Analysis

- max time kernel: 150s
- max time network: 110s
- platform: windows11-21h2_x64
- resource: win11-20250610-en
- resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 04/07/2025, 17:27

Tasks

- Static task static1
- Behavioral task behavioral1: sample JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe on resource win10v2004-20250610-en
- Behavioral task behavioral2: sample JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe on resource win11-20250610-en (the run shown on this page)

General

- Target: JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
- Size: 464KB
- MD5: 1c6ef7ad96a4b714103304a583e35ac0
- SHA1: 651e47b068efffe3d1eecb89ac0db0ba2d704b9d
- SHA256: 72ff03ee4a4ffaa7e1dfc4e03ad78940d52d24bc6b55dd9ed8584b795b882ceb
- SHA512: e9266d824e68c5b66287aff8c3f94926c2e3cc18cf43dd629888b7ede937bb2f91709aa344c78a366734886a973a4979063fcc7408b3ee66b8a66ab3f85f5cbb
- SSDEEP: 12288:RcDzQkq2sSapMDOmvD8JQo/2HdxAiV+ybW2mBHDitYwTEfJi+a:RIQkPbkMqmvVoUdaiV+tjiGLiX

Malware Config

(no configuration extracted)
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 30 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1", written by reg.exe (30 identical events).
  HideFileExt = 1 makes Explorer hide known extensions, so a dropped "name.pdf.exe" is shown as "name.pdf". The writes go to the logged-on user's hive (HKU\<SID>, i.e. HKCU) and are made by spawned reg.exe instances rather than by the sample's own code.
- UAC bypass (3 TTPs, 30 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", written by reg.exe (30 identical events).
  EnableLUA = 0 turns UAC off entirely, taking effect at the next reboot. Writing this HKLM key already requires administrative rights, so if the writes succeeded the writing process was elevated; the sandbox label "bypass" is loose, since what is observed is UAC being disabled (defense evasion) rather than a UAC prompt being circumvented.
- Renames multiple (57) files with added filename extension
  Bulk renaming of files with a new extension is the sandbox's heuristic for ransomware-style encryption; 57 files were affected in this run.
- Executes dropped EXE (5 IoCs)
  PID   Process
  244   KMcsAQMw.exe
  3440  UEIAIkkk.exe
  1472  xgIIIcQU.exe
  3612  KMcsAQMw.exe
  3460  UEIAIkkk.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
- Adds Run key to start application (2 TTPs, 7 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UEIAIkkk.exe = "C:\\ProgramData\\fKIMUoUk\\UEIAIkkk.exe"
    written by UEIAIkkk.exe (2 events), xgIIIcQU.exe, JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Windows\CurrentVersion\Run\KMcsAQMw.exe = "C:\\Users\\Admin\\vAEQAssE\\KMcsAQMw.exe"
    written by KMcsAQMw.exe (2 events), JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
  Two autostart entries: a machine-wide one (the WOW6432Node path shows the 32-bit writer being redirected) pointing into C:\ProgramData, and a per-user one pointing into a random directory under the user profile. Both targets sit outside Program Files and Windows, and each dropped binary re-writes its own entry in addition to the parent sample writing it.
- Drops file in System32 directory (64 IoCs)
  62 of the 64 events are UEIAIkkk.exe writing four-letter .exe and .ico names into C:\Windows\SysWOW64 (the 32-bit process is redirected there from System32); the other two are xgIIIcQU.exe touching the LocalSystem profile, mirroring the C:\Users\Admin\vAEQAssE drop directory.
  File created by UEIAIkkk.exe in C:\Windows\SysWOW64\ (20): QYoc.exe, ykAi.exe, wQMG.exe, UAYW.exe, mksE.exe, Asgs.exe, GQIS.exe, uooo.exe, mAQq.exe, goge.exe, ysIs.exe, gwAM.exe, yoAm.exe, GoQQ.exe, YcAE.exe, YUoo.exe, IMIA.exe, CIsk.exe, qsMs.exe, QAIA.exe
  File opened for modification by UEIAIkkk.exe in C:\Windows\SysWOW64\ (19 .exe): MkkS.exe, Asgs.exe, ukcI.exe, iwcq.exe, oIku.exe, CYUc.exe, ykAi.exe, OoQe.exe, ywEC.exe, ssgU.exe, IYcS.exe, uooo.exe, yQMK.exe, ogMm.exe, SoQy.exe, ysIs.exe, UAYW.exe, wIIC.exe, mAIc.exe
  File opened for modification by UEIAIkkk.exe in C:\Windows\SysWOW64\ (22 .ico): Gsss.ico, aaoM.ico, EGgY.ico, aMcM.ico, qyYw.ico, wuAw.ico, kSwY.ico, siAE.ico, wWkg.ico, CGow.ico, ssso.ico, YMck.ico, SEwc.ico, QEUY.ico, kOkg.ico, EoYE.ico, magI.ico, ymUc.ico, gYEw.ico, CWIM.ico, AuEI.ico, GgkA.ico
  File opened for modification by UEIAIkkk.exe (1): C:\Windows\SysWOW64\sheUseInitialize.docx
  File opened for modification by xgIIIcQU.exe (2): C:\Windows\SysWOW64\config\systemprofile\vAEQAssE, C:\Windows\SysWOW64\config\systemprofile\vAEQAssE\KMcsAQMw
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
    reg.exe                                              33
    cmd.exe                                              16
    cscript.exe                                          11
    JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe    3
    KMcsAQMw.exe                                          1
  60 of the 64 hits come from reg.exe, cmd.exe and cscript.exe, Microsoft utilities the sample spawns (system binaries commonly read this key while initialising locale data); only four come from the sample itself or a dropped copy. Treat this as weak evidence of deliberate locale checking. cscript.exe does not appear in the visible portion of the process tree below.
- Modifies registry key (1 TTPs, 64 IoCs)
  reg.exe PIDs (64 entries): 4784, 2568, 5252, 4724, 1876, 4208, 2564, 3076, 1392, 3088, 6064, 5536, 3456, 1252, 676, 3808, 4880, 1968, 876, 4900, 3428, 3056, 1764, 3944, 3068, 1756, 4656, 5748, 940, 3584, 5404, 4792, 5472, 2692, 4700, 1436, 5176, 3496, 5400, 2212, 6112, 2908, 944, 1704, 964, 3052, 6020, 4524, 5488, 2088, 1960, 5984, 3452, 1644, 1548, 3452, 2540, 5292, 4792, 3400, 3780, 5640, 1136, 3052
  PIDs 3452, 4792 and 3052 each appear twice, so PIDs were reused during the run.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Four events each from 16 instances of JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe, PIDs 5740, 5064, 5696, 4248, 2008, 1104, 5776, 2448, 5456, 4684, 2096, 6112, 4616, 2080, 912, 1172.
- Suspicious use of FindShellTrayWindow (24 IoCs)
  24 events, all from PID 3460 UEIAIkkk.exe.
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each row stands for the three identical "wrote to memory" events the report lists per parent/child pair (the list is capped at 64 events, so the last pair shows only one). "sample" = JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe; the last column is the sandbox's internal process index (procid_target), not a PID.
  Source PID  Source   Target PID  procid_target
  5740        sample   244         78
  5740        sample   3440        81
  3996        cmd.exe  3612        85
  2852        cmd.exe  3460        86
  5740        sample   4160        87
  4160        cmd.exe  5064        89
  5740        sample   4784        90
  5740        sample   4792        91
  5740        sample   4776        92
  5064        sample   756         96
  5064        sample   4880        98
  5064        sample   4900        99
  5064        sample   3516        100
  5064        sample   3876        101
  756         cmd.exe  5696        106
  3876        cmd.exe  4460        107
  5696        sample   436         108
  436         cmd.exe  4248        110
  5696        sample   3496        111
  5696        sample   4524        112
  5696        sample   5816        113
  5696        sample   3680        114 (one event)
  Three writes into a child immediately after it is created is the pattern CreateProcess itself produces (the parent populates the new process's startup data), so here this signature documents process creation by the sample and its cmd.exe children, not injection into an unrelated process. Targets 4784, 4792, 4880, 4900, 3496 and 4524 also appear in the "Modifies registry key" list as reg.exe PIDs, which ties the HideFileExt and EnableLUA writes to the sample's process tree.
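The three registry signatures above (HideFileExt, EnableLUA and the Run keys) are all "Set value" events on well-known keys. The Python below is an added example, not part of the sandbox report or of the sample, showing how a triage script would classify such events and pull out the autostart targets. The event records are constructed from the IoC rows above (one row standing for each block of identical rows), the control entry under Program Files is invented, and the trusted-directory list is the example's own policy.

```python
"""Classify Windows registry 'Set value' events against the three registry
behaviours reported above (Explorer HideFileExt, UAC EnableLUA, Run keys).

Added example, not sandbox or sample code.  EVENTS is constructed to mirror
the report's IoC rows; TRUSTED_DIRS is this example's own policy.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RegSetEvent:
    key: str         # full path as the sandbox prints it, value name last
    value_type: str  # "int" or "str"
    data: str        # data as printed: quotes and doubled backslashes included
    process: str     # image name of the writing process


# Key paths with the hive (and any WOW6432Node redirection) stripped.
EXPLORER_ADVANCED = r"software\microsoft\windows\currentversion\explorer\advanced"
UAC_POLICY = r"software\microsoft\windows\currentversion\policies\system"
RUN_KEY = r"software\microsoft\windows\currentversion\run"

# Autostart targets outside these roots are flagged (example policy, not a Windows rule).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def split_key(key):
    """Return (hive, path, value_name), all lower-case.

    hive is 'hklm' or 'hku'; the per-user SID and any WOW6432Node component
    are dropped so the 32-bit and 64-bit views of one key compare equal.
    """
    k = key.lower().replace("\\wow6432node\\", "\\")
    if k.startswith("\\registry\\machine\\"):
        hive, rest = "hklm", k[len("\\registry\\machine\\"):]
    elif k.startswith("\\registry\\user\\"):
        hive = "hku"
        _sid, _, rest = k[len("\\registry\\user\\"):].partition("\\")
    else:
        raise ValueError(f"unexpected hive in {key!r}")
    path, _, name = rest.rpartition("\\")
    return hive, path, name


def unquote(data):
    """Strip the sandbox's surrounding quotes and un-double backslashes."""
    return data.strip('"').replace("\\\\", "\\")


def classify(ev):
    """Map one event to a finding label, or None if it matches nothing."""
    hive, path, name = split_key(ev.key)
    if hive == "hku" and path == EXPLORER_ADVANCED and name == "hidefileext":
        return "explorer-hides-extensions" if unquote(ev.data) == "1" else None
    if hive == "hklm" and path == UAC_POLICY and name == "enablelua":
        return "uac-disabled" if unquote(ev.data) == "0" else None
    if path == RUN_KEY:
        target = unquote(ev.data).lower()
        return "run-key-trusted-dir" if target.startswith(TRUSTED_DIRS) else "run-key-untrusted-dir"
    return None


def triage(events):
    """Count findings and collect autostart targets outside the trusted roots."""
    counts = Counter()
    targets = set()
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        counts[label] += 1
        if label == "run-key-untrusted-dir":
            targets.add(unquote(ev.data))
    return counts, targets


SID = r"\REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000"
SAMPLE = "JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"

# Constructed from the IoC rows above, plus one invented benign control entry.
EVENTS = [
    RegSetEvent(SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "int", '"1"', "reg.exe"),
    RegSetEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "int", '"0"', "reg.exe"),
    RegSetEvent(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UEIAIkkk.exe", "str", r'"C:\\ProgramData\\fKIMUoUk\\UEIAIkkk.exe"', "UEIAIkkk.exe"),
    RegSetEvent(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UEIAIkkk.exe", "str", r'"C:\\ProgramData\\fKIMUoUk\\UEIAIkkk.exe"', "xgIIIcQU.exe"),
    RegSetEvent(SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\KMcsAQMw.exe", "str", r'"C:\\Users\\Admin\\vAEQAssE\\KMcsAQMw.exe"', "KMcsAQMw.exe"),
    RegSetEvent(SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\KMcsAQMw.exe", "str", r'"C:\\Users\\Admin\\vAEQAssE\\KMcsAQMw.exe"', SAMPLE),
    # Control (invented): a vendor autostart under Program Files.
    RegSetEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor", "str", r'"C:\\Program Files\\Vendor\\agent.exe"', "msiexec.exe"),
]

if __name__ == "__main__":
    counts, targets = triage(EVENTS)
    for label, n in sorted(counts.items()):
        print(f"{n:3d}  {label}")
    for t in sorted(targets):
        print("autostart outside trusted dirs:", t)
```

The hive/SID/WOW6432Node normalisation matters in practice: the same Run entry shows up under WOW6432Node when written by a 32-bit process and under the plain path when written by a 64-bit one, and per-user keys carry a different SID on every host.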
Processes

Depth 1  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe  PID 5740
         cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe"
         Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

  Depth 2  C:\Users\Admin\vAEQAssE\KMcsAQMw.exe  PID 244
           cmdline: "C:\Users\Admin\vAEQAssE\KMcsAQMw.exe"
           Executes dropped EXE; Adds Run key to start application

  Depth 2  C:\ProgramData\fKIMUoUk\UEIAIkkk.exe  PID 3440
           cmdline: "C:\ProgramData\fKIMUoUk\UEIAIkkk.exe"
           Executes dropped EXE; Adds Run key to start application

  Depth 2  C:\Windows\SysWOW64\cmd.exe  PID 4160
           cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
           Suspicious use of WriteProcessMemory

    Depth 3  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe  PID 5064
             cmdline: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
             Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

      Depth 4  C:\Windows\SysWOW64\cmd.exe  PID 756
               cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
               Suspicious use of WriteProcessMemory

        Depth 5  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe  PID 5696
                 cmdline: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
                 Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

          Depth 6  C:\Windows\SysWOW64\cmd.exe  PID 436
                   cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
                   Suspicious use of WriteProcessMemory

            Depth 7  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe  PID 4248
                     cmdline: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
                     Suspicious behavior: EnumeratesProcesses

              Depth 8  C:\Windows\SysWOW64\cmd.exe  PID 3732
                       cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"
                       System Location Discovery: System Language Discovery

                Depth 9  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe  PID 2008
                         cmdline: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
                         Suspicious behavior: EnumeratesProcesses

                  Depth 10  C:\Windows\SysWOW64\cmd.exe  PID 4588
                            cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"

                    Depth 11  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe
                              cmdline: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0
                              (PID and remainder of the tree not captured on this page)

Two things stand out in the tree. First, the sample relaunches itself through cmd.exe /c with its own path minus the .exe extension; cmd.exe resolves the bare name through PATHEXT and starts another copy, which repeats the step, producing the nested chain. Second, the image path is C:\Windows\SysWOW64\cmd.exe although the command line names system32, and the Run key lands under WOW6432Node: both show WoW64 redirection, i.e. the sample is a 32-bit process running on 64-bit Windows.
- Suspicious behavior: EnumeratesProcesses
PID:1104 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"12⤵
- System Location Discovery: System Language Discovery
PID:5324 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac013⤵
- Suspicious behavior: EnumeratesProcesses
PID:5776 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"14⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac015⤵
- Suspicious behavior: EnumeratesProcesses
PID:2448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"16⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac017⤵
- Suspicious behavior: EnumeratesProcesses
PID:5456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"18⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac019⤵
- Suspicious behavior: EnumeratesProcesses
PID:4684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"20⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac021⤵
- Suspicious behavior: EnumeratesProcesses
PID:2096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"22⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac023⤵
- Suspicious behavior: EnumeratesProcesses
PID:6112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"24⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac025⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"26⤵PID:5824
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac027⤵
- Suspicious behavior: EnumeratesProcesses
PID:2080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"28⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac029⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"30⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac031⤵
- Suspicious behavior: EnumeratesProcesses
PID:1172 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"32⤵PID:5512
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac033⤵PID:6004
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"34⤵
- System Location Discovery: System Language Discovery
PID:5392 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac035⤵
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"36⤵
- System Location Discovery: System Language Discovery
PID:5636 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac037⤵PID:4888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"38⤵PID:5788
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac039⤵PID:3420
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"40⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac041⤵PID:1088
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"42⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac043⤵PID:3780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"44⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac045⤵PID:1188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"46⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac047⤵PID:2120
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"48⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac049⤵PID:5040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"50⤵
- System Location Discovery: System Language Discovery
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac051⤵PID:1116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"52⤵PID:5772
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac053⤵PID:4236
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"54⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac055⤵PID:1408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"56⤵PID:2712
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:4732
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac057⤵
- System Location Discovery: System Language Discovery
PID:4920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"58⤵PID:480
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac059⤵PID:4016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0"60⤵PID:4512
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 160⤵
- Modifies visibility of file extensions in Explorer
PID:2388
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 260⤵
- Modifies registry key
PID:2088
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f60⤵
- UAC bypass
- Modifies registry key
PID:5488
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqIsQswY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""60⤵PID:860
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs61⤵PID:1896
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 158⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5640
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 258⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3780
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f58⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5176
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWsAAgMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""58⤵PID:5400
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs59⤵PID:4828
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 156⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1436
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 256⤵
- Modifies registry key
PID:3400
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f56⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3808
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMIkcoYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""56⤵PID:2360
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs57⤵
- System Location Discovery: System Language Discovery
PID:4872
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 154⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4700
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 254⤵
- Modifies registry key
PID:5292
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f54⤵
- UAC bypass
- Modifies registry key
PID:6020
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiIkEYIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""54⤵PID:4012
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs55⤵PID:4756
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 152⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:676
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 252⤵
- Modifies registry key
PID:2692
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f52⤵
- UAC bypass
- Modifies registry key
PID:1252
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckYskwIM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""52⤵
- System Location Discovery: System Language Discovery
PID:5812 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs53⤵PID:5712
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 150⤵
- Modifies visibility of file extensions in Explorer
PID:4804
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 250⤵
- System Location Discovery: System Language Discovery
PID:5788
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f50⤵
- UAC bypass
- Modifies registry key
PID:1764
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgwokYgM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""50⤵PID:2868
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs51⤵
- System Location Discovery: System Language Discovery
PID:5740
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 148⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3456
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 248⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5472
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f48⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3052
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQggsEAU.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""48⤵PID:5632
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs49⤵PID:2300
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 146⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3076
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 246⤵PID:4036
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f46⤵
- UAC bypass
PID:2908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkAIwIYg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""46⤵PID:5504
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs47⤵PID:4772
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 144⤵
- Modifies visibility of file extensions in Explorer
PID:5860
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 244⤵
- Modifies registry key
PID:2564
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f44⤵
- UAC bypass
- Modifies registry key
PID:4208
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWYsMgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""44⤵
- System Location Discovery: System Language Discovery
PID:4980 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs45⤵
- System Location Discovery: System Language Discovery
PID:3504
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 142⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5404
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 242⤵
- Modifies registry key
PID:3584
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f42⤵
- UAC bypass
PID:4648
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqksEkEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""42⤵PID:5720
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs43⤵PID:2492
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 140⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:6112
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 240⤵PID:6068
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f40⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2540
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIsoYIMc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""40⤵
- System Location Discovery: System Language Discovery
PID:3140 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs41⤵
- System Location Discovery: System Language Discovery
PID:2360
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 138⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:3812
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 238⤵
- Modifies registry key
PID:3452
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f38⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:4380
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amMIwoMo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""38⤵PID:4732
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵PID:1644
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs39⤵
- System Location Discovery: System Language Discovery
PID:2168
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 136⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:3516
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 236⤵
- Modifies registry key
PID:3052
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f36⤵
- UAC bypass
PID:3252
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsAQEosM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""36⤵PID:6080
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs37⤵PID:396
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 134⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3944
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 234⤵
- Modifies registry key
PID:1548
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f34⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4792
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAQIIIUg.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""34⤵
- System Location Discovery: System Language Discovery
PID:4784 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs35⤵PID:5848
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 132⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:6036
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 232⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3056 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵PID:5984
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f32⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:3376
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKoAcAoM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""32⤵PID:1552
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs33⤵PID:4736
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 130⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:876
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 230⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5536
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f30⤵
- UAC bypass
- Modifies registry key
PID:964
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEwMQMMM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""30⤵
- System Location Discovery: System Language Discovery
PID:860 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs31⤵PID:868
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 128⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:940
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 228⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:6064
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f28⤵
- UAC bypass
PID:1136
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOcAwQQY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""28⤵PID:5196
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs29⤵PID:5784
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 126⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5748
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 226⤵
- Modifies registry key
PID:1876
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f26⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1704
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CikUgEkI.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""26⤵PID:772
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs27⤵
- System Location Discovery: System Language Discovery
PID:4440
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 124⤵
- Modifies visibility of file extensions in Explorer
PID:4660
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 224⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4724
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f24⤵
- UAC bypass
- Modifies registry key
PID:2212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikkMkYIs.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""24⤵PID:5772
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs25⤵
- System Location Discovery: System Language Discovery
PID:4244
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 122⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5252
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 222⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1644
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f22⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3452
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmYgkYgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""22⤵
- System Location Discovery: System Language Discovery
PID:4632 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs23⤵
- System Location Discovery: System Language Discovery
PID:2688
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe (depth 20)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:944

C:\Windows\SysWOW64\reg.exe (depth 20)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3428

C:\Windows\SysWOW64\reg.exe (depth 20)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
PID:4596

C:\Windows\SysWOW64\cmd.exe (depth 20)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQosUQck.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
- System Location Discovery: System Language Discovery
PID:3724

  C:\Windows\SysWOW64\cscript.exe (depth 21, child of PID 3724)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID:5108
C:\Windows\SysWOW64\reg.exe (depth 18)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4656

C:\Windows\SysWOW64\reg.exe (depth 18)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
PID:4812

C:\Windows\SysWOW64\reg.exe (depth 18)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
- System Location Discovery: System Language Discovery
PID:1964

C:\Windows\SysWOW64\cmd.exe (depth 18)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leEcsIsc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
PID:3532

  C:\Windows\SysWOW64\cscript.exe (depth 19, child of PID 3532)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID:5020
C:\Windows\SysWOW64\reg.exe (depth 16)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
PID:5980

C:\Windows\SysWOW64\reg.exe (depth 16)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5984

C:\Windows\SysWOW64\reg.exe (depth 16)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
- Modifies registry key
PID:3088

C:\Windows\SysWOW64\cmd.exe (depth 16)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcIEooEc.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
- System Location Discovery: System Language Discovery
PID:5804

  C:\Windows\SysWOW64\cscript.exe (depth 17, child of PID 5804)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  - System Location Discovery: System Language Discovery
  PID:484
C:\Windows\SysWOW64\reg.exe (depth 14)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:5328

C:\Windows\SysWOW64\reg.exe (depth 14)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- Modifies registry key
PID:2908

C:\Windows\SysWOW64\reg.exe (depth 14)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1756

C:\Windows\SysWOW64\cmd.exe (depth 14)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umkEksgw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
- System Location Discovery: System Language Discovery
PID:3948

  C:\Windows\SysWOW64\cscript.exe (depth 15, child of PID 3948)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID:3788
C:\Windows\SysWOW64\reg.exe (depth 12)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5400

C:\Windows\SysWOW64\reg.exe (depth 12)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1968

C:\Windows\SysWOW64\reg.exe (depth 12)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
- Modifies registry key
PID:1136

C:\Windows\SysWOW64\cmd.exe (depth 12)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqMMQwws.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
PID:2380

  C:\Windows\SysWOW64\cscript.exe (depth 13, child of PID 2380)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID:2316
C:\Windows\SysWOW64\reg.exe (depth 10)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1392

C:\Windows\SysWOW64\reg.exe (depth 10)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\reg.exe (depth 10)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
- Modifies registry key
PID:3068

C:\Windows\SysWOW64\cmd.exe (depth 10)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XokoUsMY.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
PID:1208

  C:\Windows\SysWOW64\cscript.exe (depth 11, child of PID 1208)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  - System Location Discovery: System Language Discovery
  PID:1188
C:\Windows\SysWOW64\reg.exe (depth 8)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:2624

C:\Windows\SysWOW64\reg.exe (depth 8)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
PID:2212

C:\Windows\SysWOW64\reg.exe (depth 8)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2568

C:\Windows\SysWOW64\cmd.exe (depth 8)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZycsMkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
PID:3548

  C:\Windows\SysWOW64\cscript.exe (depth 9, child of PID 3548)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID:1432
C:\Windows\SysWOW64\reg.exe (depth 6)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3496

C:\Windows\SysWOW64\reg.exe (depth 6)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- Modifies registry key
PID:4524

C:\Windows\SysWOW64\reg.exe (depth 6)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
PID:5816

C:\Windows\SysWOW64\cmd.exe (depth 6)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGcQcYgo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
PID:3680

  C:\Windows\SysWOW64\cscript.exe (depth 7, child of PID 3680)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID:4008
C:\Windows\SysWOW64\reg.exe (depth 4)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4880

C:\Windows\SysWOW64\reg.exe (depth 4)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4900

C:\Windows\SysWOW64\reg.exe (depth 4)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
PID:3516

C:\Windows\SysWOW64\cmd.exe (depth 4)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUQEoAUo.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3876

  C:\Windows\SysWOW64\cscript.exe (depth 5, child of PID 3876)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID:4460
C:\Windows\SysWOW64\reg.exe (depth 2)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4784

C:\Windows\SysWOW64\reg.exe (depth 2)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4792

C:\Windows\SysWOW64\reg.exe (depth 2)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
PID:4776

C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGAwIMYw.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6ef7ad96a4b714103304a583e35ac0.exe""
PID:4236

  C:\Windows\SysWOW64\cscript.exe (depth 3, child of PID 4236)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  - System Location Discovery: System Language Discovery
  PID:5440
C:\Windows\system32\cmd.exe (depth 1)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\vAEQAssE\KMcsAQMw.exe
- Suspicious use of WriteProcessMemory
PID:3996

  C:\Users\Admin\vAEQAssE\KMcsAQMw.exe (depth 2, child of PID 3996)
  C:\Users\Admin\vAEQAssE\KMcsAQMw.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3612

C:\Windows\system32\cmd.exe (depth 1)
C:\Windows\system32\cmd.exe /c C:\ProgramData\fKIMUoUk\UEIAIkkk.exe
- Suspicious use of WriteProcessMemory
PID:2852

  C:\ProgramData\fKIMUoUk\UEIAIkkk.exe (depth 2, child of PID 2852)
  C:\ProgramData\fKIMUoUk\UEIAIkkk.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  PID:3460

C:\ProgramData\yWIEAAEA\xgIIIcQU.exe (depth 1)
C:\ProgramData\yWIEAAEA\xgIIIcQU.exe
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1472

C:\Windows\system32\DllHost.exe (depth 1)
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
PID:6020
Network
MITRE ATT&CK Enterprise v16

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
477KB
MD5f68b8e896be5e89834df6d2fd52ecd66
SHA1b5437e4719c1a093b23ea74b0a1ca710a1981447
SHA2566203c67830a65b035ba248daf0a5a38cc7bec303f48643e6650ba910bd8eeb8e
SHA5122cb5cc81015fc2b2d4dcfc91cc9624328f489bf8b3be0788f9af1488a96a37adb8b269944f2839eae1585832677ee9541e501f8fe5c2336d492cdab009edc62d
-
Filesize
432KB
MD5a360696ffe49a3a1a4ea34d3124d012e
SHA16c9b77b0c16f9a842d922daf61d1c3640c2ebcec
SHA256150b11c0fa57b4e107771b42669f4691cc96dc74fffd6db630edc0fb14fc3ff6
SHA512d1e9d2fbfd16aea3ae9c2687017864f89c4947191c55bf85d3ba4ff03ad70846d9a7e09d43269bd3d604dd25350325ee977d282b68cd4b8a08e97c06e6c69233
-
Filesize
433KB
MD5b3d93ac5643066e180812ff52457bfed
SHA1f4d104c54f1b6285aa81009fa957fdd0a4c18b3e
SHA256438c536f3d4d1a65b2df153d74fbdd2db9e5aa143c0e6c694e017a031f3a54b7
SHA512d35a693e6939395e98fe871e06d760a19ff3b875af991d7dc178cb39db91254bae2b5a7a5a2534f1191cb7618a4946e018b146475bf06a8d1c271c22b96e81e9
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
28KB
MD51f93b502e78190a2f496c2d9558e069d
SHA16ae6249493d36682270c0d5e3eb3c472fdd2766e
SHA2565c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e
SHA512cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
886KB
MD5a626f224015d3c6d884489b6a5d3b4af
SHA113a352036c64e17fe3739aed923e76e2b5f82eff
SHA256d59db777939675313aa5837669144ef180bcc4a1b32ff951cb89560bf19ec32b
SHA51289ace93b72526be1ec043dddfe3e92d4e8d3d868c4c95be50a2e003157f4da8e4876f2709c9614fec18b470c675ea45ff7a271ad7f7a5838d074a2a74148db68
-
Filesize
731KB
MD55d52d1cd75ce22b8870b068e05bbce82
SHA1caf1cd9bf02674ad697237496296974a8ff81c00
SHA25635abe51dad305e152b6a8d5009bfa064605bbd916d3906757e3f54523f225c22
SHA512738e85004289f4b2c4687c2484fdfe73f40d8a0f5b7d628c37f0ef7246749245e21e01df58a51b95478eaf33e5b6022dd6ae851a24ccbe46a9301897f2bd95a2
-
Filesize
437KB
MD50ac7016c63b3f0b85610ab14d8cafd6e
SHA18e8a9319d670042e990cc920dbab33df3f7b654b
SHA25689a73155018cf0725ab717f809a7165c27470074215973dc3bc0d735914d28d4
SHA512ab7fe0205dc44a0402f0f2a1b3120f60fe5b45f6034a1a1b6f0db1a5240d906608a9946b4c658bf4fd10e752b9c94e47529fa0c0de7fd9f24724831b04f6fe83
-
Filesize
436KB
MD58bd013a5949251aff96c0963f2f42140
SHA10b995ac94280cbe427eca3a37e2af32334b085a3
SHA256d1d0fb93e9df7fc5c8c79a4ed67e52caf104bb4bb95bf1bc4d2b2d31a096793e
SHA5129073506937896d65e4cbc1f1d7a78fb4d08625dc8ef005aea9eafca454a4b221ba277606f18431b90e48168e1aea41c5aacbcd4f9fd60254988b66ec82c73f10
-
Filesize
439KB
MD593ac5a3bda172bc4d0620de84d22c6d2
SHA186c193249a99cf83a0d6642e8a36284286c62a27
SHA25695afb9a901572e19d7f7201b046b3b8b675005b7d6135df1bbcd5570a00184e5
SHA512c2e2cc63f486751d6b0181ceb0a234ce0dfb070f4e39e682cd976b51db7ba9a6295d4c01542cead4ef69664ae31a2d49087d3721efda2423980bff5d8d2f0920
-
Filesize
502KB
MD56632b6080824ea3df85a9f1ec9e36710
SHA11dc8399ba2b9eb953af8faac7361bdf01be589e8
SHA25633499212efeaa825d0ba67d5a7eb547ba2f0ef638dac641ce8f425425dc55b4e
SHA512e7d5d51043cdd2d6b3487fe2f30ef6b4ff9628ae7904dab786752bedbfab369123abe933b187efc48f72befb143b76b02304a0f5b4959c0f77abf0a4e058dd13
-
Filesize
444KB
MD5888ff600421b3972037e248c18a9f70f
SHA1f0193b3822c8b0283944ea714e073e8d2a173685
SHA256aa4daa593b942e44c4893483b982b2a560a5fa14c78a48d5811efdf1704da1f9
SHA512c66b77a37519e3ebe71db7496a47ae31597a33bb7cd1ff497a47003f640c926b7d28d5eb89c5dbfc981df450c6f222cb411710c380b7d2ac0f415cfcc5d7ac5d
-
Filesize
433KB
MD594b48c13079c41317a3800ad2f31c20e
SHA10221e15c159f01709c208181049f1c8f6d087c6e
SHA256a1bcab6c9424317aa21cceeff8ac95bd2fcedd276cd7df6d4d9b05cd31c8c6de
SHA512f72bdac099c22f19681c2b05caa30e745392a9e61f30fa3df48a97a920fceb509c229364a361521b2194c5d58cef810a8f7483df5483c10d00411039bc9826b6
-
Filesize
438KB
MD52d1dd4692a56956a9a7020d3a3a795fc
SHA14c0f98d644ec090ace3d08725c1923d722fbf0cd
SHA256ff684300f8781c5d1dfb01d66a0041f45ab76dd510b8790727ad043477f6b01a
SHA5129a407985902163c5657e83c998f7fcef726894ff6b73f744f85cfe54e6e3cd41a599b943bf5cda3d9ff04c69380b858ef5002e212f4fbf96a6d63c43e68718e2
-
Filesize
449KB
MD55bd8a1561ffc4bf8793a9b4df3f635a9
SHA19b8de8b587e3e9dab3535bcf5cfd0b5c717566fc
SHA256394163600192827f37a00ded46f256c5e320f00c7508a2f12c8858fcad399979
SHA5124b8965a409f2c62aa08ba1f9ee1b4e3680a2e9b7c14ca6e4173739e0695a980c34cf557c0f9e462debd0958f47b2a9b4b5473b3862715e8d1b554f7988bdec7b
-
Filesize
878KB
MD5bdda120760525dc480708cc4e11d5174
SHA1e393a78bafed9dd171f05a5eedd32aa09a7fbc63
SHA25603d42f9b43ef75f37a4ef0cfe7653e50079b6af12c638103a775ea011ecce7b6
SHA512b82763c8a792ccffad13972eb268857c060174603e58d8238c91e646ab7eb5085ec9ccee75923a3465be3505b912ca3e88f22d26a08bd221b97a0c5c6868fcee
-
Filesize
437KB
MD541c5d6f211d4fcdd1f7e29de5d58ac4b
SHA14b61f269328214c8000d15be64d9b870506457b5
SHA256ddef160a257382053a7e53a89bd391a2ce4bbaecd68e93184fd776c7eb797ed9
SHA5121dad194979d14582ec6ccf3a1dfc69e302712dbeaa0606745968858ae1a42710526ed220c1b4e0d36e9fe833d35532293c2bc6d1975015d6b615a2d3d71f75e6
-
Filesize
460KB
MD5f9520333b144b3c1777bb9300e87a459
SHA1dc46c12925120b59e9a9b6763dd7fd1a51d83620
SHA256b0763fe3d60ef495e252360ddf445c4c9f3c416853bb757bf1dea2168358cc5f
SHA512f6ff53d6312ac6463dc03c5e73e32b8f6fdeaedffcc43929bd6c9ca8a6ce7b0cbd2dc1b02c763a8a9ffc8e77846299abc278620e0c5abcfcdf2616f830f3ee1c
-
Filesize
434KB
MD5209bfb7589330b756f26f7d0b80923f9
SHA1d4c4f0dc8cfff0aec023d5f39f8fa98e3b0c66d7
SHA2568de33445d70b63e74b222eeaa1401c4de55faf81b3fdca2a9625df9f7086a773
SHA512b1c6882c6e0b845c53a8d3ca32277cfdf0cc7bab5f30be99249d9d073e3b107aaa4ddca653c4f1d183cdac57b3e8828f51bfc341bea5fa5991267194db03933a
-
Filesize
559KB
MD5bc9365222954ad3b9d3d92e95418c218
SHA1fc0b2cf785c8fc5d7bfdb4c007796f3b3cd7066a
SHA256da35e7c64a783a287ce7fdc645233fba7b6ac50e1c83696802ab9c1d8e92db32
SHA512c23a9f3f3141d5f7a0989efaa1887efbf94c7aed82f6c29009b58f96a95a85ed7dad0f0c19fa084dcc8849e50ef0a808befc65f00090c18cdfb66e62cf078e95
-
Filesize
475KB
MD50c387781384c5571e121557a7850ed63
SHA1d6d51fac911473338b83e1bc6bf1900cfc94246d
SHA2560d380a5fa67c5f9857619be286090aa659d01d272ac3845fefa32b96d4b26229
SHA512343671228c1c18f8f4ffd466469836fa596a723edbb21a4a5be3ec735a2d4c4e37921416e850ab3d3472c870b0b816c3fae21cf14c96129564612526d56cbaf6
-
Filesize
4KB
MD5ac4b56cc5c5e71c3bb226181418fd891
SHA1e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998
-
Filesize
443KB
MD5189ffbd432dc55ae904fbfff127f27fe
SHA13a6f9100ce1442a2d305074c2ead8be7cfafc0bb
SHA256799681990f4a0b69b1ba471c65510fb0cc957ac1adf44339d5b75eccebd8696f
SHA5125932abce1588db1f6bfca6ee75e5e3aaa5230f5d10610f34f5f965fbbdecd8fac674855f7c06214eb5d263f408c632814cbb20399d6935a07990f8378d3ed2d2
-
Filesize
1.0MB
MD58128ca3c13ffa3a55d4bd2acbd9908ef
SHA1d2ceb4da48751f2064e3320bcff87847252a3ef6
SHA25609f8ccd649d7b3c0ef31749151c5d35286c9da6b909477cf4598e254cb4818c9
SHA512b7505cd86ec19c1929091967d0d73f94ee32190beee9e0858bdc6fad0ab35c59304ce7bfe5a961653433d2606151ed1726b5ad0c1ae2b71e5eca8447754746ce
-
Filesize
440KB
MD51780775bb4fc5d759d5098b33b8c8599
SHA143c79ae0b61e42123c4a90d12eb5260b4494bb0d
SHA25614822ea68022d1e9edf1fb39e0b0fd2deb2bb939a2ce162cff5559a706f84704
SHA5126bb786b56d2cf2428a706ce4636d461cb203c5648d40976edf6c001fb550e351ce715863f406cab41057c6f9f03ed66c454caa9fad3deb3c6d956fb677a904eb
-
Filesize
4KB
MD59af98ac11e0ef05c4c1b9f50e0764888
SHA10b15f3f188a4d2e6daec528802f291805fad3f58
SHA256c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62
SHA51235217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1
-
Filesize
451KB
MD535cea8773eb4083166d03e7735f694bb
SHA10ffa5225d14b4ca5871f199e97e136c9fb0bb5d5
SHA256a508f33e342880c38c5315ef359d0916cddadae0599408f64f3d3aadf1beec45
SHA512fb1f085955e6ab79f4d579376f4d0ea8979eb81ed6a5c768ded6b4a981dc31ebe2796aabcafbfcf83c1c3f183832d69ead692e5080c701b1804060d799f8ee2e
-
Filesize
433KB
MD5913362f055890e862ffd17d1cc1ae8a5
SHA13b3d459f1464e8561e313480119159e0299cf664
SHA25669b9b2e4d0b597b520778993ba4e84fd08a80d45952f77d0e6e0c8b3a0a6023c
SHA512a87b1dd0e93859377af1ba05d972bcbbc5e54cf9e5df3a34bee1b90609c598c5c8318339e5b0421414918cff1e6e4f7099fe3355b14a8e5b5806f44ce0c2a7c3
-
Filesize
767KB
MD51d731adf5cb793b1c5ee01ade52ec0f9
SHA1ddbf5932f0eaff19f7f4c9675e6b68eec03ca86f
SHA256cd3f4d0487199408c5f94255204addc03da1d31fb37f9f8ea571745d81036810
SHA51238de7064086ea3db17820be64639e215d090fa8e7c317da12b5504208b37ccd67528f802a03636cd24fc4cccdf6c949417e9e8a00c8e6be9637e46bb80bdc01e
-
Filesize
443KB
MD579598afca0f6140cf6b2517fabb0c858
SHA16520d5581153f3d830d854fd909afdd754167f18
SHA2560a65ea30f1a411676d1ab587e8e31b82c95e9ee3733289ba0e8be0166eb16ed1
SHA51284fb16c615bf64c3e45c5631356c509db136890805741c9d51287db03502c580c23b56bab074f7e0231de30cf5c44dd348a86f3ddbe143329e2950e28089f918
-
Filesize
1.0MB
MD5ea702dd3638d0b25c9e9458ceee5b47b
SHA19787137143fe088511cbe9cbf7e03c38b76c9d96
SHA256daeb5a88cef7df9ce05d021df4a0c42fde8e5fc42cc1a7dee1d9cb4e97f7ac35
SHA512d8f106d21d6fa66aad3aeb0671d7b721381437dd844952372b5a95321bbf5b77419a5003a51916903bf3a55d132a9d88a1016683526c0948a7dc3f52f4024879
-
Filesize
1.0MB
MD592ffad35c595ce5b71a9e74b13bbf864
SHA14c397b49c2e2b79cfa035359f1473b524685189e
SHA256b1b4f0c24c5f3897970e03bfb93bc147621a75b7a4be88a74bc73ab2f9b8ae2e
SHA512f977ac35a8384451b984c3379343dbbda04e5d24d41f53d911b5fbc4389c30f61e67b593455538e8d9e7eb9ce12722c2b0d80c0a55367acafc771bd5f8c9fea7
-
Filesize
439KB
MD52568aa7dc93b6501c03fcf3a7888b10d
SHA1f125559f236d8109d498de4a113848a355255f48
SHA25684c4938f3234ca8c5c5c83995abdc04f00232bd121eed5326293d3697c1667f3
SHA5127292a9777f07992d758b44e77a0669fd67dcb506394b428e378dd73cc761802d185501ee959f68154547ca53278e3b7ad4011a6c82f0604f9f6447f1d1a7bbe9
-
Filesize
438KB
MD5d824568ee0f3717d6064adea34308c4b
SHA15da5a6386b34fae6ece8c87c072ea81f2472f025
SHA2560e1b9da6a42969b246d0618e2707c20beedb853f7b0c2384cc8e9e53c9220466
SHA512277e76e8e4732869a630b11eea38635f6b14b63ab0edb68c54dd8cda73776dfcc7856c05696fd75ca26ff269155d190b6a260356b5f809ffa23f3e9589880fe2
-
Filesize
704KB
MD5fd69a685ddb3fba268ca63c1dd3a63fd
SHA1089fd6f622d36dca9bef8f020745c6a3daed9bf5
SHA256dc0f41a98075d447216d38c607497bd463cb763c850beef638b3ef31829d7a58
SHA512b718f2c98c2f900c17b311f2dac3f1aec335d9330829f9a5ce8fd15dfe63a15d287f365b2fed31f2c303592cee55330308a4a8b23acd1d2e4eaea6843e1aa7fa
-
Filesize
460KB
MD553424a09df67198e21575d0d7d3ad920
SHA15271cd8c4962bca0f7206dd3c868c00f7781437d
SHA256496aef9aa9357318aaf0b912c45c2603750da6232d790ac4be875979629383c9
SHA51235f0c575635febe2f613a067894c6be916f01b3f4b2acd657bd1dfabc2a151e519c7284972b40440f9f91a8855e4b104768e54799b9bb3f26b6c6cae197dc1c8
-
Filesize
437KB
MD599799f36f91b74f86d7c031e29ac8ece
SHA1d2e86d937519329fc6718096e2a866f9b699d104
SHA256298b13bbc636965002f7357e3fd06e8066fd8c822711f479cd5532e92468e23e
SHA512a2b13dc657a27d3467a32575fd1b666e946c5cf07c3e8963dfb5213573d3c671ac6ec0a0ef2a71328be16a35b155560acfe88c3903ce8c5146cad4b9521523f8
-
Filesize
441KB
MD5da984fa9aeed534931bb829052cd95cc
SHA1932b32239ad81256a297dcfb3b390cbaf6d7ecbd
SHA256a5a540f69f400d5951458347dca2b8934c3030e435aab26fd8314c5633a83262
SHA512482513022f52053a29a07dbdba8359d6fecb3b81378530c45b7933ef95546a57ee9dc0677e0b54ff2af01ea304a56e39fb365e747dc9fc11fd4ae6d19b1e4b5e
-
Filesize
436KB
MD52e440833a3633df648417d9f9e977685
SHA1b89d3dbd52e9f77c44e3404f7220764baf73cec2
SHA25687a5941f85df15f9902d151a9aaa27a54dbe8a7b3aa759713ee36d925d7360f5
SHA512150ea4cd41a13980fbe8fd793fdf76eede318b44bc86596b49858c2dfa06fee71ac84fba95416bb85c778ea685d4b6d7eba4a03418d44a63eae0f175c0c1b4ba
-
Filesize
630KB
MD5abbe6dfffa9f1dd90031c80fb16924da
SHA13e6d221dbdc2d58aa87f718a47feb9bda7a3d8f2
SHA256067ef5c8d48035e76db4f6a8721c8b60f1cadd55d7b742beb3fd01b85fc1bcc9
SHA512d070e521235a7481f935424e201176186978d211ce3db9802adede9a4057570769e4c2e2675c935a8a1f8ba4bfd05cd64dfb9afa04265fe4a56bc49062169d5a
-
Filesize
438KB
MD59087ac25ca86bbf9f0ab83273d73d389
SHA1fd6bc2a09c665439641470896096e93ab7a7555e
SHA256702728f6e5941739214caf180844759d3f5e814ed74e960e440ed3adbeeb581d
SHA512e5bde0f0156bfcdde35e21f968ad18fbe358e15d7032d7a73a60669269fc693c7f6c3c6c0fe901cb50d5eb22ead50f2fbad277249747ed108b97d153dd052a41
-
Filesize
442KB
MD5baf94ae7c4df21dc0e9316d81b794529
SHA178247fd4ef748f5ba4ffc041a529c93fbc2bcf75
SHA25629c869d873506024f56abf518c5d1a70fecdfc449958df43cf6c64dcca193a0a
SHA512c2c11fe8828fe7d4ae13d92d67df105acf1e4372c8a5d603be6e02693582fedebbe33d1bb57d93b4f39ec0730d3d9cdeb89b3421ba256d97910001144ecdcef7
-
Filesize
433KB
MD50b905b6f5425b7674df15d8eff248f64
SHA13d176e0d1e6dcc87bd0eadfbf150485cf40353d5
SHA2562a2c7c44b4df1fc2faa38a6f772c74be46b8723ef3cdb2097eb9824a6ace71a0
SHA5124d88c94114f0da9ded96dffe38cb1bae480bad6f18d75d54c93f567e13e8a8b2e9efe85e6b9b77312d1aa1a689ecd4d03cda6f83b5659b708ba83978657061f2
-
Filesize
1.0MB
MD55456a5d7ea83dd434868730100ae6c94
SHA1c49df723b03af14633e761752c332ae213bd2a29
SHA25602ef0a3515bc081bf54d3f39b1e416a1b4fe0260f45889f38fc36de4d96c4f00
SHA512c327a429cb662ebdb8b297b0aeba9483a9488f127ee38d882773aeb0db386a89175f51fe182bff78528ea8302b9ea9909f39ac547e0b85800a8cd665703cbcb5
-
Filesize
890KB
MD5f318bed33bd9fb61302823e9a94e7bd3
SHA1d348e9f0cb201ccd90dcf14654985fc3a38bd679
SHA256730979f39f3568a4386ed0bedc734f45867beb1d3355bafcfe7ecc2ad0558f1e
SHA512a7c118ead6e3abc02088be0429f3d191fae27997c4af0b618b4f658eb4729a5c4e6e8d4a66150466e9356b386d5f5d0d90c6ac11a9cf5469d257abe75011f5b0
-
Filesize
437KB
MD5d554780c1ae7d91a992364d24a50281a
SHA180cb3c16dc53878a745e72bf8442eb137a7a736d
SHA256f1fa0752e8d2f78577f58a66f278f13011de6968ed54f66d576a66a35bb8f879
SHA512bb4359b4e8b474751164fd163d3c1c20862d206c0f7878b334bbf6892653cd283a7ede0e80ceaeca35419dfa4920bfb925dfb5f540531e197de9a41477ba28cf
-
Filesize
1.0MB
MD5b3b95f8be6ce7c0bc6524509bbe49376
SHA1491fd35247dff19f29f687820fe925933f6f4fae
SHA25684770edcf5ccd90b0b80ccfaac7f7cbc1ab8ad21251429329696214c6706124f
SHA512b28b15dd6864c954e099f3971a560dc95a77900f81603fa8ce1b17c4e43c269cc217d770a537b890943c2ef33b2cc9b2506ceec407dd8d4d4bee618f92d3808e
-
Filesize
440KB
MD5eb5001d5332c8a59eb14b80de060804e
SHA133cd141ef81f9f9b04ada85c9a80cd3a288cbe17
SHA2560296db912ba5502d475771e98ed00e9556dd2835a54707d2332361d50496643f
SHA5120a3652a2012067dfa0c9c947725ec4cbbe312b19eddc5c08ba0832d4cb99862fb549e686929772b94953af5182051c549adc078a27dac59a52890bdc207adcb6
-
Filesize
435KB
MD5c69f1b7aa0e7fbd8a2f65fb279b8c294
SHA1bb6eb9da555175180f7b3803c9f010aa96197bb5
SHA25663f1a79eec7b3e9d41eac80f1b4c1ff2bc66456ec647e1aad057d5da96b7e7fb
SHA51275377a0dee0f8443268c578e1a6def0259b4b588c7b9b529dcc8056ca83294f686a81c5bcabfd6387afe8c495998dd1dd9136ba9733f19b77f4210262fb18553
-
Filesize
672KB
MD5b799dfcf030f709a1f2ac4913b98c1f7
SHA15bddf7cdc3facf1dacd757972033f8799ffc59ce
SHA256b70a571aaffabdcb618680cd57c3402e4c4942d2a7d0b3bf5d23325ce48c6f2a
SHA5120de67ad3a770ec3bc1cd45be4dd1c7abdcb9d74bd4d54143a4ca317f1248ebaa87e9271a52e85500d78bba4b583543a0ef0a271aa198c91ea724743e5fb7269a
-
Filesize
435KB
MD5ddb523791a16484dccaddf0d4e279d73
SHA105ef9850a2d51f360903e2728ffdf9ee715f214d
SHA25678a919dee18db73b6f3079db8a8c74c1c434336270e6c02a6bf4638e11de5fd0
SHA512c632f7406052023bb5aa7e68cb4951fd3113d19febaedf2303cd72b877659763e33e11968a2e44ebcbe0e3c903511c35e9f11d75daa1b2f56be74fa9213c62b7
-
Filesize
444KB
MD5f6f98c608d1152e0bdfd20652fe05da8
SHA1de956b83be7a04acab861c9ccd515464441f0651
SHA256d394045940e548c8f31f076b1db5b664f897234c67616de2cc243c9794a140ff
SHA512fe8e111b504c0ada184fba9afa7e585e6bb43c3671dfdf4a03752007ffc7292312f7c615c51cc96f034f800c1a69e46c9b94a19c422a0afbe31099bfb6938b93
-
Filesize
436KB
MD504fc1adb2f09c93bad07edbfaa438db1
SHA15d2aaf237384ccd3ee7d2a55e03d7a19e3b29b82
SHA256f05d2d51560c94c080c5491a5ca422ac8db2f79f05739820eb949d89c1a30f7f
SHA51235955e7784a0ea323585ff18b9a7cb89c51b259b3c648dd23afcb2115fa3542294f5bf697feabded7cf40c811315f0598a7dddd079f080150a3104ebe85783fd
-
Filesize
438KB
MD5356e053c4971cea1af234832b2e890c3
SHA1ab0689ddf6a766395bdffa32f251c223cdabc07c
SHA256a8020955fabd102f49a315edd8cdcfc28c9f118e298caf90dd055473e0b54024
SHA512943d99261dab90e409aa52cee80b71cac299d1260b0c26d7b1e80bf3cb8133d357fd29f7df1e9f1cff86ff82d5ccdaf30e3b6fa2524d6576d728db3e35611ccd
-
Filesize
2.0MB
MD573b38a3f7842876deb0a38510d9b4d89
SHA13cf0ec89ee1f1c6691fb5b0d0a7260b4d264f9a0
SHA25684efdd60f35e6a20b31ec570d8ad6f38f49988b33695b0a8f361daf0295f8972
SHA51247de4bb9167f8ad08920fe6faff534c04716e019f6f7f03656ebf66e81671366371b634b5481fdf6cc1028ed29dcd30cdac1766dcd475fa6545da29869f61028
-
Filesize
435KB
MD5865ada3d9c326f408d9557dc4fcc501c
SHA12d8f1b311fb4e2ba50fe6d9ff4484a09d595def3
SHA256bd34837131481745a7b1b80ba7703a93b93740f15961db96acebf77f0e347c01
SHA512f976805983377429ea52ea08b20c1eb94f5f71059d32049a19623e7820b329d189b14acdc8cf4a1ae1e7e416a468411710ccc93c8b3220767a454e37027c4223
-
Filesize
1.0MB
MD59006e5a0f6e4bd48d7c905f84488ce3c
SHA10cf732d0b793b638222f804fcf95ef3b2ad1ae6a
SHA25698c71bd2c7d95d6c7bb7e9e64163cd966226a024f0cc3a6a954ffbd0dc556d64
SHA5126c312ae41fd87793219c58a1e55c3127edeb6e54435770a4bc52d95752a1f2008282c9e9b28510246a275a0970a2426f64a7c5ee4d6556297408dfa4545d5ea0
-
Filesize
778KB
MD5eee45cc17f15794d025b46bbd44409c7
SHA1b80dfb21f8457413dc6b1046bc701d1afdc20a6d
SHA2565b24a8fe501d7a9ee3063bd79058ce8c7162754705824b0ca0a40f255c1307c6
SHA512c8375f662e7ffecd156180d95b873978956f7c3a97961bd80726267c44e3a58c7dc78ba2913ae9618904493d6c60256220e621dab9d2e290523d7acf5da95f64
-
Filesize
451KB
MD55ac7996e52337350aede2def9fc073bc
SHA1e6e2525b5e2ab42997ce9a0c1eb618f8bf6e1cb7
SHA256755aaf12f4a28c7f2683a6f60b4148a3e879948cc02264c70ba68b6cb0179f4a
SHA512d4182004dbeff4ce7bdeb01769a36e527d062496818cfc0f3d80760a46279a2f230bdddf2aef0d8c4c024994f322fef5c2d51ab79a48d1fc0a9cb3706eed12c4
-
Filesize
446KB
MD503a24225c67e4176baf66030aa9899e3
SHA12458f9464bceac02c8454d70fbec5ef33434b0d8
SHA25696e33bb5a6ce0e42d3b3ca59490276095f77b592765f78ace7d17a92e7c65cb4
SHA512b493541a72859aefef7b52aea7164e215d53d11bc54cda6d441e9fcd8332ffd6716204f840939b3e427c599548cae1a82d29545503a92063f23cb439e12acb8e
-
Filesize
444KB
MD5fbb6c81381c63d6d97c81cda09c9d802
SHA19b409e73b85ab19d903c7d90ab5d136db5b620f8
SHA256ca417928e2fd979ce05b3f24dc87ff470b463ac5286c8f9834f98a9ac709ca22
SHA512bca35b99ae9f97bb64b3455ee8d26257966763c3c35c1f1b63e4b4af4eb6534b590fbbf1eb8d68c64f8f4a15b72a89e185d095e965b35c17219575f16c91a6fa
-
Filesize
435KB
MD561abb115d4827f2e70e5bde670246ac6
SHA17c5f12402ed197d038551ca67f30f2ab829e6bae
SHA25696a17d91ea28451154b558bdc5f0ff49bab42677507dee9f912e713f6bc5c8f1
SHA512bdad91b59f873f3d5a2651e3724b96da81f786719087ecad57d5c22239b827b1bd88ab20983f7c402324c4405984c5a33778774dd5d5577477060c103af5de90
-
Filesize
438KB
MD5100e0538cecdceec8ac6adb01b609f7b
SHA1cf81de854e202dc69f18ea6e14b50f2eec0179a2
SHA2560252c95389410d9db3fe5d342610059d912aeedddb5e6df02c2af99742d22742
SHA5126bb3ea55e16657b93328008860a83e660ee86fd7d09ee32ea026e9aee58b3602204bdfc8b56e62bc18fa3e141ab1951c5fecce02d39e8b4affe900f6b2b5666e
-
Filesize
563KB
MD5d557d97345267a6a57cdf514d7ea35f3
SHA1a42347ffc5790143065fcb4a5835f92a7cddb845
SHA256ffe1ab27f43cd29ecd0a1e49209a96e15d2632d5605b2f8497777297d684150b
SHA51265d2e72b99787a35cc0f98a7a98789098f1a00ad48224672c0fad76b5502a5639919457faece23c701738172ba2fa989ee7617de1c348bd9ee6ce0881e153c96
-
Filesize
892KB
MD5d27383fc46255500fd0ce250118ebb43
SHA137137057fe152caee901a87db77023b69b4fd248
SHA25674de6a0cb410f42a41c4f013e5cdf8cf6a4a48afb9ea51f2e4ce760fb880147e
SHA512596e55fba526f280eda50b0d4fa959dee7364b8c195cb4088c8929b0d5621cabb19bc5e58039972fb5f805db2bec28bc45f910a319204b588db22633ccd7370c
-
Filesize
860KB
MD5a902164c3152ac91821f645b912c1836
SHA1f29c1af985096d02b79580037bf67b047bb73bd1
SHA25670fd317238cac8fb1320f10205bd0c4d5f639f332b98adb40d089bf42650edd5
SHA5128e893dc514d861f5fe56b7fd81a78d93db56787ed5c83e979b8e0d0f023329854f6ce7ef19ef68cc813af49fece44cca50c1ffb8e343f7509eee3d8391ad4757
-
Filesize
439KB
MD5a285a8888df9f9832d16c56e7e1902e3
SHA1ab0986e9e5482785e287797259d31053729a8958
SHA2569203d6499864962162702e61228b1b5df1504099de1f48da8f2c7cf4c040ee2b
SHA5123ed41bddc6e75b31e84f9b470674e8a812936fa9508bedf71f0d771bd116f438c4eb7c7cf06c896ece0743592ca49c9b7c6e882b20558b9483dfd9fadc78acd9
-
Filesize
435KB
MD5246c89806e978794f84c7076b175a81b
SHA145c4fb322db91058116f6057d3a42829ceebc353
SHA2565f17e3cba53f5c6e657d59cdb8110ce27860883f99b636750c981e6d267dd479
SHA5127a37b0d7064ec593a5aafbf521354a66f9a6722c8fd3723f5eff4dfedf37109a3ad07334ea9d908cb9ecd4963e0843ecbd31d96e952fda5a7cd03ac59efdded1
-
Filesize
6.5MB
MD50cc82c788c89ddd7a47968c0eeffb758
SHA1058e68bc656b33663d0851a0c884a90aedf4b789
SHA256b09c2e97e3c1a19ee02562f2d86622acee1f9cc3f22595153b874e5ae3244daf
SHA5127a2d7cc7639337db7cd3e4431145138535d94a79d11995f00395344dc9984d85803c891b41070a39609b72f6fe944ff9216966fe7a4f854a9a9fe251a5ec397b
-
Filesize
443KB
MD5250e673ab8f86c18a797c29f15a2104e
SHA10f3f91d69aed7ee2cf4d397548674cfbeff6fec5
SHA2564246095a0522d8044c53e0ef621642815c4ab5a93787c151fb1f1a44e9b195bd
SHA51233cb823576d9b24073664d0e75569d1b48cfb58c943a4346c167467cedaf74c20d466b253c50c5b8d75f6afdea953e34de085443a2ec971090cf4b169eaf9dc3
-
Filesize
438KB
MD5
6d0095de56cbd7d226cb21759a8731c6
SHA1
cf86435c9b8449fe69b2decaa2afebf7054c8c19
SHA256
872aef99779673e822b7894d6132c333ae8469719d97fcaa9dddc5afbd0db0c7
SHA512
5f7e527f37594069f49b2204e7b2899be119215ba871421f4b1ccfd9325e1b64ffdf4a0b1fd67c84c431882fc1cb44c093b010122e9546d65892e7edb1d2b096
-
Filesize
436KB
MD5
2d24c8a32ae0bb7cf31366e957e1a327
SHA1
938b92f130d7e060b953b528485604410f22a188
SHA256
ec1d93946304f1a82e0e73629faf47952b2138de59179c532da84ebe457af53c
SHA512
1d4261adc8709f21a9f7caf83a6173e509a21445926640efdb814adead66054042d4dcbf8a2c31a6643a53578a809ef7142caea824a2614ce9cfbcd17e4a61fa
-
Filesize
435KB
MD5
a5babc89795dd5127dfc616b1ecb3a64
SHA1
c49022009d12e109d809bfc68b0c407b3ecfb697
SHA256
af3d1b33f7116cd965b2f94a2f720c533c7d9222fb7df069d3969dd96cea35e9
SHA512
47820956934b6d8df5ce72b4d417ef3633d077504a73e039918e66bc690d35ca3cf74c040034fbbc5016caa34b58dfc54934640429b5dffaf5a3d1601edf6bfd
-
Filesize
882KB
MD5
1c38def6e685211b276e51f9b0e47743
SHA1
ad009d0c0bd8eba706f9e45a73c069909eb15e0d
SHA256
3641964e9e2e15f61dec63b29054bd648a8ae686a94be0e8cb7a7af76802d89c
SHA512
2f67dbd61c675543e693e153f3d2a9ecb22ad44d04f6f2d44c9c6e717ef4e4ed043b69c21515e0b0078ff5d6bf8e029a2d06c8fcb9b86d233f262e0ccdab56d0
-
Filesize
878KB
MD5
1de2124c53a3fb082ac15ef6f785b5ad
SHA1
2335257902e386ffe713fd7ede88d08cea400006
SHA256
9037079d4f90d1097ad078386516474f93d40fd74b49d83db240369a6b254e1f
SHA512
c303a92ffecbb7c56b9c999ebb7b767a37215c8a8a3fb78a68d8017d6c81f6d1e0938664c51c1f999ba243d653d4851d4d7df7d4bc0763f3ab53b6e922013e16
-
Filesize
809KB
MD5
c6edbe835bf49ac0a6067cb45f14f272
SHA1
40db38c095e3691abdda4bc5690d0a63edfa58fa
SHA256
116f2ff08e872575c2705d6b0ad22533e345a56935f871b0ab76c70bd469e3c9
SHA512
72796dd1266660567650f9c371675a33b8b1993a5cdefa47cc13f415ed2ccff5745a50de9784a12c8b4a079d9fc70e3ea90d2a3d11a3e2156993481e89eef0f8
-
Filesize
448KB
MD5
b68fbefe43db690b893111695c716583
SHA1
dbd81e0c3dc05b55494c281bc4ea1c479018f34f
SHA256
41b1ba2ff5f525687cf3aef8d7edcb29b02e0bce42d9b075f307711fd9013927
SHA512
4bba6269684149d8e83b580fbad2f21e3ddd82c65b16281fcb3c15b54f0764320b5192c1ad64b3317c461214dc46998880de6ee05ab193da284f369562f40cae
-
Filesize
1.0MB
MD5
5b867b63438a5c5afb474c6e28d92017
SHA1
8dbaeaeb2f34f2bb968c5b226a6d97856708456d
SHA256
e8cd500ac65f1dc902c50c0c8776656a2826522d87937256d36b1799b0e49dfd
SHA512
8f8ef3368223c69ef1fab6621e8d456abe02cb4597f60ddbef48b39ec9de9a6456067c65f577186c17abcde8e878fff10e25e323c9379df706195cb7727f4d56
-
Filesize
438KB
MD5
a5b9aa74db32c9ecdc2adb6977bea5c7
SHA1
febed118486f9066c8a83aa10dde8b7c145c66c5
SHA256
4961ec39476b268106ba32e59e5b334b9a59f70bf2f1f72e6638c769b070a034
SHA512
6abb7704b9b345e75de5b4e03c4c91484a080ed586f35569d86ea09cbfe1b5b6c062b08de3cf65e253d4ee3fdc0be70544520b541f7709c059326cfbda410f3d
-
Filesize
441KB
MD5
d09c9049ef512e6c41e0f2ff9d2c4384
SHA1
eeadc927b272b9a9de205f4ccdee18df1366ceae
SHA256
a056488060ff3cda8529789a734cb6efae1b3ce4f6a0810972de746d9f84592f
SHA512
997ad7371e92e9d5e4354836c3e30848fa9118ea8f5f090fa969d765e6b3821d17271fea90a79dd4a39522899a5651717622fc579efeab2777f6e206cf8300c6
-
Filesize
435KB
MD5
1d970a8697b7e321c63bb72e227c5acd
SHA1
70e721e6ddf4df83d79a47af6ec03b77af7b57f7
SHA256
0a57f7d7877e7ddd71e04242db2edf14ba4be54f6e6b2495e022df3e90b36b6d
SHA512
b9c40d6c7ac742c1e3680b983516478782d39f20cefbb979e767b23d067aef96aae29429e220449ddfdc1719a246055b793a7df45f664aa6a4a9fb7c4de2cb13
-
Filesize
443KB
MD5
d8c69ed1ec1b1571c3fdd1440aee147b
SHA1
6d645e48142ec9a621312aa9dc3168c1fb9e9570
SHA256
d22411bf0d12e9824437ac6cd90e4c206a4914806d671abd95e42a64427dae5e
SHA512
62713e7aa53d51b3ab7c5fde0527e0e2416f69455e27ef517eb8756332834f8f2f996c9a2250eddf2fd6d15165eadb411d65d527453eb30bb9f427948c01057f
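The dropped-file listing above is the part of this report an analyst actually consumes: the digests go into a blocklist or a hash lookup. Copied by hand out of an export where the label is fused to the hex value, a digest is easy to truncate or mis-split, and a truncated hash never matches anything. The following Python is an added example, not code from the sandbox or from this report, that parses a listing in this shape into one record per dropped file, rejects any digest of the wrong length for its algorithm, reports records that are missing digests (as the first, cut-off entry in this section is), and flattens the result into a de-duplicated hash list. The sample input is the first two records from the listing above, reproduced in the fused form; the record layout it assumes (a lone "-" separator, "Filesize" followed by its value on the next line, label+hex digest lines) is taken from this page and is all it relies on.

```python
import re

# Sample input: the first two dropped-file records from the listing above,
# reproduced in the fused form the page extraction produced (label and hex
# digest run together, e.g. "MD5d27383..."). Any listing in this shape works.
SAMPLE = """\
-
Filesize
892KB
MD5d27383fc46255500fd0ce250118ebb43
SHA137137057fe152caee901a87db77023b69b4fd248
SHA25674de6a0cb410f42a41c4f013e5cdf8cf6a4a48afb9ea51f2e4ce760fb880147e
SHA512596e55fba526f280eda50b0d4fa959dee7364b8c195cb4088c8929b0d5621cabb19bc5e58039972fb5f805db2bec28bc45f910a319204b588db22633ccd7370c
-
Filesize
860KB
MD5a902164c3152ac91821f645b912c1836
SHA1f29c1af985096d02b79580037bf67b047bb73bd1
SHA25670fd317238cac8fb1320f10205bd0c4d5f639f332b98adb40d089bf42650edd5
SHA5128e893dc514d861f5fe56b7fd81a78d93db56787ed5c83e979b8e0d0f023329854f6ce7ef19ef68cc813af49fece44cca50c1ffb8e343f7509eee3d8391ad4757
"""

# Hex length each digest must have. A record that fails this is rejected
# instead of being shipped as a blocklist entry that can never match.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Longest labels first so "SHA512" / "SHA256" are tried before "SHA1".
_DIGEST_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")


def parse_records(text):
    """Return one dict per dropped file: {'size': ..., 'MD5': ..., ...}.

    Records are separated by a lone '-' line; 'Filesize' is followed by its
    value on the next line; digest lines carry the label fused to the hex.
    """
    records, cur = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln == "-":
            if cur:
                records.append(cur)
            cur = {}
        elif ln == "Filesize" and i + 1 < len(lines):
            cur = {} if cur is None else cur
            cur["size"] = lines[i + 1]
            i += 1  # consume the value line
        else:
            m = _DIGEST_LINE.match(ln)
            if m:
                cur = {} if cur is None else cur
                algo, digest = m.group(1), m.group(2).lower()
                if len(digest) != DIGEST_LEN[algo]:
                    raise ValueError(
                        f"{algo} digest has {len(digest)} hex chars, "
                        f"expected {DIGEST_LEN[algo]}: {ln}")
                if algo in cur:
                    raise ValueError(f"duplicate {algo} in one record: {ln}")
                cur[algo] = digest
        i += 1
    if cur:
        records.append(cur)
    return records


def missing_digests(records):
    """Map record index -> sorted list of digest types that record lacks.
    A record cut off at a page boundary shows up here; complete ones do not."""
    return {i: sorted(set(DIGEST_LEN) - set(r))
            for i, r in enumerate(records) if set(DIGEST_LEN) - set(r)}


def to_hashlist(records, algo="SHA256"):
    """Flat, de-duplicated list of one digest type, ready for a lookup or a
    blocklist. Records lacking that digest are skipped, never padded."""
    seen, out = set(), []
    for r in records:
        d = r.get(algo)
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} records, missing digests: {missing_digests(recs)}")
    for h in to_hashlist(recs):
        print(h)
```

Feed the whole section to parse_records to get every dropped file; the record that opens this section with only a SHA512 surfaces in missing_digests rather than silently contributing a partial entry, and to_hashlist keeps the digests lower-cased so they compare equal to what most hash-lookup services return.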