agenttesla | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

max time kernel
308s
max time network
313s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
12-09-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Archive.zip
Size

25.8MB
MD5

83671dbfab2418604f11993fdc392094
SHA1

5386d1fb94ec2974736a4d8895a2218855ffda69
SHA256

60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f
SHA512

9cf982c9b2949f05ea4ab7d27b369924334cb9f8a0b85c374cf08ac059281ecf96c97088bb983f74033a1a8fba01f09c2f3f41ae3a60e7c79db8b6312edd5138
SSDEEP

786432:+r/Da8WA3C5BENmtAWzdVTkvq+GY8NEXcJap4DFEME/:4/W8WAS5BENmtZ1kvq+GYi8pw+T

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/2jTT3Lnj

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>TrEx/K0mZG7CkRIYYz35iwBcBdBcigykhfeQcWnzgVBXGms6gqADEsxFWp6PVUDsc9xZdyGWDKotQ6jgny+RQQCq6qU/NPqU6RxWED3ANLOugZh0+L9so5qeFQdBu8wkHlBCN+cZb4tjBRDiO7Q5c31qW4t4aVn5aPoqygSC/8qZAwq5g4q03YyoSLMuwuouo9kJstb9y3Cq56783ckbEG1/DMCkpZyJB8QZwl5SQ+dboXwaLoChq9ILyii3bqdvV0mC4CWmsUVhu4DelhS8Pr4CBqgGt8mE2AUDC4yu1ja2z//k/53dzaukewGlDYvPsUkliPJw3a+cPcAMZuILKw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cipppc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daiegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daiegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Berbew.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cipppc32.exe

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/4388-40-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2332-169-0x00000000000C0000-0x00000000000F0000-memory.dmp	family_xworm

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral1/memory/8848-1518-0x0000000000E40000-0x0000000000EEC000-memory.dmp	family_agenttesla
behavioral1/files/0x000700000001ae11-7909.dat	family_agenttesla

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

resource	yara_rule
behavioral1/files/0x000400000002b0dc-12269.dat	cryptone

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2992-37-0x0000000000400000-0x000000000049F000-memory.dmp	modiloader_stage2

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
3348	Cipppc32.exe
1360	Daiegp32.exe
4696	Dmbbaq32.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
9664	icacls.exe
7332	icacls.exe
7388	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/8848-1530-0x0000000002FA0000-0x0000000002FB4000-memory.dmp	agile_net

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/6028-605-0x0000000000400000-0x0000000002CE4000-memory.dmp	upx
behavioral1/memory/3652-408-0x0000000000400000-0x0000000002CE4000-memory.dmp	upx
behavioral1/memory/3652-213-0x0000000000400000-0x0000000002CE4000-memory.dmp	upx
behavioral1/memory/4388-40-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
61	iplogger.org
66	iplogger.org

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	geoiptool.com
26	ip-api.com
60	ip-api.com

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmbbaq32.exe	Daiegp32.exe
File created	C:\Windows\SysWOW64\Ffbhnh32.dll	Daiegp32.exe
File created	C:\Windows\SysWOW64\Cipppc32.exe	Berbew.exe
File created	C:\Windows\SysWOW64\Idngkghj.dll	Berbew.exe
File opened for modification	C:\Windows\SysWOW64\Daiegp32.exe	Cipppc32.exe
File created	C:\Windows\SysWOW64\Oddeop32.dll	Cipppc32.exe
File created	C:\Windows\SysWOW64\Dmbbaq32.exe	Daiegp32.exe
File opened for modification	C:\Windows\SysWOW64\Cipppc32.exe	Berbew.exe
File created	C:\Windows\SysWOW64\Daiegp32.exe	Cipppc32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 4328	2992	BetaBot.exe	92
PID 5104 set thread context of 4408	5104	SmokeLoader.exe	93

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1744	sc.exe
1576	sc.exe
4044	sc.exe
6300	sc.exe
5980	sc.exe
5820	sc.exe
504	sc.exe
2968	sc.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
8872	7756	WerFault.exe	350
8552	7756	WerFault.exe	350
9376	7756	WerFault.exe	350
10208	7756	WerFault.exe	350
8588	6280	WerFault.exe	311

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbbaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BetaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	criticalupdate01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cipppc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daiegp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phorphiex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Berbew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Azorult.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
10160	timeout.exe
8868	timeout.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
8824	vssadmin.exe

Kills process with taskkill 47 IoCs

evasion

pid	Process
2044	taskkill.exe
1512	taskkill.exe
4884	taskkill.exe
2660	taskkill.exe
6120	taskkill.exe
2836	taskkill.exe
1764	taskkill.exe
2404	taskkill.exe
2940	taskkill.exe
2032	taskkill.exe
2212	taskkill.exe
3592	taskkill.exe
6128	taskkill.exe
1592	taskkill.exe
2012	taskkill.exe
3156	taskkill.exe
4560	taskkill.exe
5504	taskkill.exe
2808	taskkill.exe
2028	taskkill.exe
2732	taskkill.exe
304	taskkill.exe
3300	taskkill.exe
5084	taskkill.exe
4792	taskkill.exe
4076	taskkill.exe
6136	taskkill.exe
2664	taskkill.exe
2752	taskkill.exe
3588	taskkill.exe
1940	taskkill.exe
4760	taskkill.exe
2924	taskkill.exe
2004	taskkill.exe
4576	taskkill.exe
1896	taskkill.exe
1864	taskkill.exe
4556	taskkill.exe
2460	taskkill.exe
3320	taskkill.exe
2076	taskkill.exe
3256	taskkill.exe
2676	taskkill.exe
3816	taskkill.exe
2620	taskkill.exe
4732	taskkill.exe
3856	taskkill.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbhnh32.dll"	Daiegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daiegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	Berbew.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idngkghj.dll"	Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddeop32.dll"	Cipppc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cipppc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daiegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Berbew.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	Berbew.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cipppc32.exe

Runs .reg file with regedit 2 IoCs

pid	Process
8976	regedit.exe
9064	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7432	schtasks.exe
11596	schtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2024	31.exe
4976	Azorult.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 3348	2788	Berbew.exe	493
PID 2788 wrote to memory of 3348	2788	Berbew.exe	493
PID 2788 wrote to memory of 3348	2788	Berbew.exe	493
PID 3348 wrote to memory of 1360	3348	Cipppc32.exe	90
PID 3348 wrote to memory of 1360	3348	Cipppc32.exe	90
PID 3348 wrote to memory of 1360	3348	Cipppc32.exe	90
PID 2992 wrote to memory of 4328	2992	BetaBot.exe	92
PID 2992 wrote to memory of 4328	2992	BetaBot.exe	92
PID 2992 wrote to memory of 4328	2992	BetaBot.exe	92
PID 5104 wrote to memory of 4408	5104	SmokeLoader.exe	93
PID 5104 wrote to memory of 4408	5104	SmokeLoader.exe	93
PID 5104 wrote to memory of 4408	5104	SmokeLoader.exe	93
PID 1360 wrote to memory of 4696	1360	Daiegp32.exe	94
PID 1360 wrote to memory of 4696	1360	Daiegp32.exe	94
PID 1360 wrote to memory of 4696	1360	Daiegp32.exe	94
PID 2992 wrote to memory of 4328	2992	BetaBot.exe	92
PID 2992 wrote to memory of 4328	2992	BetaBot.exe	92
PID 5104 wrote to memory of 4408	5104	SmokeLoader.exe	93
PID 5104 wrote to memory of 4408	5104	SmokeLoader.exe	93
PID 5104 wrote to memory of 4408	5104	SmokeLoader.exe	93

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Archive.zip
1⤵
PID:4892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4752

C:\Users\Admin\Desktop\anal\SmokeLoader.exe
"C:\Users\Admin\Desktop\anal\SmokeLoader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\Desktop\anal\SmokeLoader.exe
  "C:\Users\Admin\Desktop\anal\SmokeLoader.exe"
  2⤵
  PID:4408

C:\Users\Admin\Desktop\anal\BetaBot.exe
"C:\Users\Admin\Desktop\anal\BetaBot.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\Desktop\anal\BetaBot.exe
  "C:\Users\Admin\Desktop\anal\BetaBot.exe"
  2⤵
  PID:4328
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:6912

C:\Users\Admin\Desktop\anal\Phorphiex.exe
"C:\Users\Admin\Desktop\anal\Phorphiex.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3652
- C:\Windows\3049586940303040\wcfgmgr32.exe
  C:\Windows\3049586940303040\wcfgmgr32.exe
  2⤵
  PID:6028

C:\Users\Admin\Desktop\anal\Berbew.exe
"C:\Users\Admin\Desktop\anal\Berbew.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\Cipppc32.exe
  C:\Windows\system32\Cipppc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\Daiegp32.exe
    C:\Windows\system32\Daiegp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\Dmbbaq32.exe
      C:\Windows\system32\Dmbbaq32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4696
    - - C:\Windows\SysWOW64\Ehlpjikd.exe
        
        C:\Windows\system32\Ehlpjikd.exe
        5⤵
        
        PID:4964
      - C:\Windows\SysWOW64\Fabqdl32.exe
        
        C:\Windows\system32\Fabqdl32.exe
        6⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Gmqgjl32.exe
        
        C:\Windows\system32\Gmqgjl32.exe
        7⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Ghmbhd32.exe
        
        C:\Windows\system32\Ghmbhd32.exe
        8⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Hhdhhchf.exe
        
        C:\Windows\system32\Hhdhhchf.exe
        9⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Jqpfccgo.exe
        
        C:\Windows\system32\Jqpfccgo.exe
        10⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\Jkjclk32.exe
        
        C:\Windows\system32\Jkjclk32.exe
        11⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\Kdgapp32.exe
        
        C:\Windows\system32\Kdgapp32.exe
        12⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Kkechjib.exe
        
        C:\Windows\system32\Kkechjib.exe
        13⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\Lgamhjja.exe
        
        C:\Windows\system32\Lgamhjja.exe
        14⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Meefhl32.exe
        
        C:\Windows\system32\Meefhl32.exe
        15⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Nejpckgc.exe
        
        C:\Windows\system32\Nejpckgc.exe
        16⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Oeccijoh.exe
        
        C:\Windows\system32\Oeccijoh.exe
        17⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Pklkmo32.exe
        
        C:\Windows\system32\Pklkmo32.exe
        18⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Phddbbnf.exe
        
        C:\Windows\system32\Phddbbnf.exe
        19⤵
        
        PID:504
        
        C:\Windows\SysWOW64\Pkencn32.exe
        
        C:\Windows\system32\Pkencn32.exe
        20⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Qaabfgpa.exe
        
        C:\Windows\system32\Qaabfgpa.exe
        21⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Ajkgmd32.exe
        
        C:\Windows\system32\Ajkgmd32.exe
        22⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Allpnplb.exe
        
        C:\Windows\system32\Allpnplb.exe
        23⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Ackbfioj.exe
        
        C:\Windows\system32\Ackbfioj.exe
        24⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Bfkkhdlk.exe
        
        C:\Windows\system32\Bfkkhdlk.exe
        25⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Bjlpcbqo.exe
        
        C:\Windows\system32\Bjlpcbqo.exe
        26⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Ckaffjbg.exe
        
        C:\Windows\system32\Ckaffjbg.exe
        27⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Cfldob32.exe
        
        C:\Windows\system32\Cfldob32.exe
        28⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\Diafkl32.exe
        
        C:\Windows\system32\Diafkl32.exe
        29⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Dfjpppbh.exe
        
        C:\Windows\system32\Dfjpppbh.exe
        30⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Elienf32.exe
        
        C:\Windows\system32\Elienf32.exe
        31⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Epikid32.exe
        
        C:\Windows\system32\Epikid32.exe
        32⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Fbcfan32.exe
        
        C:\Windows\system32\Fbcfan32.exe
        33⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Fmkgdgej.exe
        
        C:\Windows\system32\Fmkgdgej.exe
        34⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Gkhkdjli.exe
        
        C:\Windows\system32\Gkhkdjli.exe
        35⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Hpabho32.exe
        
        C:\Windows\system32\Hpabho32.exe
        36⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Inecac32.exe
        
        C:\Windows\system32\Inecac32.exe
        37⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Ingpgcmj.exe
        
        C:\Windows\system32\Ingpgcmj.exe
        38⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Jgigfg32.exe
        
        C:\Windows\system32\Jgigfg32.exe
        39⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Jjjpgb32.exe
        
        C:\Windows\system32\Jjjpgb32.exe
        40⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Jjlmmbfo.exe
        
        C:\Windows\system32\Jjlmmbfo.exe
        41⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Kqknekjf.exe
        
        C:\Windows\system32\Kqknekjf.exe
        42⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Kmfhelke.exe
        
