f1b87624ff2b19880
SHA1 80f1c79d7aa65a721a6aa131ae7d1815b6946c34
SHA256 d878ecb566308f841907a09e72bd2ed9dc8e7ec4686a6b67a6fd499e9c10f9a5
SHA512 1acbf647adf323fd2a3024dc4a6bd12c6c14e5afadfc677cf17d2bf39faecec87b97bf633ce177b77b971524b823e85647015dc4ff30bb4add056b8400272aa0
-
Filesize
437KB
MD5 4464923fb5d44357e7098d486d86ea2e
SHA1 cbc243dcb3cc7ca154a8cfc42dc244808a5be51c
SHA256 b53c110d80f6e887b4908ea3ea7fd1db65e1de413735c9651118d187dd18d4bd
SHA512 af63cf6eb6775be5c2e605b48312f6da1375e37084e30a98b3497d6ce4cb3832f0a14ca9f3e9e81632aa7e0b62bb164469d51be068f3f2fcde2401bea74f92e9
-
Filesize
887KB
MD5 e032e61ea99ff1f4df2173330252b7e4
SHA1 49d658200baa1e7ef735b320645d5465942ee9a0
SHA256 eb87c1d8dfa9310d43f2f114b16f78d1d1b97547b2f726d9b7a9e15a484d3641
SHA512 6d099e4b38cda3a756a589aa67a2847ec06cb718a5af3c145eedc91dcaf32539fb8898d3ba09fc9608d7fe8e160e7bd56f0ea37c3b9edbe91a834f35acb9943f
-
Filesize
437KB
MD5 7054aeb61f9fcef396bcd30dfe669a21
SHA1 3b16a68bf448ca5500b9c3bceebe0bb91a4dcec4
SHA256 69b80c31499b34bf6bfa4edab6ef2cc72ac7f510217a85dba2b7590ba6b36209
SHA512 289598d44a6ed37198b59f2b66135460441092f74f5e0efc0215b06f93b75d9c0005f2d28d0481f807fd8b7943c87c94d12aa8c65daf2715d14b71c69d73eed5
-
Filesize
1.0MB
MD5 068073624afe0c809457b75d8813de1d
SHA1 11721d91d504ba15e36ca9737c5d6805cfe7cfb9
SHA256 fdab3d60bd5b033c05223bc0b3b138b9fe13f89bd92a3592aa18f1d79b17af2e
SHA512 6a90996d510b40e0052be6e23917a0c65c904f1ec522309246018c494e5292d60caadda6a86da6a5f75c4e2bb720af60b7f93cf84fe35cf1b80f108a8ef1f2a4
-
Filesize
879KB
MD5 5ec90428eddfc705e15b2668bf9292a4
SHA1 b953977c950929b5aa783daa9ab2fc4908401ca0
SHA256 18c6247cde66dcc5e4e276440412cc63999f844d3470428b480b8521ea4f3113
SHA512 c4986fc2fc6386247486217ae36611b3d9910203caa2a5ab71c752acb833452b494ed820fec1237c6262aaf7b960e9f6da1e5f3e26aa1f5a6886055db34c7286
-
Filesize
503KB
MD5 8c2eb12ea7d5b52120291ab14f9f0e81
SHA1 3ee6a0fca724e2b7540b566426922703050f72dc
SHA256 4e2c14bf6dcc84a8e1470df79ebd4bfb5881e62454a7cab839cd9dc225fc5dc3
SHA512 deb5f761e688d1de03b17f866a7b47123ef56fdcdff8117eb5b38b219464ae063c49d524f7c1cb982799d983653ab14dfcf7219e13f6715ef9125b07214f1c97
-
Filesize
1.0MB
MD5 118fc2132e7f085f80c7e266777d3311
SHA1 55defdf97da6c8c63c225f2d792d156015d9bc46
SHA256 e1d2dca1ee9fb6211e7b640452b736ffd4dfc18e859982890247b8d4230ab8de
SHA512 5e413ad73d1f056b9dbde0d5034fa3c85fbc4eb43f567ccf6ef7e861daa93da960a32504ebaae8a7e9a86ae1b1a7322449c5c665c30d91f4c841984a40791b15