        C:\Windows\system32\Kmfhelke.exe
        43⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Lqfnqjpi.exe
        
        C:\Windows\system32\Lqfnqjpi.exe
        44⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Ljcldo32.exe
        
        C:\Windows\system32\Ljcldo32.exe
        45⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Mkhajq32.exe
        
        C:\Windows\system32\Mkhajq32.exe
        46⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Mebchf32.exe
        
        C:\Windows\system32\Mebchf32.exe
        47⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Nmpdbh32.exe
        
        C:\Windows\system32\Nmpdbh32.exe
        48⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Nmbaggce.exe
        
        C:\Windows\system32\Nmbaggce.exe
        49⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Ncofjaho.exe
        
        C:\Windows\system32\Ncofjaho.exe
        50⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Neqoidmo.exe
        
        C:\Windows\system32\Neqoidmo.exe
        51⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Odfljp32.exe
        
        C:\Windows\system32\Odfljp32.exe
        52⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Oldjlm32.exe
        
        C:\Windows\system32\Oldjlm32.exe
        53⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Pecefa32.exe
        
        C:\Windows\system32\Pecefa32.exe
        54⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Plpjhk32.exe
        
        C:\Windows\system32\Plpjhk32.exe
        55⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Alfpijll.exe
        
        C:\Windows\system32\Alfpijll.exe
        56⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Aklmjfad.exe
        
        C:\Windows\system32\Aklmjfad.exe
        57⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Aojepe32.exe
        
        C:\Windows\system32\Aojepe32.exe
        58⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Aolbedeh.exe
        
        C:\Windows\system32\Aolbedeh.exe
        59⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Aehghn32.exe
        
        C:\Windows\system32\Aehghn32.exe
        60⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Bekdmnio.exe
        
        C:\Windows\system32\Bekdmnio.exe
        61⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Bhkmoifp.exe
        
        C:\Windows\system32\Bhkmoifp.exe
        62⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Bklfqd32.exe
        
        C:\Windows\system32\Bklfqd32.exe
        63⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Bojogb32.exe
        
        C:\Windows\system32\Bojogb32.exe
        64⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Cdlpjicj.exe
        
        C:\Windows\system32\Cdlpjicj.exe
        65⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Ddjmkg32.exe
        
        C:\Windows\system32\Ddjmkg32.exe
        66⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Efpofi32.exe
        
        C:\Windows\system32\Efpofi32.exe
        67⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Fnegqjne.exe
        
        C:\Windows\system32\Fnegqjne.exe
        68⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Giaaoa32.exe
        
        C:\Windows\system32\Giaaoa32.exe
        69⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Gihgoq32.exe
        
        C:\Windows\system32\Gihgoq32.exe
        70⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Iocliecb.exe
        
        C:\Windows\system32\Iocliecb.exe
        71⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Igomeb32.exe
        
        C:\Windows\system32\Igomeb32.exe
        72⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Ichkpb32.exe
        
        C:\Windows\system32\Ichkpb32.exe
        73⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Jmplbk32.exe
        
        C:\Windows\system32\Jmplbk32.exe
        74⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Jcoapami.exe
        
        C:\Windows\system32\Jcoapami.exe
        75⤵
        
        PID:516
        
        C:\Windows\SysWOW64\Kpjgjefj.exe
        
        C:\Windows\system32\Kpjgjefj.exe
        76⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Kodnfqgm.exe
        
        C:\Windows\system32\Kodnfqgm.exe
        77⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Lngkjhmi.exe
        
        C:\Windows\system32\Lngkjhmi.exe
        78⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Lfeldj32.exe
        
        C:\Windows\system32\Lfeldj32.exe
        79⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Lfgiii32.exe
        
        C:\Windows\system32\Lfgiii32.exe
        80⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Mggecl32.exe
        
        C:\Windows\system32\Mggecl32.exe
        81⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Mcdlil32.exe
        
        C:\Windows\system32\Mcdlil32.exe
        82⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Npbcollj.exe
        
        C:\Windows\system32\Npbcollj.exe
        83⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Oafido32.exe
        
        C:\Windows\system32\Oafido32.exe
        84⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Ojajbdde.exe
        
        C:\Windows\system32\Ojajbdde.exe
        85⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Pnfiia32.exe
        
        C:\Windows\system32\Pnfiia32.exe
        86⤵
        
        PID:356
        
        C:\Windows\SysWOW64\Adcjhf32.exe
        
        C:\Windows\system32\Adcjhf32.exe
        87⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Amnlfk32.exe
        
        C:\Windows\system32\Amnlfk32.exe
        88⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Bmceaj32.exe
        
        C:\Windows\system32\Bmceaj32.exe
        89⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Ckphamkp.exe
        
        C:\Windows\system32\Ckphamkp.exe
        90⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Dklhmlac.exe
        
        C:\Windows\system32\Dklhmlac.exe
        91⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Egjobl32.exe
        
        C:\Windows\system32\Egjobl32.exe
        92⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Fkcgdh32.exe
        
        C:\Windows\system32\Fkcgdh32.exe
        93⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Fofiff32.exe
        
        C:\Windows\system32\Fofiff32.exe
        94⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Giqjdk32.exe
        
        C:\Windows\system32\Giqjdk32.exe
        95⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\Henajkcc.exe
        
        C:\Windows\system32\Henajkcc.exe
        96⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Hhfplejl.exe
        
        C:\Windows\system32\Hhfplejl.exe
        97⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Iecclhak.exe
        
        C:\Windows\system32\Iecclhak.exe
        98⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Kafcmglb.exe
        
        C:\Windows\system32\Kafcmglb.exe
        99⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Mckbhg32.exe
        
        C:\Windows\system32\Mckbhg32.exe
        100⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\Mjggka32.exe
        
        C:\Windows\system32\Mjggka32.exe
        101⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Mcaiif32.exe
        
        C:\Windows\system32\Mcaiif32.exe
        102⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Njpjap32.exe
        
        C:\Windows\system32\Njpjap32.exe
        103⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Nqolii32.exe
        
        C:\Windows\system32\Nqolii32.exe
        104⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Oqcedino.exe
        
        C:\Windows\system32\Oqcedino.exe
        105⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Ooibee32.exe
        
        C:\Windows\system32\Ooibee32.exe
        106⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Ojqchnpj.exe
        
        C:\Windows\system32\Ojqchnpj.exe
        107⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Opphed32.exe
        
        C:\Windows\system32\Opphed32.exe
        108⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Pbqago32.exe
        
        C:\Windows\system32\Pbqago32.exe
        109⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Pimfji32.exe
        
        C:\Windows\system32\Pimfji32.exe
        110⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Piocoi32.exe
        
        C:\Windows\system32\Piocoi32.exe
        111⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\Piapehkd.exe
        
        C:\Windows\system32\Piapehkd.exe
        112⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Amkhfegn.exe
        
        C:\Windows\system32\Amkhfegn.exe
        113⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Bffiejkk.exe
        
        C:\Windows\system32\Bffiejkk.exe
        114⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Bdlfdnhb.exe
        
        C:\Windows\system32\Bdlfdnhb.exe
        115⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Bfmoei32.exe
        
        C:\Windows\system32\Bfmoei32.exe
        116⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Bkkhlhlj.exe
        
        C:\Windows\system32\Bkkhlhlj.exe
        117⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Caqpdpii.exe
        
        C:\Windows\system32\Caqpdpii.exe
        118⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Epalakcd.exe
        
        C:\Windows\system32\Epalakcd.exe
        119⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Fboellof.exe
        
        C:\Windows\system32\Fboellof.exe
        120⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\Gqfochal.exe
        
        C:\Windows\system32\Gqfochal.exe
        121⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Gqkhng32.exe
        
        C:\Windows\system32\Gqkhng32.exe
        122⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\Gnaemkjn.exe
        
        C:\Windows\system32\Gnaemkjn.exe
        123⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\Hbdgnilo.exe
        
        C:\Windows\system32\Hbdgnilo.exe
        124⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ibmjdgdd.exe
        
        C:\Windows\system32\Ibmjdgdd.exe
        125⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Ieqplb32.exe
        
        C:\Windows\system32\Ieqplb32.exe
        126⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Jelogq32.exe
        
        C:\Windows\system32\Jelogq32.exe
        127⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Klkaojhl.exe
        
        C:\Windows\system32\Klkaojhl.exe
        128⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Leoedn32.exe
        
        C:\Windows\system32\Leoedn32.exe
        129⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Mehhjm32.exe
        
        C:\Windows\system32\Mehhjm32.exe
        130⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Neakpk32.exe
        
        C:\Windows\system32\Neakpk32.exe
        131⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Ndlamg32.exe
        
        C:\Windows\system32\Ndlamg32.exe
        132⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Oljonc32.exe
        
        C:\Windows\system32\Oljonc32.exe
        133⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Oomeenke.exe
        
        C:\Windows\system32\Oomeenke.exe
        134⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Pcacll32.exe
        
        C:\Windows\system32\Pcacll32.exe
        135⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Abgjdeai.exe
        
        C:\Windows\system32\Abgjdeai.exe
        136⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Ciakhmkc.exe
        
        C:\Windows\system32\Ciakhmkc.exe
        137⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Fjpppipq.exe
        
        C:\Windows\system32\Fjpppipq.exe
        138⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\Gdadip32.exe
        
        C:\Windows\system32\Gdadip32.exe
        139⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Gdfmdpbd.exe
        
        C:\Windows\system32\Gdfmdpbd.exe
        140⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Hnhdcd32.exe
        
        C:\Windows\system32\Hnhdcd32.exe
        141⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Incdob32.exe
        
        C:\Windows\system32\Incdob32.exe
        142⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\Kndmfphj.exe
        
        C:\Windows\system32\Kndmfphj.exe
        143⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Kjmjqqlk.exe
        
        C:\Windows\system32\Kjmjqqlk.exe
        144⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Leqkog32.exe
        
        C:\Windows\system32\Leqkog32.exe
        145⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Mdjakcpd.exe
        
        C:\Windows\system32\Mdjakcpd.exe
        146⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Mobbnl32.exe
        
        C:\Windows\system32\Mobbnl32.exe
        147⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Mhmcmqbe.exe
        
        C:\Windows\system32\Mhmcmqbe.exe
        148⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Oglcdlob.exe
        
        C:\Windows\system32\Oglcdlob.exe
        149⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Ohnlcndb.exe
        
        C:\Windows\system32\Ohnlcndb.exe
        150⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Phdbdm32.exe
        
        C:\Windows\system32\Phdbdm32.exe
        151⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Abdfdp32.exe
        
        C:\Windows\system32\Abdfdp32.exe
        152⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Dnbfam32.exe
        
        C:\Windows\system32\Dnbfam32.exe
        153⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\Gcaqeg32.exe
        
        C:\Windows\system32\Gcaqeg32.exe
        154⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\Hcmpqe32.exe
        
        C:\Windows\system32\Hcmpqe32.exe
        155⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Hhnbdl32.exe
        
        C:\Windows\system32\Hhnbdl32.exe
        156⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\Iomcle32.exe
        
        C:\Windows\system32\Iomcle32.exe
        157⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Jmdjag32.exe
        
        C:\Windows\system32\Jmdjag32.exe
        158⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\Mhjpmkql.exe
        
        C:\Windows\system32\Mhjpmkql.exe
        159⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Nieoja32.exe
        
        C:\Windows\system32\Nieoja32.exe
        160⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Qgehfbei.exe
        
        C:\Windows\system32\Qgehfbei.exe
        161⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Cqghld32.exe
        
        C:\Windows\system32\Cqghld32.exe
        162⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Eldlaiph.exe
        
        C:\Windows\system32\Eldlaiph.exe
        163⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Geoffl32.exe
        
        C:\Windows\system32\Geoffl32.exe
        164⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Ihlgkc32.exe
        
        C:\Windows\system32\Ihlgkc32.exe
        165⤵
        
        PID:204
        
        C:\Windows\SysWOW64\Lmclnnkm.exe
        
        C:\Windows\system32\Lmclnnkm.exe
        166⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Oboinqoa.exe
        
        C:\Windows\system32\Oboinqoa.exe
        167⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\Ofalpnac.exe
        
        C:\Windows\system32\Ofalpnac.exe
        168⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\Bjecddpl.exe
        
        C:\Windows\system32\Bjecddpl.exe
        169⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\Fnigcn32.exe
        
        C:\Windows\system32\Fnigcn32.exe
        170⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Fjdacn32.exe
        
        C:\Windows\system32\Fjdacn32.exe
        171⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Hkicekeo.exe
        
        C:\Windows\system32\Hkicekeo.exe
        172⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Klehbj32.exe
        
        C:\Windows\system32\Klehbj32.exe
        173⤵
        
        PID:660
        
        C:\Windows\SysWOW64\Lnadeppb.exe
        
        C:\Windows\system32\Lnadeppb.exe
        174⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Lkjojd32.exe
        
        C:\Windows\system32\Lkjojd32.exe
        175⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Mejichko.exe
        
        C:\Windows\system32\Mejichko.exe
        176⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Ofjodi32.exe
        
        C:\Windows\system32\Ofjodi32.exe
        177⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Poqcdj32.exe
        
        C:\Windows\system32\Poqcdj32.exe
        178⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Pbahph32.exe
        
        C:\Windows\system32\Pbahph32.exe
        179⤵
        
        PID:504
        
        C:\Windows\SysWOW64\Acodafoq.exe
        
        C:\Windows\system32\Acodafoq.exe
        180⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\Binfiobh.exe
        
        C:\Windows\system32\Binfiobh.exe
        181⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Cjlbkm32.exe
        
        C:\Windows\system32\Cjlbkm32.exe
        182⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\Dnggbi32.exe
        
        C:\Windows\system32\Dnggbi32.exe
        183⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Egdefncj.exe
        
        C:\Windows\system32\Egdefncj.exe
        184⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\Encgnhfa.exe
        
        C:\Windows\system32\Encgnhfa.exe
        185⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Fmmmjcgd.exe
        
        C:\Windows\system32\Fmmmjcgd.exe
        186⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Hmdlap32.exe
        
        C:\Windows\system32\Hmdlap32.exe
        187⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Jhapffnd.exe
        
        C:\Windows\system32\Jhapffnd.exe
        188⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\Lhplhd32.exe
        
        C:\Windows\system32\Lhplhd32.exe
        189⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Ldkfhd32.exe
        
        C:\Windows\system32\Ldkfhd32.exe
        190⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Mknakmce.exe
        
        C:\Windows\system32\Mknakmce.exe
        191⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\Nhgkoq32.exe
        
        C:\Windows\system32\Nhgkoq32.exe
        192⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Nnkihf32.exe
        
        C:\Windows\system32\Nnkihf32.exe
        193⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Ogonmj32.exe
        
        C:\Windows\system32\Ogonmj32.exe
        194⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Pnnodd32.exe
        
        C:\Windows\system32\Pnnodd32.exe
        195⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Pelalm32.exe
        
        C:\Windows\system32\Pelalm32.exe
        196⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Aonhkaga.exe
        
        C:\Windows\system32\Aonhkaga.exe
        197⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Cpecmaji.exe
        
        C:\Windows\system32\Cpecmaji.exe
        198⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Dpljnp32.exe
        
        C:\Windows\system32\Dpljnp32.exe
        199⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\Dpcpno32.exe
        
        C:\Windows\system32\Dpcpno32.exe
        200⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\Ebnolflm.exe
        
        C:\Windows\system32\Ebnolflm.exe
        201⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Fqciempf.exe
        
        C:\Windows\system32\Fqciempf.exe
        202⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Ffekhc32.exe
        
        C:\Windows\system32\Ffekhc32.exe
        203⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Gihqpneg.exe
        
        C:\Windows\system32\Gihqpneg.exe
        204⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Gimjkm32.exe
        
        C:\Windows\system32\Gimjkm32.exe
        205⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\Hjappodo.exe
        
        C:\Windows\system32\Hjappodo.exe
        206⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\Hpbace32.exe
        
        C:\Windows\system32\Hpbace32.exe
        207⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Jpgdeb32.exe
        
        C:\Windows\system32\Jpgdeb32.exe
        208⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Mneplcde.exe
        
        C:\Windows\system32\Mneplcde.exe
        209⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Nkepae32.exe
        
        C:\Windows\system32\Nkepae32.exe
        210⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Nqiojl32.exe
        
        C:\Windows\system32\Nqiojl32.exe
        211⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\Pnhoon32.exe
        
        C:\Windows\system32\Pnhoon32.exe
        212⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Pbkaplho.exe
        
        C:\Windows\system32\Pbkaplho.exe
        213⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\Aaiahg32.exe
        
        C:\Windows\system32\Aaiahg32.exe
        214⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Bdhfkp32.exe
        
        C:\Windows\system32\Bdhfkp32.exe
        215⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Cdolkope.exe
        
        C:\Windows\system32\Cdolkope.exe
        216⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Ddklgmeg.exe
        
        C:\Windows\system32\Ddklgmeg.exe
        217⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\Dkjmogio.exe
        
        C:\Windows\system32\Dkjmogio.exe
        218⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Edkdnkge.exe
        
        C:\Windows\system32\Edkdnkge.exe
        219⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Fkjffdjl.exe
        
        C:\Windows\system32\Fkjffdjl.exe
        220⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Gdlnei32.exe
        
        C:\Windows\system32\Gdlnei32.exe
        221⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Hfdmejhj.exe
        
        C:\Windows\system32\Hfdmejhj.exe
        222⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Jfjoggfb.exe
        
        C:\Windows\system32\Jfjoggfb.exe
        223⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Kbcehe32.exe
        
        C:\Windows\system32\Kbcehe32.exe
        224⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Mibpgm32.exe
        
        C:\Windows\system32\Mibpgm32.exe
        225⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Pgnphnke.exe
        
        C:\Windows\system32\Pgnphnke.exe
        226⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Pggbnlbj.exe
        
        C:\Windows\system32\Pggbnlbj.exe
        227⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Agpedkjp.exe
        
        C:\Windows\system32\Agpedkjp.exe
        228⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Bglepipb.exe
        
        C:\Windows\system32\Bglepipb.exe
        229⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Cfkegd32.exe
        
        C:\Windows\system32\Cfkegd32.exe
        230⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Chlngg32.exe
        
        C:\Windows\system32\Chlngg32.exe
        231⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Emjofl32.exe
        
        C:\Windows\system32\Emjofl32.exe
        232⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Eonekn32.exe
        
        C:\Windows\system32\Eonekn32.exe
        233⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Hbkgpe32.exe
        
        C:\Windows\system32\Hbkgpe32.exe
        234⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\Jbdbmace.exe
        
        C:\Windows\system32\Jbdbmace.exe
        235⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Khfdpgng.exe
        
        C:\Windows\system32\Khfdpgng.exe
        236⤵
        
        PID:684
        
        C:\Windows\SysWOW64\Lfeaomjf.exe
        
        C:\Windows\system32\Lfeaomjf.exe
        237⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Mlklnbpc.exe
        
        C:\Windows\system32\Mlklnbpc.exe
        238⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\Nbljklah.exe
        
        C:\Windows\system32\Nbljklah.exe
        239⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\Pphjlm32.exe
        
        C:\Windows\system32\Pphjlm32.exe
        240⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Acilde32.exe
        
        C:\Windows\system32\Acilde32.exe
        241⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Bjgnlo32.exe
        
        C:\Windows\system32\Bjgnlo32.exe
        242⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Biogck32.exe
        
        C:\Windows\system32\Biogck32.exe
        243⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Emdoqf32.exe
        
        C:\Windows\system32\Emdoqf32.exe
        244⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\Ehlpcopa.exe
        
        C:\Windows\system32\Ehlpcopa.exe
        245⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\Fmpoldhq.exe
        
        C:\Windows\system32\Fmpoldhq.exe
        246⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Fiilgelb.exe
        
        C:\Windows\system32\Fiilgelb.exe
        247⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Fgpifi32.exe
        
        C:\Windows\system32\Fgpifi32.exe
        248⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\Gdffem32.exe
        
        C:\Windows\system32\Gdffem32.exe
        249⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\Hgbobfid.exe
        
        C:\Windows\system32\Hgbobfid.exe
        250⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Jgngebpd.exe
        
        C:\Windows\system32\Jgngebpd.exe
        251⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Qekbjl32.exe
        
        C:\Windows\system32\Qekbjl32.exe
        252⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Aklcnbjm.exe
        
        C:\Windows\system32\Aklcnbjm.exe
        253⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Bjdjli32.exe
        
        C:\Windows\system32\Bjdjli32.exe
        254⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Bjicgh32.exe
        
        C:\Windows\system32\Bjicgh32.exe
        255⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Cooofnnk.exe
        
        C:\Windows\system32\Cooofnnk.exe
        256⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Dbeabh32.exe
        
        C:\Windows\system32\Dbeabh32.exe
        257⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\Djqboedd.exe
        
        C:\Windows\system32\Djqboedd.exe
        258⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Ebqqnf32.exe
        
        C:\Windows\system32\Ebqqnf32.exe
        259⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Ecdfcipg.exe
        
        C:\Windows\system32\Ecdfcipg.exe
        260⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Hpcfpfaq.exe
        
        C:\Windows\system32\Hpcfpfaq.exe
        261⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Hkkgco32.exe
        
        C:\Windows\system32\Hkkgco32.exe
        262⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Inbfei32.exe
        
        C:\Windows\system32\Inbfei32.exe
        263⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Jlafldcj.exe
        
        C:\Windows\system32\Jlafldcj.exe
        264⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\Jpoobb32.exe
        
        C:\Windows\system32\Jpoobb32.exe
        265⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Kdaadpkb.exe
        
        C:\Windows\system32\Kdaadpkb.exe
        266⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Knlbbepp.exe
        
        C:\Windows\system32\Knlbbepp.exe
        267⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Lnchcd32.exe
        
        C:\Windows\system32\Lnchcd32.exe
        268⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\Mjclndga.exe
        
        C:\Windows\system32\Mjclndga.exe
        269⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Mmdepo32.exe
        
        C:\Windows\system32\Mmdepo32.exe
        270⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\Mebcalol.exe
        
        C:\Windows\system32\Mebcalol.exe
        271⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Ncgpbhdd.exe
        
        C:\Windows\system32\Ncgpbhdd.exe
        272⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Nabfmkmf.exe
        
        C:\Windows\system32\Nabfmkmf.exe
        273⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Ookpao32.exe
        
        C:\Windows\system32\Ookpao32.exe
        274⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Pkiggogf.exe
        
        C:\Windows\system32\Pkiggogf.exe
        275⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Qajedhhk.exe
        
        C:\Windows\system32\Qajedhhk.exe
        276⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Adadfbod.exe
        
        C:\Windows\system32\Adadfbod.exe
        277⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Bnclef32.exe
        
        C:\Windows\system32\Bnclef32.exe
        278⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Cfdgmbfb.exe
        
        C:\Windows\system32\Cfdgmbfb.exe
        279⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\Cboambhq.exe
        
        C:\Windows\system32\Cboambhq.exe
        280⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Dhlfol32.exe
        
        C:\Windows\system32\Dhlfol32.exe
        281⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Dhnbelkh.exe
        
        C:\Windows\system32\Dhnbelkh.exe
        282⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Dnmhbb32.exe
        
        C:\Windows\system32\Dnmhbb32.exe
        283⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Ekceaf32.exe
        
        C:\Windows\system32\Ekceaf32.exe
        284⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Ebbfipgk.exe
        
        C:\Windows\system32\Ebbfipgk.exe
        285⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\Fegifj32.exe
        
        C:\Windows\system32\Fegifj32.exe
        286⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Fpbfoblh.exe
        
        C:\Windows\system32\Fpbfoblh.exe
        287⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\Gmhcnf32.exe
        
        C:\Windows\system32\Gmhcnf32.exe
        288⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Glbjjbja.exe
        
        C:\Windows\system32\Glbjjbja.exe
        289⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Hihgiffh.exe
        
        C:\Windows\system32\Hihgiffh.exe
        290⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Hmfpodmo.exe
        
        C:\Windows\system32\Hmfpodmo.exe
        291⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Hlnjeqpd.exe
        
        C:\Windows\system32\Hlnjeqpd.exe
        292⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\Hiajoeon.exe
        
        C:\Windows\system32\Hiajoeon.exe
        293⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Iblkmjck.exe
        
        C:\Windows\system32\Iblkmjck.exe
        294⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Ieanjd32.exe
        
        C:\Windows\system32\Ieanjd32.exe
        295⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Jolohj32.exe
        
        C:\Windows\system32\Jolohj32.exe
        296⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\Jeidkc32.exe
        
        C:\Windows\system32\Jeidkc32.exe
        297⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Jekqpc32.exe
        
        C:\Windows\system32\Jekqpc32.exe
        298⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Jemmfcbj.exe
        
        C:\Windows\system32\Jemmfcbj.exe
        299⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Kgofeegj.exe
        
        C:\Windows\system32\Kgofeegj.exe
        300⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\Knlkho32.exe
        
        C:\Windows\system32\Knlkho32.exe
        301⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Kpoaojgb.exe
        
        C:\Windows\system32\Kpoaojgb.exe
        302⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Lgmbgc32.exe
        