-
Filesize
433KB
MD5 29e1289c5cb845119bff1091a714a064
SHA1 c35eb013468236177f60fb40850d7560981b0930
SHA256 cabfc82ab42ccf19c8a782775d12a393f8b63db167d74eb4d8db2d912521d343
SHA512 4549140fd9b635d92f2527b87cb5b2248985062ac950a9f6303c80191f89d0e3bee3d6763e9e6f63ff0d2f67d36afbaa8bd93a111aca6371f286455a29e7122e
-
Filesize
891KB
MD5 f44ba422a07c24d4300d67b4c0dd5cb8
SHA1 d05d64acbca46617918eedc052119ae3dcdf3910
SHA256 3489dbdd45164292a51436df5318d34411f8c32de7aac496e935b7bf758b6a66
SHA512 04a5e40da1028863efdeb53c67e3905a4b484702993cc4e0ebe06f0f65877ad9ac1dd042b3bfd1510452b68f810a41c9ebb0990ac6dbacefd36b76f62adc3cf9
-
Filesize
19B
MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
1.0MB
MD5 68d3e3ded4a0eb3217c47b424c49dd8e
SHA1 dad8b4977b9ab374e6548535d1221bb23698f884
SHA256 3c60cb3806c521c3174e32c4ae2827de2ef87db27d6e7b88e3080d6e269fd7f6
SHA512 8e0d7f91dfb313f24f611dbd5e46d1b7b374e6e4fe6543178ab0a56aa6b08e5451b4b42658a984eb14889858feed254b5150dced1a21dc78a79859f39c50b11a
-
Filesize
439KB
MD5 d5acd6aca35aaed98bd241ee431b9538
SHA1 ebc5a100042d3802c5bd426dc300ed08fbfff71f
SHA256 3629869b7cfec6606e5b166b489abf671f1603f087042c9578dddbed100f605b
SHA512 05ae4dc689a629927ffa49d02f7129ada36eb18949bf94bb835b517648829d703f69c94a59d0633f52d0f669a919ecd9195e852744c4a619078029959de0fe92
-
Filesize
846KB
MD5 71e204e916f0aac4325e98fb91d9f188
SHA1 29e6931d43a4cc7233e3b5d2a55bf71a84c8d947
SHA256 ad012a97bb3da6ea2a9813ff48e2e4a092ae1f0012483dbcc83143458eb50463
SHA512 1e39dc9c819890689d3b7b6ac1efb4e5207e6f5f15b9f6d04d83c025ddd788c4f2ccc772c1ae5009aafee07c51fa0600924c2a0a59c574c3bd0dee4f50f24282
-
Filesize
446KB
MD5 dbb44b664a72744e191aec591a9c6d24
SHA1 f606a33fc709c75691dc697d5c6331b1c2e28440
SHA256 25822c516ea46a30640324c63d79ef86153b45e8ad834542bbbfb8c3d61510e9
SHA512 11d3f6235eba203ba4bc5fd9d2fdb8b827d2b0b612dc120e733330568096b6da72ef6823658252115e23035decbceadca1c055476e5f72f77bb584f8297361fc
-
Filesize
4KB
MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998
-
Filesize
445KB
MD5 4b2b2e909b9694e7f4e72fce86b7d1af
SHA1 477fe4902cf340fdec5b3546d28b51c9b0febd19
SHA256 788e1764fc909ee051c3571a4ca6a28897ad6ba3ffe66a902d781f4ee654d298
SHA512 66d992127364a10fff7b79b3df0d1f17c6ccaa67242e38cc8c6fd9fa4fc321d841f706509527fce21cc6c5fdea8ba1b2fe8d0286b726ba311f3da538b56d6652
-
Filesize
5.7MB
MD5 59ef2b13e61fc8dd7c580d4ed29155a3