        C:\Windows\system32\Lgmbgc32.exe
        303⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Lgblbb32.exe
        
        C:\Windows\system32\Lgblbb32.exe
        304⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Mjeainbc.exe
        
        C:\Windows\system32\Mjeainbc.exe
        305⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\Mflbnogg.exe
        
        C:\Windows\system32\Mflbnogg.exe
        306⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Nnojkjnl.exe
        
        C:\Windows\system32\Nnojkjnl.exe
        307⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Napcme32.exe
        
        C:\Windows\system32\Napcme32.exe
        308⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Oabpbe32.exe
        
        C:\Windows\system32\Oabpbe32.exe
        309⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\Ojajliic.exe
        
        C:\Windows\system32\Ojajliic.exe
        310⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Pmgmhdbo.exe
        
        C:\Windows\system32\Pmgmhdbo.exe
        311⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Pmkfcc32.exe
        
        C:\Windows\system32\Pmkfcc32.exe
        312⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Bmcekp32.exe
        
        C:\Windows\system32\Bmcekp32.exe
        313⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Cknlec32.exe
        
        C:\Windows\system32\Cknlec32.exe
        314⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Dkikaa32.exe
        
        C:\Windows\system32\Dkikaa32.exe
        315⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Fqkfkedb.exe
        
        C:\Windows\system32\Fqkfkedb.exe
        316⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\Gbioffpe.exe
        
        C:\Windows\system32\Gbioffpe.exe
        317⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\Jahgeo32.exe
        
        C:\Windows\system32\Jahgeo32.exe
        318⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\Moofanna.exe
        
        C:\Windows\system32\Moofanna.exe
        319⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Nbnldg32.exe
        
        C:\Windows\system32\Nbnldg32.exe
        320⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Ofbkkepq.exe
        
        C:\Windows\system32\Ofbkkepq.exe
        321⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\Ppbeei32.exe
        
        C:\Windows\system32\Ppbeei32.exe
        322⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\Qidldnno.exe
        
        C:\Windows\system32\Qidldnno.exe
        323⤵
        
        PID:11776
        
        C:\Windows\SysWOW64\Afocnagq.exe
        
        C:\Windows\system32\Afocnagq.exe
        324⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\Bdgmbd32.exe
        
        C:\Windows\system32\Bdgmbd32.exe
        325⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Cgoldo32.exe
        
        C:\Windows\system32\Cgoldo32.exe
        326⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Cghokm32.exe
        
        C:\Windows\system32\Cghokm32.exe
        327⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\Lopcej32.exe
        
        C:\Windows\system32\Lopcej32.exe
        328⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\Mdikjo32.exe
        
        C:\Windows\system32\Mdikjo32.exe
        329⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Mocibg32.exe
        
        C:\Windows\system32\Mocibg32.exe
        330⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\Nfdgpq32.exe
        
        C:\Windows\system32\Nfdgpq32.exe
        331⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Ocmaddci.exe
        
        C:\Windows\system32\Ocmaddci.exe
        332⤵
        
        PID:12124
        
        C:\Windows\SysWOW64\Pcacfa32.exe
        
        C:\Windows\system32\Pcacfa32.exe
        333⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\Amhdpe32.exe
        
        C:\Windows\system32\Amhdpe32.exe
        334⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\Bckpcnjd.exe
        
        C:\Windows\system32\Bckpcnjd.exe
        335⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Cbhbei32.exe
        
        C:\Windows\system32\Cbhbei32.exe
        336⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\Dpbiolae.exe
        
        C:\Windows\system32\Dpbiolae.exe
        337⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\Fnlljm32.exe
        
        C:\Windows\system32\Fnlljm32.exe
        338⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Gcbgic32.exe
        
        C:\Windows\system32\Gcbgic32.exe
        339⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\Hckjoa32.exe
        
        C:\Windows\system32\Hckjoa32.exe
        340⤵
        
        PID:11784
        
        C:\Windows\SysWOW64\Hcdmep32.exe
        
        C:\Windows\system32\Hcdmep32.exe
        341⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Jmpgjcjj.exe
        
        C:\Windows\system32\Jmpgjcjj.exe
        342⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Knhfke32.exe
        
        C:\Windows\system32\Knhfke32.exe
        343⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Lfkapf32.exe
        
        C:\Windows\system32\Lfkapf32.exe
        344⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Oehjpjpd.exe
        
        C:\Windows\system32\Oehjpjpd.exe
        345⤵
        
        PID:11160
        
        C:\Windows\SysWOW64\Pnmakked.exe
        
        C:\Windows\system32\Pnmakked.exe
        346⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\Ailaep32.exe
        
        C:\Windows\system32\Ailaep32.exe
        347⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\Bejhkpoi.exe
        
        C:\Windows\system32\Bejhkpoi.exe
        348⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\Fpdhacnd.exe
        
        C:\Windows\system32\Fpdhacnd.exe
        349⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\Fgffnloi.exe
        
        C:\Windows\system32\Fgffnloi.exe
        350⤵
        
        PID:3892

C:\Users\Admin\Desktop\anal\criticalupdate01.exe
"C:\Users\Admin\Desktop\anal\criticalupdate01.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4736
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  PID:8300

C:\Users\Admin\Desktop\anal\default.exe
"C:\Users\Admin\Desktop\anal\default.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3380
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
  2⤵
  PID:6280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 1936
    3⤵
    - Program crash
    PID:8588
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:8172

C:\Users\Admin\Desktop\anal\Client-2.exe
"C:\Users\Admin\Desktop\anal\Client-2.exe"
1⤵
PID:520
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:1576
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:1744
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:2968
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:504
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:4760
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:1512
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:4556
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4560
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:4792
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:2044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:3156
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:3592
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:2212
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:2004
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:2012
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:3856
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:4732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:2620
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:2732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:1940
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:2028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:2032
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:1864
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3816
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:1592
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:1896
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:2940
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:2676
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:3256
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:5084
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:4576
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:2076
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:2404
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:3588
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:4076
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:3048
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:2808
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:2752
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:2836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:3320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:2924
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:3300
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:2664
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:2460
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:2660
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:5504
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:6120
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:6128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:6136
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:3124

C:\Users\Admin\Desktop\anal\31.exe
"C:\Users\Admin\Desktop\anal\31.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A8E8.tmp\A966.tmp\A967.bat C:\Users\Admin\Desktop\anal\31.exe"
  2⤵
  PID:5048
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"
    3⤵
    PID:7896
- - C:\Users\Admin\AppData\Roaming\2.exe
    C:\Users\Admin\AppData\Roaming\2.exe
    3⤵
    PID:8020
  - - C:\Users\Admin\AppData\Roaming\2.exe
      C:\Users\Admin\AppData\Roaming\2.exe
      4⤵
      PID:7608
- - C:\Users\Admin\AppData\Roaming\3.exe
    C:\Users\Admin\AppData\Roaming\3.exe
    3⤵
    PID:8076
- - C:\Users\Admin\AppData\Roaming\4.exe
    C:\Users\Admin\AppData\Roaming\4.exe
    3⤵
    PID:7756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7756 -s 740
      4⤵
      Program crash
      PID:8872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7756 -s 848
      4⤵
      Program crash
      PID:8552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7756 -s 856
      4⤵
      Program crash
      PID:9376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7756 -s 792
      4⤵
      Program crash
      PID:10208
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@7756
      4⤵
      PID:2568
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f0
        5⤵
        
        PID:8080
- - C:\Users\Admin\AppData\Roaming\5.exe
    C:\Users\Admin\AppData\Roaming\5.exe
    3⤵
    PID:6344
- - C:\Users\Admin\AppData\Roaming\6.exe
    C:\Users\Admin\AppData\Roaming\6.exe
    3⤵
    PID:7732
- - C:\Users\Admin\AppData\Roaming\7.exe
    C:\Users\Admin\AppData\Roaming\7.exe
    3⤵
    PID:8500
- - C:\Users\Admin\AppData\Roaming\8.exe
    C:\Users\Admin\AppData\Roaming\8.exe
    3⤵
    PID:8848
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"
      4⤵
      PID:5160
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"
        5⤵
        
        PID:6184
  - - C:\Users\Admin\AppData\Roaming\feeed.exe
      "C:\Users\Admin\AppData\Roaming\feeed.exe"
      4⤵
      PID:2440
- - C:\Users\Admin\AppData\Roaming\9.exe
    C:\Users\Admin\AppData\Roaming\9.exe
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWTxgR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE408.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7432
  - - C:\Users\Admin\AppData\Roaming\9.exe
      "{path}"
      4⤵
      PID:6392
- - C:\Users\Admin\AppData\Roaming\10.exe
    C:\Users\Admin\AppData\Roaming\10.exe
    3⤵
    PID:8760
- - C:\Users\Admin\AppData\Roaming\11.exe
    C:\Users\Admin\AppData\Roaming\11.exe
    3⤵
    PID:1672
- - C:\Users\Admin\AppData\Roaming\12.exe
    C:\Users\Admin\AppData\Roaming\12.exe
    3⤵
    PID:6756
- - C:\Users\Admin\AppData\Roaming\13.exe
    C:\Users\Admin\AppData\Roaming\13.exe
    3⤵
    PID:8780
- - C:\Users\Admin\AppData\Roaming\14.exe
    C:\Users\Admin\AppData\Roaming\14.exe
    3⤵
    PID:1188
- - C:\Users\Admin\AppData\Roaming\15.exe
    C:\Users\Admin\AppData\Roaming\15.exe
    3⤵
    PID:8972
- - C:\Users\Admin\AppData\Roaming\16.exe
    C:\Users\Admin\AppData\Roaming\16.exe
    3⤵
    PID:6936
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:8296
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:9464
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:8824
- - C:\Users\Admin\AppData\Roaming\17.exe
    C:\Users\Admin\AppData\Roaming\17.exe
    3⤵
    PID:7332
- - C:\Users\Admin\AppData\Roaming\18.exe
    C:\Users\Admin\AppData\Roaming\18.exe
    3⤵
    PID:10088
- - C:\Users\Admin\AppData\Roaming\19.exe
    C:\Users\Admin\AppData\Roaming\19.exe
    3⤵
    PID:9752
- - C:\Users\Admin\AppData\Roaming\20.exe
    C:\Users\Admin\AppData\Roaming\20.exe
    3⤵
    PID:3180
- - C:\Users\Admin\AppData\Roaming\21.exe
    C:\Users\Admin\AppData\Roaming\21.exe
    3⤵
    PID:7504
  - - C:\Users\Admin\AppData\Roaming\21.exe
      "{path}"
      4⤵
      PID:2388
  - - C:\Users\Admin\AppData\Roaming\21.exe
      "{path}"
      4⤵
      PID:1224
- - C:\Users\Admin\AppData\Roaming\22.exe
    C:\Users\Admin\AppData\Roaming\22.exe
    3⤵
    PID:8676
- - C:\Users\Admin\AppData\Roaming\23.exe
    C:\Users\Admin\AppData\Roaming\23.exe
    3⤵
    PID:4300
- - C:\Users\Admin\AppData\Roaming\24.exe
    C:\Users\Admin\AppData\Roaming\24.exe
    3⤵
    PID:9164
- - C:\Users\Admin\AppData\Roaming\25.exe
    C:\Users\Admin\AppData\Roaming\25.exe
    3⤵
    PID:8092
- - C:\Users\Admin\AppData\Roaming\26.exe
    C:\Users\Admin\AppData\Roaming\26.exe
    3⤵
    PID:8432
- - C:\Users\Admin\AppData\Roaming\27.exe
    C:\Users\Admin\AppData\Roaming\27.exe
    3⤵
    PID:7936
  - - C:\Users\Admin\AppData\Roaming\27.exe
      C:\Users\Admin\AppData\Roaming\27.exe /C
      4⤵
      PID:7420
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Ifouauwioue\ipjvfmvr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Ifouauwioue\ipjvfmvr.exe
      4⤵
      PID:5148
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ymimzfduru /tr "\"C:\Users\Admin\AppData\Roaming\27.exe\" /I ymimzfduru" /SC ONCE /Z /ST 02:30 /ET 02:42
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:11596
- - C:\Users\Admin\AppData\Roaming\28.exe
    C:\Users\Admin\AppData\Roaming\28.exe
    3⤵
    PID:5780
- - C:\Users\Admin\AppData\Roaming\29.exe
    C:\Users\Admin\AppData\Roaming\29.exe
    3⤵
    PID:7204
- - C:\Users\Admin\AppData\Roaming\30.exe
    C:\Users\Admin\AppData\Roaming\30.exe
    3⤵
    PID:7192
- - C:\Users\Admin\AppData\Roaming\31.exe
    C:\Users\Admin\AppData\Roaming\31.exe
    3⤵
    PID:200

C:\Users\Admin\Desktop\anal\file.exe
"C:\Users\Admin\Desktop\anal\file.exe"
1⤵
PID:4544
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\skpxe0bs.cmdline"
  2⤵
  PID:4844
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vqgzr91n.cmdline"
  2⤵
  PID:1500
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5342.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA68381034A884FA09A5EB13E751394.TMP"
    3⤵
    PID:6944
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4g6kiuj.cmdline"
  2⤵
  PID:8728
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7679.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5879B18A6E524EC6AD7A6B2B8A193651.TMP"
    3⤵
    PID:9144
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lxsvwanv.cmdline"
  2⤵
  PID:7084
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9636.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc876393761E734EB29B176369B490777.TMP"
    3⤵
    PID:10096
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xcb7-oce.cmdline"
  2⤵
  PID:9768
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B49AA9F1DEB4E7BB466DD4FA1295712.TMP"
    3⤵
    PID:8532
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tsbssuww.cmdline"
  2⤵
  PID:9840
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3C8BD8CC30646DCA521A2E83352A9B.TMP"
    3⤵
    PID:10132
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\io4brlod.cmdline"
  2⤵
  PID:5856
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7A5FB858C4B4F57B58810D987B89810.TMP"
    3⤵
    PID:9520
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xquetjqv.cmdline"
  2⤵
  PID:5188
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES510A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD95C0CEEC09A45AEACED8BB0E79D244D.TMP"
    3⤵
    PID:8412
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lzppkph9.cmdline"
  2⤵
  PID:7572
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES777E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C318DC3AE0047298FEB887D4B54F8A7.TMP"
    3⤵
    PID:6560
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cp_dl_0v.cmdline"
  2⤵
  PID:4204
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC53E047F15DF4D4299BFF15E925BC930.TMP"
    3⤵
    PID:8412
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\riymahjr.cmdline"
  2⤵
  PID:10052
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE2C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc504766FC16E44321BE37D7D1F285BD57.TMP"
    3⤵
    PID:1508
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fwfhl8yb.cmdline"
  2⤵
  PID:5584
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF21.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3EA930E236E4B7CB5404B662F2B80EE.TMP"
    3⤵
    PID:6856
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iwwswyz4.cmdline"
  2⤵
  PID:8660
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF614.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBEFF81E404D4309BB34F5CC67E3B488.TMP"
    3⤵
    PID:10060
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dx2nzivn.cmdline"
  2⤵
  PID:9112
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0AC4B43DE234E83AE574673D6FF8516.TMP"
    3⤵
    PID:9008
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r5ehzp5h.cmdline"
  2⤵
  PID:3288
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACC68693D6174F5D9719D0A9B927871B.TMP"
    3⤵
    PID:5496
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5br8m1s3.cmdline"
  2⤵
  PID:10676
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc86502D4BBCB248B4BCD2FBCA7802D0.TMP"
    3⤵
    PID:10188
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sya0-owb.cmdline"
  2⤵
  PID:9676
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES698F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc104B440AE8074546A85F2D62EE932A44.TMP"
    3⤵
    PID:2980
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kk2kvk4g.cmdline"
  2⤵
  PID:8792
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9264.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3AEC5503C9F4866A46213843CBB70AF.TMP"
    3⤵
    PID:11872

C:\Users\Admin\Desktop\anal\XClient.exe
"C:\Users\Admin\Desktop\anal\XClient.exe"
1⤵
PID:2332

C:\Users\Admin\Desktop\anal\Azorult.exe
"C:\Users\Admin\Desktop\anal\Azorult.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4976
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  PID:7720
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    PID:7560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      PID:7832
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:8976
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:9064
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:10160
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        
        PID:11524
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        
        PID:7660
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    PID:7856
  - - C:\Program Files (x86)\Windows Mail\WinMail.exe
      "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
      4⤵
      PID:4868
    - - C:\Program Files\Windows Mail\WinMail.exe
        
        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
        5⤵
        
        PID:10116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:8868
- C:\ProgramData\install\sys.exe
  C:\ProgramData\install\sys.exe
  2⤵
  PID:5384
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  PID:9856
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    PID:9480
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      PID:8388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
      4⤵
      PID:10136
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:9664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
      4⤵
      PID:7252
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:7332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
      4⤵
      PID:7460
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
        5⤵
        Modifies file permissions
        
        PID:7388
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      PID:5372
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:5684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        
        PID:8272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appidsvc
      4⤵
      PID:7156
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appidsvc
        5⤵
        Launches sc.exe
        
        PID:6300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appmgmt
      4⤵
      PID:2320
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appmgmt
        5⤵
        Launches sc.exe
        
        PID:5980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
      4⤵
      PID:10360
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appidsvc start= auto
        5⤵
        Launches sc.exe
        
        PID:5820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
      4⤵
      PID:8100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:9776
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    - Launches sc.exe
    PID:4044

C:\Users\Admin\Desktop\anal\BlackMoon.exe
"C:\Users\Admin\Desktop\anal\BlackMoon.exe"
1⤵
PID:4388
- \??\c:\rjhth.exe
  c:\rjhth.exe
  2⤵
  PID:3148
- - \??\c:\lbxdlxt.exe
    c:\lbxdlxt.exe
    3⤵
    PID:2948
  - - \??\c:\llfhxx.exe
      c:\llfhxx.exe
      4⤵
      PID:5892
    - - \??\c:\lnplr.exe
        