SHA1 1a7b8360ecdf5e59469b68624f0ad164d38bc829
SHA256 4b37be352340d8dfa9708d355ce9de89ac63cd530a7d4bc6e4c20d7894f7750c
SHA512 ca9e24fbb2230e4d555f0b1e1cde57694722f8606cf37973545644bdf9244a8483e33ea98a994f67c91ee27c88b697d2266bd46b08228401c460c07a964485b3
-
Filesize
473KB
MD5 f3423d76dbc526da3a37f269c0e2742f
SHA1 c4480a12ab94bb370cbe991a98b86dd635f7458c
SHA256 d9a984a02266a276932a99dbfde61dff415e0c852167cdc1d9e1dc14e2bdcb00
SHA512 50f2fe6d7d031da70bf1fb9649d38c69d41c7c284ded7109005073a5ba422a424a438c587213ec3fb9bf1c8b7869a6d88f432eea09a04474bdc6e21f98e50793
-
Filesize
434KB
MD5 9b7b4a88e5144038ceb507117349bce3
SHA1 2a490bf1ea7636f2ff62eaebedd7768c52730d1d
SHA256 c9b0c96ee73afcd58bf121a5953ca57ecc9793288a97521bded0d74c909ac987
SHA512 35a03cc2374621e7ee748511b25ba40a006443efb686cf396f442a7e55dd3949db7e0fc1c7d01dff2de1160d4c7b744b1feb67b418d0daa6edf7019755a96918
-
Filesize
462KB
MD5 68239ed20f42a4c3f67897f380902b54
SHA1 09321ca30feaccbefa65f7f4d89b4670adf2d948
SHA256 9cb3f7442138fff84d5c829f99c2929776410aa7cee33b390153572c9edb8cbb
SHA512 687df6261f0575d11071e4be6c0bd5af582c2a860dc20592a261e1445149527e46a24296270a8aa21cfaa4cc965c0add08fef17e4c40c52c176472617db87449
-
Filesize
447KB
MD5 68b54fe5e8c95cac8c89f362b40572fe
SHA1 762e57e717c61a7fc9b9872267be401708f4a27e
SHA256 072de302d56380aa87a2f93d75ba8d09586ba82e8de6de699654c318e7c8f0b0
SHA512 a2c5379a43c34516e3eeac22dd2f76acc800e25622bc861e68e5df1bd2dc6b8319d4cb195f8227e26b6970248b0fbe3091bf612cd87881642132ce153afeb743
-
Filesize
436KB
MD5 5db40cce99a737f3cc97116f3aa16c33
SHA1 378c8eea5235470fc1b506c21c839cd3b3817684
SHA256 e0c24397d8ed2e07c61929080147bd4f936e7417cb698c80fefd3b6f99b93e45
SHA512 0f95bf79ebab97fca435ba2cad8dcf522382a1220b0125f7a0506469a10de124226cf0e5fa1258ced2bb3abfebe80ec1ab8996beea85445cc8a7fd050ddbf071
-
Filesize
447KB
MD5 e0332c860b59725a8dbbe266c8920711
SHA1 1dd5f4147618a8c0b8e126c30bac55aa9af69d4e
SHA256 7f26e12263c46db61e7a6665afa780a658aad3b5db2ce3719f0be90155e802e4
SHA512 0096f89401b64e8cd31a0b921fbfaf15cbcfbc217d58f0c17aabb4c5c5ac79b7cb0398a9a535a6685ba9d7bcc5784f24f819671e4357c2015676c1e92c4904c9
-
Filesize
437KB
MD5 cd2e7de205d5f387afe754364b3c1bbc
SHA1 6aded3dafddbed97bc4ec23a7058c319bdd7de4b
SHA256 c552e1c48f659d23691b31017a92bba5a3a08ce744317d23a0b7391f62fb3709
SHA512 8c1af3ea9d59b4b49982232424559c9d72a99d2fc3380a0ea7b3558e103cbf48cb445d2d03f92b37ac28063a3bcf827b1dbb019a3c2cad290c64a4430e25353b