        c:\lnplr.exe
        5⤵
        
        PID:2900
      - \??\c:\txpxvnh.exe
        
        c:\txpxvnh.exe
        6⤵
        
        PID:3528
        
        \??\c:\hlprfb.exe
        
        c:\hlprfb.exe
        7⤵
        
        PID:1364
        
        \??\c:\jbnlhvd.exe
        
        c:\jbnlhvd.exe
        8⤵
        
        PID:5164
        
        \??\c:\xbxbpr.exe
        
        c:\xbxbpr.exe
        9⤵
        
        PID:6308
        
        \??\c:\nrppvb.exe
        
        c:\nrppvb.exe
        10⤵
        
        PID:6504
        
        \??\c:\xtvpfxx.exe
        
        c:\xtvpfxx.exe
        11⤵
        
        PID:7144
        
        \??\c:\njlfn.exe
        
        c:\njlfn.exe
        12⤵
        
        PID:6532
        
        \??\c:\ppltv.exe
        
        c:\ppltv.exe
        13⤵
        
        PID:6280
        
        \??\c:\lxnnl.exe
        
        c:\lxnnl.exe
        14⤵
        
        PID:6500
        
        \??\c:\lttrfxv.exe
        
        c:\lttrfxv.exe
        15⤵
        
        PID:6720
        
        \??\c:\fllhjtf.exe
        
        c:\fllhjtf.exe
        16⤵
        
        PID:6308
        
        \??\c:\fbpnxb.exe
        
        c:\fbpnxb.exe
        17⤵
        
        PID:1216
        
        \??\c:\dnvjph.exe
        
        c:\dnvjph.exe
        18⤵
        
        PID:7136
        
        \??\c:\ftdvrj.exe
        
        c:\ftdvrj.exe
        19⤵
        
        PID:6948
        
        \??\c:\rvxtn.exe
        
        c:\rvxtn.exe
        20⤵
        
        PID:6728
        
        \??\c:\fdvbtfb.exe
        
        c:\fdvbtfb.exe
        21⤵
        
        PID:6692
        
        \??\c:\tjrhbdx.exe
        
        c:\tjrhbdx.exe
        22⤵
        
        PID:6332
        
        \??\c:\rblfjx.exe
        
        c:\rblfjx.exe
        23⤵
        
        PID:1828
        
        \??\c:\ljjlpv.exe
        
        c:\ljjlpv.exe
        24⤵
        
        PID:5924
        
        \??\c:\vdhnd.exe
        
        c:\vdhnd.exe
        25⤵
        
        PID:6532
        
        \??\c:\jfdbvp.exe
        
        c:\jfdbvp.exe
        26⤵
        
        PID:7180
        
        \??\c:\tfrrrj.exe
        
        c:\tfrrrj.exe
        27⤵
        
        PID:7452
        
        \??\c:\ffpptl.exe
        
        c:\ffpptl.exe
        28⤵
        
        PID:7524
        
        \??\c:\hxhfn.exe
        
        c:\hxhfn.exe
        29⤵
        
        PID:7636
        
        \??\c:\jjhflbr.exe
        
        c:\jjhflbr.exe
        30⤵
        
        PID:7748
        
        \??\c:\pljvd.exe
        
        c:\pljvd.exe
        31⤵
        
        PID:7840
        
        \??\c:\nnjlf.exe
        
        c:\nnjlf.exe
        32⤵
        
        PID:7916
        
        \??\c:\xvjfpt.exe
        
        c:\xvjfpt.exe
        33⤵
        
        PID:8044
        
        \??\c:\dvvvxf.exe
        
        c:\dvvvxf.exe
        34⤵
        
        PID:6332
        
        \??\c:\bvdnb.exe
        
        c:\bvdnb.exe
        35⤵
        
        PID:6536
        
        \??\c:\rtndf.exe
        
        c:\rtndf.exe
        36⤵
        
        PID:7352
        
        \??\c:\dtplx.exe
        
        c:\dtplx.exe
        37⤵
        
        PID:7516
        
        \??\c:\ftprhj.exe
        
        c:\ftprhj.exe
        38⤵
        
        PID:7868
        
        \??\c:\rndpbpn.exe
        
        c:\rndpbpn.exe
        39⤵
        
        PID:7816
        
        \??\c:\hxjxj.exe
        
        c:\hxjxj.exe
        40⤵
        
        PID:4044
        
        \??\c:\nxvjdb.exe
        
        c:\nxvjdb.exe
        41⤵
        
        PID:7388
        
        \??\c:\trdjp.exe
        
        c:\trdjp.exe
        42⤵
        
        PID:7580
        
        \??\c:\jnxtbp.exe
        
        c:\jnxtbp.exe
        43⤵
        
        PID:7904
        
        \??\c:\phxbj.exe
        
        c:\phxbj.exe
        44⤵
        
        PID:6820
        
        \??\c:\dffnnxn.exe
        
        c:\dffnnxn.exe
        45⤵
        
        PID:7984
        
        \??\c:\fjrrxv.exe
        
        c:\fjrrxv.exe
        46⤵
        
        PID:7632
        
        \??\c:\bxxtplv.exe
        
        c:\bxxtplv.exe
        47⤵
        
        PID:2084
        
        \??\c:\hntdr.exe
        
        c:\hntdr.exe
        48⤵
        
        PID:7828
        
        \??\c:\bhjxhtv.exe
        
        c:\bhjxhtv.exe
        49⤵
        
        PID:7256
        
        \??\c:\pbdnpn.exe
        
        c:\pbdnpn.exe
        50⤵
        
        PID:2988
        
        \??\c:\vdvjffp.exe
        
        c:\vdvjffp.exe
        51⤵
        
        PID:7164
        
        \??\c:\vfpplpx.exe
        
        c:\vfpplpx.exe
        52⤵
        
        PID:8040
        
        \??\c:\ttbvjx.exe
        
        c:\ttbvjx.exe
        53⤵
        
        PID:8068
        
        \??\c:\jljtpxb.exe
        
        c:\jljtpxb.exe
        54⤵
        
        PID:2208
        
        \??\c:\fdfhpt.exe
        
        c:\fdfhpt.exe
        55⤵
        
        PID:7744
        
        \??\c:\fjxvlh.exe
        
        c:\fjxvlh.exe
        56⤵
        
        PID:3816
        
        \??\c:\hjjrf.exe
        
        c:\hjjrf.exe
        57⤵
        
        PID:7768
        
        \??\c:\hjlfxd.exe
        
        c:\hjlfxd.exe
        58⤵
        
        PID:7920
        
        \??\c:\pvhpfdj.exe
        
        c:\pvhpfdj.exe
        59⤵
        
        PID:8104
        
        \??\c:\ddtxltn.exe
        
        c:\ddtxltn.exe
        60⤵
        
        PID:7212
        
        \??\c:\nbpxx.exe
        
        c:\nbpxx.exe
        61⤵
        
        PID:7768
        
        \??\c:\xjjlpd.exe
        
        c:\xjjlpd.exe
        62⤵
        
        PID:7688
        
        \??\c:\vddptln.exe
        
        c:\vddptln.exe
        63⤵
        
        PID:3380
        
        \??\c:\xnlfj.exe
        
        c:\xnlfj.exe
        64⤵
        
        PID:7944
        
        \??\c:\bvltttr.exe
        
        c:\bvltttr.exe
        65⤵
        
        PID:2984
        
        \??\c:\btbxfh.exe
        
        c:\btbxfh.exe
        66⤵
        
        PID:8224
        
        \??\c:\lxnlhlr.exe
        
        c:\lxnlhlr.exe
        67⤵
        
        PID:8320
        
        \??\c:\tbhxhxx.exe
        
        c:\tbhxhxx.exe
        68⤵
        
        PID:8356
        
        \??\c:\tdjffpj.exe
        
        c:\tdjffpj.exe
        69⤵
        
        PID:8432
        
        \??\c:\dfrdn.exe
        
        c:\dfrdn.exe
        70⤵
        
        PID:8488
        
        \??\c:\jdpjvth.exe
        
        c:\jdpjvth.exe
        71⤵
        
        PID:8604
        
        \??\c:\jjpvrll.exe
        
        c:\jjpvrll.exe
        72⤵
        
        PID:8660
        
        \??\c:\lnrhv.exe
        
        c:\lnrhv.exe
        73⤵
        
        PID:8740
        
        \??\c:\vnbrnnp.exe
        
        c:\vnbrnnp.exe
        74⤵
        
        PID:8780
        
        \??\c:\fxllrl.exe
        
        c:\fxllrl.exe
        75⤵
        
        PID:8808
        
        \??\c:\pbphrjd.exe
        
        c:\pbphrjd.exe
        76⤵
        
        PID:8836
        
        \??\c:\rdnflrt.exe
        
        c:\rdnflrt.exe
        77⤵
        
        PID:8924
        
        \??\c:\jljlb.exe
        
        c:\jljlb.exe
        78⤵
        
        PID:9136
        
        \??\c:\hbvptt.exe
        
        c:\hbvptt.exe
        79⤵
        
        PID:5064
        
        \??\c:\jxfpdj.exe
        
        c:\jxfpdj.exe
        80⤵
        
        PID:7492
        
        \??\c:\hprfdpl.exe
        
        c:\hprfdpl.exe
        81⤵
        
        PID:8216
        
        \??\c:\nnthprh.exe
        
        c:\nnthprh.exe
        82⤵
        
        PID:8408
        
        \??\c:\nhhddxr.exe
        
        c:\nhhddxr.exe
        83⤵
        
        PID:5884
        
        \??\c:\frlnnp.exe
        
        c:\frlnnp.exe
        84⤵
        
        PID:8608
        
        \??\c:\brpjpb.exe
        
        c:\brpjpb.exe
        85⤵
        
        PID:8716
        
        \??\c:\ptvhbnx.exe
        
        c:\ptvhbnx.exe
        86⤵
        
        PID:8764
        
        \??\c:\bbdlr.exe
        
        c:\bbdlr.exe
        87⤵
        
        PID:8884
        
        \??\c:\jfddh.exe
        
        c:\jfddh.exe
        88⤵
        
        PID:9128
        
        \??\c:\dhjxhl.exe
        
        c:\dhjxhl.exe
        89⤵
        
        PID:9196
        
        \??\c:\vxjrpx.exe
        
        c:\vxjrpx.exe
        90⤵
        
        PID:7724
        
        \??\c:\fxbvh.exe
        
        c:\fxbvh.exe
        91⤵
        
        PID:8388
        
        \??\c:\fjtdx.exe
        
        c:\fjtdx.exe
        92⤵
        
        PID:5660
        
        \??\c:\bjtph.exe
        
        c:\bjtph.exe
        93⤵
        
        PID:8676
        
        \??\c:\lrfdnlh.exe
        
        c:\lrfdnlh.exe
        94⤵
        
        PID:2928
        
        \??\c:\vjtxblr.exe
        
        c:\vjtxblr.exe
        95⤵
        
        PID:8744
        
        \??\c:\pdbfllx.exe
        
        c:\pdbfllx.exe
        96⤵
        
        PID:3148
        
        \??\c:\bpxvt.exe
        
        c:\bpxvt.exe
        97⤵
        
        PID:6460
        
        \??\c:\pnljp.exe
        
        c:\pnljp.exe
        98⤵
        
        PID:5596
        
        \??\c:\pblxxt.exe
        
        c:\pblxxt.exe
        99⤵
        
        PID:8272
        
        \??\c:\dhthjfh.exe
        
        c:\dhthjfh.exe
        100⤵
        
        PID:7724
        
        \??\c:\tthhf.exe
        
        c:\tthhf.exe
        101⤵
        
        PID:3812
        
        \??\c:\btrpdl.exe
        
        c:\btrpdl.exe
        102⤵
        
        PID:3500
        
        \??\c:\vnnfv.exe
        
        c:\vnnfv.exe
        103⤵
        
        PID:6196
        
        \??\c:\pjnvvlt.exe
        
        c:\pjnvvlt.exe
        104⤵
        
        PID:8828
        
        \??\c:\xtdhhj.exe
        
        c:\xtdhhj.exe
        105⤵
        
        PID:5356
        
        \??\c:\nhfnnt.exe
        
        c:\nhfnnt.exe
        106⤵
        
        PID:9084
        
        \??\c:\flvxdh.exe
        
        c:\flvxdh.exe
        107⤵
        
        PID:6948
        
        \??\c:\jltftl.exe
        
        c:\jltftl.exe
        108⤵
        
        PID:8356
        
        \??\c:\trxjlx.exe
        
        c:\trxjlx.exe
        109⤵
        
        PID:8256
        
        \??\c:\tpvpj.exe
        
        c:\tpvpj.exe
        110⤵
        
        PID:8296
        
        \??\c:\bnfbbnv.exe
        
        c:\bnfbbnv.exe
        111⤵
        
        PID:8320
        
        \??\c:\jhdvj.exe
        
        c:\jhdvj.exe
        112⤵
        
        PID:8400
        
        \??\c:\xrpfht.exe
        
        c:\xrpfht.exe
        113⤵
        
        PID:7276
        
        \??\c:\tdbrbrn.exe
        
        c:\tdbrbrn.exe
        114⤵
        
        PID:360
        
        \??\c:\jvphxf.exe
        
        c:\jvphxf.exe
        115⤵
        
        PID:8932
        
        \??\c:\rhfbnd.exe
        
        c:\rhfbnd.exe
        116⤵
        
        PID:9036
        
        \??\c:\lbdbr.exe
        
        c:\lbdbr.exe
        117⤵
        
        PID:7684
        
        \??\c:\ddnlb.exe
        
        c:\ddnlb.exe
        118⤵
        
        PID:7068
        
        \??\c:\ldljpv.exe
        
        c:\ldljpv.exe
        119⤵
        
        PID:3048
        
        \??\c:\vvtjx.exe
        
        c:\vvtjx.exe
        120⤵
        
        PID:6168
        
        \??\c:\jnrjptf.exe
        
        c:\jnrjptf.exe
        121⤵
        
        PID:7536
        
        \??\c:\jpnhl.exe
        
        c:\jpnhl.exe
        122⤵
        
        PID:10140
        
        \??\c:\xtjdl.exe
        
        c:\xtjdl.exe
        123⤵
        
        PID:8272
        
        \??\c:\lhhbtjn.exe
        
        c:\lhhbtjn.exe
        124⤵
        
        PID:9864
        
        \??\c:\hrldjxx.exe
        
        c:\hrldjxx.exe
        125⤵
        
        PID:7680
        
        \??\c:\nhlxpb.exe
        
        c:\nhlxpb.exe
        126⤵
        
        PID:7404
        
        \??\c:\bdfxtbn.exe
        
        c:\bdfxtbn.exe
        127⤵
        
        PID:6148
        
        \??\c:\htjfr.exe
        
        c:\htjfr.exe
        128⤵
        
        PID:5172
        
        \??\c:\rhhrdjj.exe
        
        c:\rhhrdjj.exe
        129⤵
        
        PID:3876
        
        \??\c:\xdjxxpl.exe
        
        c:\xdjxxpl.exe
        130⤵
        
        PID:4248
        
        \??\c:\lttljb.exe
        
        c:\lttljb.exe
        131⤵
        
        PID:6348
        
        \??\c:\xvfxf.exe
        
        c:\xvfxf.exe
        132⤵
        
        PID:9168
        
        \??\c:\hvdxpxj.exe
        
        c:\hvdxpxj.exe
        133⤵
        
        PID:8920
        
        \??\c:\vfhrvrh.exe
        
        c:\vfhrvrh.exe
        134⤵
        
        PID:9180
        
        \??\c:\xlvfr.exe
        
        c:\xlvfr.exe
        135⤵
        
        PID:9760
        
        \??\c:\vtdnpl.exe
        
        c:\vtdnpl.exe
        136⤵
        
        PID:9788
        
        \??\c:\rtxfxfl.exe
        
        c:\rtxfxfl.exe
        137⤵
        
        PID:5864
        
        \??\c:\rvvflvh.exe
        
        c:\rvvflvh.exe
        138⤵
        
        PID:8224
        
        \??\c:\pbxdftn.exe
        
        c:\pbxdftn.exe
        139⤵
        
        PID:10020
        
        \??\c:\rtnjt.exe
        
        c:\rtnjt.exe
        140⤵
        
        PID:8472
        
        \??\c:\pprvfl.exe
        
        c:\pprvfl.exe
        141⤵
        
        PID:9264
        
        \??\c:\xfdpl.exe
        
        c:\xfdpl.exe
        142⤵
        
        PID:8112
        
        \??\c:\pnfjf.exe
        
        c:\pnfjf.exe
        143⤵
        
        PID:7380
        
        \??\c:\jdvljxr.exe
        
        c:\jdvljxr.exe
        144⤵
        
        PID:5996
        
        \??\c:\vhbdfn.exe
        
        c:\vhbdfn.exe
        145⤵
        
        PID:9920
        
        \??\c:\hdvnf.exe
        
        c:\hdvnf.exe
        146⤵
        
        PID:7344
        
        \??\c:\rjppjj.exe
        
        c:\rjppjj.exe
        147⤵
        
        PID:4568
        
        \??\c:\dlbdd.exe
        
        c:\dlbdd.exe
        148⤵
        
        PID:9448
        
        \??\c:\xxthvj.exe
        
        c:\xxthvj.exe
        149⤵
        
        PID:1872
        
        \??\c:\vxtjld.exe
        
        c:\vxtjld.exe
        150⤵
        
        PID:7148
        
        \??\c:\hdnrhdt.exe
        
        c:\hdnrhdt.exe
        151⤵
        
        PID:208
        
        \??\c:\flrhhth.exe
        
        c:\flrhhth.exe
        152⤵
        
        PID:7916
        
        \??\c:\bltvxjv.exe
        
        c:\bltvxjv.exe
        153⤵
        
        PID:9388
        
        \??\c:\lxdxlr.exe
        
        c:\lxdxlr.exe
        154⤵
        
        PID:8472
        
        \??\c:\xbrdfbr.exe
        
        c:\xbrdfbr.exe
        155⤵
        
        PID:7836
        
        \??\c:\fjphl.exe
        
        c:\fjphl.exe
        156⤵
        
        PID:6368
        
        \??\c:\fphfdph.exe
        
        c:\fphfdph.exe
        157⤵
        
        PID:8572
        
        \??\c:\vdfbtj.exe
        
        c:\vdfbtj.exe
        158⤵
        
        PID:4252
        
        \??\c:\rhrllth.exe
        
        c:\rhrllth.exe
        159⤵
        
        PID:3068
        
        \??\c:\pvddvn.exe
        
        c:\pvddvn.exe
        160⤵
        
        PID:8556
        
        \??\c:\rnlpjn.exe
        
        c:\rnlpjn.exe
        161⤵
        
        PID:9840
        
        \??\c:\rvthx.exe
        
        c:\rvthx.exe
        162⤵
        
        PID:9532
        
        \??\c:\lvbtpnx.exe
        
        c:\lvbtpnx.exe
        163⤵
        
        PID:7844
        
        \??\c:\vpjhdb.exe
        
        c:\vpjhdb.exe
        164⤵
        
        PID:3172
        
        \??\c:\dbvvtl.exe
        
        c:\dbvvtl.exe
        165⤵
        
        PID:7496
        
        \??\c:\phndn.exe
        
        c:\phndn.exe
        166⤵
        
        PID:9004
        
        \??\c:\rrnll.exe
        
        c:\rrnll.exe
        167⤵
        
        PID:8396
        
        \??\c:\jphrdtj.exe
        
        c:\jphrdtj.exe
        168⤵
        
        PID:6068
        
        \??\c:\vfhxtdr.exe
        
        c:\vfhxtdr.exe
        169⤵
        
        PID:9956
        
        \??\c:\pxttx.exe
        
        c:\pxttx.exe
        170⤵
        
        PID:444
        
        \??\c:\xnltrfd.exe
        
        c:\xnltrfd.exe
        171⤵
        
        PID:8384
        
        \??\c:\fdlhjh.exe
        
        c:\fdlhjh.exe
        172⤵
        
        PID:9664
        
        \??\c:\bftdhfv.exe
        
        c:\bftdhfv.exe
        173⤵
        
        PID:6332
        
        \??\c:\jrdljjv.exe
        
        c:\jrdljjv.exe
        174⤵
        
        PID:8264
        
        \??\c:\dpvptnn.exe
        
        c:\dpvptnn.exe
        175⤵
        
        PID:8532
        
        \??\c:\llfdv.exe
        
        c:\llfdv.exe
        176⤵
        
        PID:7492
        
        \??\c:\fjxvbj.exe
        
        c:\fjxvbj.exe
        177⤵
        
        PID:6788
        
        \??\c:\njhdvh.exe
        
        c:\njhdvh.exe
        178⤵
        
        PID:6760
        
        \??\c:\pfrpp.exe
        
        c:\pfrpp.exe
        179⤵
        
        PID:764
        
        \??\c:\hdxppd.exe
        
        c:\hdxppd.exe
        180⤵
        
        PID:5896
        
        \??\c:\pjtnjnl.exe
        
        c:\pjtnjnl.exe
        181⤵
        
        PID:9412
        
        \??\c:\vfvvd.exe
        
        c:\vfvvd.exe
        182⤵
        
        PID:748
        
        \??\c:\pvpdj.exe
        
        c:\pvpdj.exe
        183⤵
        
        PID:9244
        
        \??\c:\jhtlxbr.exe
        
        c:\jhtlxbr.exe
        184⤵
        
        PID:5444
        
        \??\c:\vhjjrb.exe
        
        c:\vhjjrb.exe
        185⤵
        
        PID:8900
        
        \??\c:\dppffft.exe
        
        c:\dppffft.exe
        186⤵
        
        PID:8244
        
        \??\c:\llrtlv.exe
        
        c:\llrtlv.exe
        187⤵
        
        PID:7144
        
        \??\c:\blrlpf.exe
        
        c:\blrlpf.exe
        188⤵
        
        PID:7356
        
        \??\c:\xxhrr.exe
        
        c:\xxhrr.exe
        189⤵
        
        PID:8656
        
        \??\c:\flrjfld.exe
        
        c:\flrjfld.exe
        190⤵
        
        PID:1716
        
        \??\c:\tpxdxbb.exe
        
        c:\tpxdxbb.exe
        191⤵
        
        PID:4168
        
        \??\c:\pxnbrhp.exe
        
        c:\pxnbrhp.exe
        192⤵
        
        PID:6560
        
        \??\c:\thnjjj.exe
        
        c:\thnjjj.exe
        193⤵
        
        PID:8088
        
        \??\c:\pphbfp.exe
        
        c:\pphbfp.exe
        194⤵
        
        PID:2156
        
        \??\c:\dppftnn.exe
        
        c:\dppftnn.exe
        195⤵
        
        PID:9044
        
        \??\c:\jpphbbt.exe
        
        c:\jpphbbt.exe
        196⤵
        
        PID:6248
        
        \??\c:\htphbj.exe
        
        c:\htphbj.exe
        197⤵
        
        PID:7968
        
        \??\c:\rxhhj.exe
        
        c:\rxhhj.exe
        198⤵
        
        PID:9816
        
        \??\c:\rddhpr.exe
        
        c:\rddhpr.exe
        199⤵
        
        PID:5568
        
        \??\c:\tltjn.exe
        
        c:\tltjn.exe
        200⤵
        
        PID:8180
        
        \??\c:\hnfbp.exe
        
        c:\hnfbp.exe
        201⤵
        
        PID:10184
        
        \??\c:\jttfvxp.exe
        
        c:\jttfvxp.exe
        202⤵
        
        PID:10164
        
        \??\c:\frhpfdn.exe
        
        c:\frhpfdn.exe
        203⤵
        
        PID:6856
        
        \??\c:\vplfhfj.exe
        
        c:\vplfhfj.exe
        204⤵
        
        PID:9716
        
        \??\c:\tpdjlrx.exe
        
        c:\tpdjlrx.exe
        205⤵
        
        PID:8364
        
        \??\c:\tdrbjjf.exe
        
        c:\tdrbjjf.exe
        206⤵
        
        PID:7984
        
        \??\c:\nvltx.exe
        
        c:\nvltx.exe
        207⤵
        
        PID:2864
        
        \??\c:\vpfnpd.exe
        
        c:\vpfnpd.exe
        208⤵
        
        PID:9080
        
        \??\c:\jfdfx.exe
        
        c:\jfdfx.exe
        209⤵
        
        PID:204
        
        \??\c:\pdrbnb.exe
        
        c:\pdrbnb.exe
        210⤵
        
        PID:9264
        
        \??\c:\ljfpj.exe
        
        c:\ljfpj.exe
        211⤵
        
        PID:9468
        
        \??\c:\ldtnhf.exe
        
        c:\ldtnhf.exe
        212⤵
        
        PID:8964
        
        \??\c:\lfhhf.exe
        
        c:\lfhhf.exe
        213⤵
        
        PID:7492
        
        \??\c:\pxrxp.exe
        
        c:\pxrxp.exe
        214⤵
        
        PID:408
        
        \??\c:\rfhdbd.exe
        
        c:\rfhdbd.exe
        215⤵
        
        PID:8204
        
        \??\c:\jdjprx.exe
        
        c:\jdjprx.exe
        216⤵
        
        PID:9460
        
        \??\c:\rrbxr.exe
        
        c:\rrbxr.exe
        217⤵
        
        PID:5516
        
        \??\c:\jhfppt.exe
        
        c:\jhfppt.exe
        218⤵
        
        PID:10028
        
        \??\c:\rdjfndp.exe
        
        c:\rdjfndp.exe
        219⤵
        
        PID:5668
        
        \??\c:\vlbht.exe
        
        c:\vlbht.exe
        220⤵
        
        PID:7976
        
        \??\c:\hdrjf.exe
        
        c:\hdrjf.exe
        221⤵
        
        PID:6356
        
        \??\c:\rfvnfv.exe
        
        c:\rfvnfv.exe
        222⤵
        
        PID:2036
        
        \??\c:\ftbdn.exe
        
        c:\ftbdn.exe
        223⤵
        
        PID:3168
        
        \??\c:\hhhddv.exe
        
        c:\hhhddv.exe
        224⤵
        
        PID:9484
        
        \??\c:\bnhdvt.exe
        
        c:\bnhdvt.exe
        225⤵
        
        PID:5444
        
        \??\c:\xldpr.exe
        
        c:\xldpr.exe
        226⤵
        
        PID:9932
        
        \??\c:\hhnnjl.exe
        
        c:\hhnnjl.exe
        227⤵
        
        PID:1564
        
        \??\c:\lfbtf.exe
        
        c:\lfbtf.exe
        228⤵
        
        PID:3172
        
        \??\c:\pltrnnl.exe
        
        c:\pltrnnl.exe
        229⤵
        
        PID:7084
        
        \??\c:\dblntj.exe
        
        c:\dblntj.exe
        230⤵
        
        PID:7280
        
        \??\c:\dhrlj.exe
        
        c:\dhrlj.exe
        231⤵
        
        PID:1312
        
        \??\c:\tllbh.exe
        
        c:\tllbh.exe
        232⤵
        
        PID:9072
        
        \??\c:\xrjhj.exe
        
        c:\xrjhj.exe
        233⤵
        
        PID:6336
        
        \??\c:\tpjhnfp.exe
        
        c:\tpjhnfp.exe
        234⤵
        
        PID:8636
        
        \??\c:\pnpjv.exe
        
        c:\pnpjv.exe
        235⤵
        
        PID:10028
        
        \??\c:\fbndb.exe
        
        c:\fbndb.exe
        236⤵
        
        PID:4704
        
        \??\c:\thvtt.exe
        
        c:\thvtt.exe
        237⤵
        
        PID:10004
        
        \??\c:\btrhdd.exe
        
        c:\btrhdd.exe
        238⤵
        
        PID:9048
        
        \??\c:\rjbdv.exe
        
        c:\rjbdv.exe
        239⤵
        
        PID:5544
        
        \??\c:\drlvfp.exe
        
        c:\drlvfp.exe
        240⤵
        
        PID:2568
        
        \??\c:\xfhpdhf.exe
        
        c:\xfhpdhf.exe
        241⤵
        
        PID:5332
        
        \??\c:\dlrlt.exe
        
        c:\dlrlt.exe
        242⤵
        
        PID:9080
        
        \??\c:\nhjrx.exe
        
        c:\nhjrx.exe
        243⤵
        
        PID:9860
        
        \??\c:\frjlnr.exe
        
        c:\frjlnr.exe
        244⤵
        
        PID:10016
        
        \??\c:\xjtxv.exe
        
        c:\xjtxv.exe
        245⤵
        
        PID:8788
        
        \??\c:\ddhdbrx.exe
        
        c:\ddhdbrx.exe