-
Filesize
460KB
MD5 05400b5d2b2b0a3a8ee3c9754b27ab78
SHA1 119ee4f33af17eea7b0462ab0dee6c89dfd0000c
SHA256 c2ef448f02548379cc8f8656b18e109f7a5ec262f5bba176dd723b370cb2cd27
SHA512 3d2d776a761ab3c013eacd8dcfb097269fb4ae018918465ebd87277a7416c49b8f1528dbe2fd1b52394877fc8a31fd223a7f587ba02ecdf7a335941061c450a4
-
Filesize
438KB
MD5 9c56696a48edee2e07a2f8d519768329
SHA1 8181d795d6672aa63efcd5dbe39a07a0776b9c5d
SHA256 bd6dbe2cc75f01dd7bb5754a1bd1e130e0821461b678c712a4625e2f08a9a194
SHA512 3a2eda3a06fc1a1fe2619a5a27a4e9751cb45a4667c0e0bf2b7471c67153ab17903eadcd52b455500621b2a5fda488797f97aace978ddcef633123d8369bcafa
-
Filesize
112B
MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
561KB
MD5 a9815c2ffc1c8e6410c453feb35896f9
SHA1 26ffa958a5f7514a2dd84f2b047bb6e18d189d4a
SHA256 11a5afd88394e35ae6e5e775e57c1c4b1f8a6265bbb1a4e26105994af1c0dcf3
SHA512 139a4eee9caeab0b877ff4adb8d03fb9caf2261842284458613eb44d8dc9066e7cc921b618c6827520ea2ebf80b28ae4c424f113d65c1d886ed06f8781e47a92
-
Filesize
1018KB
MD5 769120a3fc2afad6df814899ae6f71a6
SHA1 8b9ba6461cdca08d20ee27645c7a8b178c1899d6
SHA256 9a0782dbcebe541a3acafecf44d1158ae034c5a499ed0b83f235b3a684bffead
SHA512 57ad242cb2d052215d35cf0e7b8740eb0d6a13d380fd9a57ddf7f054712087359fc0500562be9c8c95fa5d4f335f123c69c2a9c34874b620b1eadcd0f302b5a5
-
Filesize
438KB
MD5 4c82c3c055a1bd100512146766944925
SHA1 02017ec68063447fdddd0c053af52298bb9100d8
SHA256 22e051e4c6da8172ac37e20ea1b9cec324329b806bf6163ee02975b4fd3cf6c0
SHA512 d97ffe66967599af8ab4f78137b90447c7a1f1fe77a36fa78a080890ca13dfff6a863e89add013edc5e315fb25b022a2c3e9136f54c694b32878243504db1b8e
-
Filesize
4KB
MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897
-
Filesize
4KB
MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462
-
Filesize
437KB
MD5 dc98e33fded28cf249c21c1a967d069e
SHA1 89948e0b4fc7439f0636f1405bd4b29c1d414e15
SHA256 6b043312e82019c72480fc23b2e9759e7c6cb26187c992f7c05929d0553b1d32
SHA512 42b0e5d5ec234c3327560ea86ca57c90f8917243822c469c4f2b85336efb93f6e5d731a143874154635bfc379445ccb862a55eca6f463b31f7b7afab57006c72
-
Filesize
434KB
MD5 c60c9892550be94e6e8eeed918087199
SHA1 306e1d9f68144b4dcff920c974a425df771f0345
SHA256 de0334278af8446457eae2c1853d13e49bf0ac0ee57481e58f9d00251c3a2baf
SHA512 a8b5a87a4ab88abd10aaa5c88d2ca7da538605f085fedd29e0bbe89875d2447cc156bcd35eb6bf6b215a0b4e6d552d5dd0b023a042b7df79077a42d72ccc2863