        246⤵
        
        PID:7148
        
        \??\c:\rtnvt.exe
        
        c:\rtnvt.exe
        247⤵
        
        PID:5420
        
        \??\c:\dfbjp.exe
        
        c:\dfbjp.exe
        248⤵
        
        PID:8916
        
        \??\c:\tfjdt.exe
        
        c:\tfjdt.exe
        249⤵
        
        PID:1272
        
        \??\c:\rtdxnd.exe
        
        c:\rtdxnd.exe
        250⤵
        
        PID:9416
        
        \??\c:\tjlxxf.exe
        
        c:\tjlxxf.exe
        251⤵
        
        PID:9236
        
        \??\c:\vvdlxr.exe
        
        c:\vvdlxr.exe
        252⤵
        
        PID:8328
        
        \??\c:\ppttxrj.exe
        
        c:\ppttxrj.exe
        253⤵
        
        PID:9572
        
        \??\c:\btbtjph.exe
        
        c:\btbtjph.exe
        254⤵
        
        PID:9640
        
        \??\c:\ttntpdl.exe
        
        c:\ttntpdl.exe
        255⤵
        
        PID:5516
        
        \??\c:\vhbph.exe
        
        c:\vhbph.exe
        256⤵
        
        PID:4376
        
        \??\c:\jbnxlvn.exe
        
        c:\jbnxlvn.exe
        257⤵
        
        PID:5668
        
        \??\c:\vdbvhj.exe
        
        c:\vdbvhj.exe
        258⤵
        
        PID:7860
        
        \??\c:\tvfnfbh.exe
        
        c:\tvfnfbh.exe
        259⤵
        
        PID:7544
        
        \??\c:\lfxpfpb.exe
        
        c:\lfxpfpb.exe
        260⤵
        
        PID:9564
        
        \??\c:\dftjrt.exe
        
        c:\dftjrt.exe
        261⤵
        
        PID:3504
        
        \??\c:\dblljh.exe
        
        c:\dblljh.exe
        262⤵
        
        PID:6856
        
        \??\c:\jnffp.exe
        
        c:\jnffp.exe
        263⤵
        
        PID:7264
        
        \??\c:\ljfbx.exe
        
        c:\ljfbx.exe
        264⤵
        
        PID:5600
        
        \??\c:\htjjt.exe
        
        c:\htjjt.exe
        265⤵
        
        PID:9484
        
        \??\c:\bbjdnh.exe
        
        c:\bbjdnh.exe
        266⤵
        
        PID:7176
        
        \??\c:\vjjlbb.exe
        
        c:\vjjlbb.exe
        267⤵
        
        PID:7976
        
        \??\c:\vvlbvlh.exe
        
        c:\vvlbvlh.exe
        268⤵
        
        PID:9800
        
        \??\c:\vbjxr.exe
        
        c:\vbjxr.exe
        269⤵
        
        PID:11144
        
        \??\c:\nprdphf.exe
        
        c:\nprdphf.exe
        270⤵
        
        PID:8424
        
        \??\c:\bvhpv.exe
        
        c:\bvhpv.exe
        271⤵
        
        PID:2036
        
        \??\c:\pfljl.exe
        
        c:\pfljl.exe
        272⤵
        
        PID:7244
        
        \??\c:\nlbprjf.exe
        
        c:\nlbprjf.exe
        273⤵
        
        PID:11000
        
        \??\c:\hhxrv.exe
        
        c:\hhxrv.exe
        274⤵
        
        PID:6560
        
        \??\c:\rnlrhx.exe
        
        c:\rnlrhx.exe
        275⤵
        
        PID:1412
        
        \??\c:\ftrdnx.exe
        
        c:\ftrdnx.exe
        276⤵
        
        PID:10304
        
        \??\c:\dfdvxr.exe
        
        c:\dfdvxr.exe
        277⤵
        
        PID:10540
        
        \??\c:\bxtpll.exe
        
        c:\bxtpll.exe
        278⤵
        
        PID:12032
        
        \??\c:\bxjffn.exe
        
        c:\bxjffn.exe
        279⤵
        
        PID:10688
        
        \??\c:\dhlnr.exe
        
        c:\dhlnr.exe
        280⤵
        
        PID:11416
        
        \??\c:\ddplx.exe
        
        c:\ddplx.exe
        281⤵
        
        PID:11904
        
        \??\c:\lrlhl.exe
        
        c:\lrlhl.exe
        282⤵
        
        PID:7260
        
        \??\c:\llpxnl.exe
        
        c:\llpxnl.exe
        283⤵
        
        PID:1180
        
        \??\c:\lvbhtj.exe
        
        c:\lvbhtj.exe
        284⤵
        
        PID:11552
        
        \??\c:\lpltjfb.exe
        
        c:\lpltjfb.exe
        285⤵
        
        PID:11356
        
        \??\c:\tbnjlpx.exe
        
        c:\tbnjlpx.exe
        286⤵
        
        PID:11532
        
        \??\c:\nbtvfl.exe
        
        c:\nbtvfl.exe
        287⤵
        
        PID:2644
        
        \??\c:\nxjnln.exe
        
        c:\nxjnln.exe
        288⤵
        
        PID:11232
        
        \??\c:\rttbxvn.exe
        
        c:\rttbxvn.exe
        289⤵
        
        PID:11744
        
        \??\c:\rlfxjfp.exe
        
        c:\rlfxjfp.exe
        290⤵
        
        PID:9944
        
        \??\c:\xrdxtj.exe
        
        c:\xrdxtj.exe
        291⤵
        
        PID:11208
        
        \??\c:\lbrptr.exe
        
        c:\lbrptr.exe
        292⤵
        
        PID:7616
        
        \??\c:\vxfxx.exe
        
        c:\vxfxx.exe
        293⤵
        
        PID:4252
        
        \??\c:\djxpdn.exe
        
        c:\djxpdn.exe
        294⤵
        
        PID:9448
        
        \??\c:\vjhlhr.exe
        
        c:\vjhlhr.exe
        295⤵
        
        PID:7172
        
        \??\c:\jxtlpx.exe
        
        c:\jxtlpx.exe
        296⤵
        
        PID:11860
        
        \??\c:\xfrvlp.exe
        
        c:\xfrvlp.exe
        297⤵
        
        PID:828
        
        \??\c:\dtvxpl.exe
        
        c:\dtvxpl.exe
        298⤵
        
        PID:10536
        
        \??\c:\pfnjt.exe
        
        c:\pfnjt.exe
        299⤵
        
        PID:11212
        
        \??\c:\xfhhv.exe
        
        c:\xfhhv.exe
        300⤵
        
        PID:11112

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:6996

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
1⤵
PID:7932

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
1⤵
PID:7864
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Roaming\2.exe"
  2⤵
  PID:9148

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
1⤵
PID:8136
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Roaming\18.exe"
  2⤵
  PID:9936

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:5216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$RECYCLE.BIN\S-1-5-21-1453213197-474736321-1741884505-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
f817df49e7284ec5d686882610fdbdf7

SHA1
5a7b64857b780e315ad61cc0dc6b4b2e0e645244

SHA256
5f1acdf536de341b760c67026635cdc6efba1c38f593aa8626f3532369e5b313

SHA512
b35c41a16d036f49b4cd1a7abdaa4ab70182b4299c58670450279b068340a675642edfd868ab651783fbff4b3b7b4fffc08e2d774de7fc8d5b6cd2adc6219575

Download Submit
C:\Program Files\Java\jdk-1.8\javafx-src.zip.id-8F5BE14D.[[email protected]].BOMBO

Filesize
5.7MB

MD5
a7fbfa451e962b79910a145f05c13b34

SHA1
d54fadfa3d265d9d0d104625d7d1bc7d0277c984

SHA256
fb91865352ac4ea20477d6b0dcc37f61c14dffa51e6ddde93c782fc26f54eeff

SHA512
0c38b4f5bcf082a70b5ac50656b516289b9e5e8bee90f34947b4824257b2f72987fc126d8edb35c5ecf79f119aa51f9b995e9bd5fe295896d5482f93c17fb0c6

Download Submit
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\162__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]

Filesize
480B

MD5
5a0372da2ddeb6485893f6bcb699ba22

SHA1
6f337ef5ff67d6517b51458dc97baf4f69e55005

SHA256
d5e6baecf65968ca5b3175f4616992b5f8214fea705123a6ed36ab816806b0f4

SHA512
4094c7b2f707dca8859e7003f5a453e215bbcb2120eb0b0b91799f893773311dbef535d6e850d99556fd6b5b9b5b4ba0dddc34f568aceaf1c4e34b657e6aaee1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\16.exe

Filesize
92KB

MD5
56ba37144bd63d39f23d25dae471054e

SHA1
088e2aff607981dfe5249ce58121ceae0d1db577

SHA256
307077d1a3fd2b53b94d88268e31b0b89b8c0c2ee9dbb46041d3e2395243f1b3

SHA512
6e086bea3389412f6a9fa11e2caa2887db5128c2ad1030685e6841d7d199b63c6d9a76fb9d1ed9116afd851485501843f72af8366537a8283de2f9ab7f3d56f0

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
067f26d83ff92764aecdc2aecb4d16bf

SHA1
0ebd0be526be2767631f58dd4c61bae5c9c8078e

SHA256
3c5e85a6a76c4edfa46cb1c406cdbb0fe895961c3612716fa78a5bd603a7b32e

SHA512
eec2c798280ef46cbf5e22a8df3c017c7ce59dfc95fd6bd5794d3f46359c8b9d1fecbeb975a845195af2ac7043f9f2f14270a4bbe6192f16e07ffeed4f6e6e28

Download Submit
C:\ProgramData\RevengeRAT\pvhpfdj.ico

Filesize
4KB

MD5
202d38b2a3f6aad1f2d361a493169c99

SHA1
6c20a9fd4ce92f8a0b1949e9ba7bcf9564d9d78b

SHA256
25e460a8b43dc4de6d1bd2ed008f076d7ded07a681c16dd45c59030a6b5b3828

SHA512
6d6b2e690ba19b5cb727c6fe1554dc35825f72e1e25c64cc7bb6e7c28afd44e838360df2afc8aec30fd29303dedf4879a23f488ce5fbb3522c5bfb2969a870be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfn5swa0.lmd.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\autC34A.tmp

Filesize
4.5MB

MD5
098d7cf555f2bafd4535c8c245cf5e10

SHA1
b45daf862b6cbb539988476a0b927a6b8bb55355

SHA256
01e043bc0d9a8d53b605b1c7c2b05a5ceab0f8547222d37edd47f7c5ccde191a

SHA512
e57b8a48597bf50260c0427468a67b6b9ee5a26fd581644cd53cef5f13dc3e743960c0968cb7e5e5dff186273b75a1c6e133d26ef26320fffabc36b249fbc624

Download Submit
C:\Users\Admin\AppData\Local\Temp\autF970.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Ifouauwioue\ipjvfmvr.exe

Filesize
627KB

MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
C:\Users\Admin\AppData\Roaming\feeed.exe

Filesize
666KB

MD5
dea5598aaf3e9dcc3073ba73d972ab17

SHA1
51da8356e81c5acff3c876dffbf52195fe87d97f

SHA256
8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

SHA512
a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

Download Submit
C:\Windows\SysWOW64\Ackbfioj.exe

Filesize
109KB

MD5
b5805b269f1442b25f1f1d84745d3b90

SHA1
711a9ba1d7e93a9b6edaadc354bd6ea8bd3ad23e

SHA256
c600dcfaafe2535eb2272d0d2f3fd692bd25f0380ba6138ea1e2c97c6774ddc1

SHA512
d4dcabce64b04978c7a39d9433a8bce14b3efef440b1a6e5ed3b57fe80476339d71dd37b1f7f9d5dad600271947e87a88e9b02ab278607054e0ac35f52409d6e

Download Submit
C:\Windows\SysWOW64\Ajkgmd32.exe

Filesize
109KB

MD5
8ca4e483777890bcf4f07cb863af071b

SHA1
1137225a7bfa8ea02b6d314c4cc2056e10d60629

SHA256
ce3915f033ea6e647b4f1e46bb07ccc4a42e73ea74a1a579070f2bdafedbf9b3

SHA512
f5ba34b6a26992ee8865b19485666e587d61286d172ab7ce877d47be93d7bf43e1e2a0c1fb7c8d4431542235c0a8ff6b330cc127bb8db4a46e913474849127c8

Download Submit
C:\Windows\SysWOW64\Allpnplb.exe

Filesize
109KB

MD5
0c17104563a70e57d8558d13cf026bba

SHA1
23add64da9dfe6fc3b4688b9c824cec8465b69f4

SHA256
9cb08fa520bec83564a4775c3366d3a059bc8d114aff65fe64c0cca9eb6ec465

SHA512
b66d3f22c445bfa2ba1ec357515ca97da9138178e1d3e77ad4f4e4086825337cf4a0d3f45bbc96fd4bdf8124622160f94090260ded18fb9166bbcd24f58cd799

Download Submit
C:\Windows\SysWOW64\Cipppc32.exe

Filesize
109KB

MD5
0286911d6d3fcdcc43ceadae85e92d84

SHA1
cfad671a2502e6fae21ccaa962e31ae8d9471d6c

SHA256
fd08c584b8266d36738d71de3ab4ccc80f4e5aa4f265043b21ebc315f21a290d

SHA512
0d35f1e93b27a95399895099c2b2e9c4ae0bd75211e0ce3fff8780fabc1e5cf33261061c419a4fa053e870d9a1a4b37466573b4b878fcf8541dcd5120c0d1d58

Download Submit
C:\Windows\SysWOW64\Daiegp32.exe

Filesize
109KB

MD5
ad59e240ab876d083ad0340a45ebc5fc

SHA1
013b2ef531266014b4ab9108757d816e81161ad0

SHA256
ccea84a30c217b5e1553b9960095b40f409e9d3530652d5573bafdcdbb22dfa3

SHA512
f6e83ceaa5c255a2b523cf0afaa07de610481a8c2b97dd1b7aa5d86a7ffe3598b40998693814c5e5845175203e7d6958e1fbdfb0e897a600fc51a285fefd6eb0

Download Submit
C:\Windows\SysWOW64\Dmbbaq32.exe

Filesize
109KB

MD5
d5aaefe191b0fda62a3e93440a9e6f9c

SHA1
f584f3e0f0feb52b33f2ab107abce2e8c9383627

SHA256
e6c7e6f09c4a3ca95be1ec1a9a8a0c5f0e92825a60e76e037465852943f5da02

SHA512
1ef7007ed0dca542f5bdbbf409b6ecc9a6a94f1ded862d1e4be0fca4bb86cb484f1f383fcf5e1980aa590791c93fe89afa6a9075c9830b62d3384dcdf561dda6

Download Submit
C:\Windows\SysWOW64\Ehlpjikd.exe

Filesize
109KB

MD5
5c6c1873f224dd15ba16d638c3253d14

SHA1
f03119d3994dfd9a07306c7a15cae8d9f75ecd1e

SHA256
459ae16902a7397748f1b77197a6648de0442c64a659dfd97779cddb01691648

SHA512
fdd87af1ec421fc93659a07c59b4a9f9e6740375a189432b45659f2d5ab6103a3c372e34977fd534b9a922ff7f20ea25bec9db5bbeae2361c046e95ff72bc63e

Download Submit
C:\Windows\SysWOW64\Fabqdl32.exe

Filesize
109KB

MD5
296cf972f87fd3159f3a140929f42170

SHA1
e3aa44023c2bf39323c23caa6800b3ffeb8dff73

SHA256
e494675641f02c4b0d6a4d76a6e098994f80dae521878b14c299d7cf61bf35c9

SHA512
7878e0bda6fc9cc16f5c5ffc8b78cbdfa89d35b7b520e10abd5a3eeac5d4df186cf7dd70c2bb7bbae400cc71de08559dd4a9273945097a04228ae2ca4a049439

Download Submit
C:\Windows\SysWOW64\Gbioffpe.exe

Filesize
109KB

MD5
166ae438a9b8fdfc1595464b9173174d

SHA1
1205da3004e7077f86eb6bab43f1ae2bbcf93c79

SHA256
a54cfeaba1f0b6c3099c27d1b7057e4b2a88c5669fa08b97213b959ac5a9ac37

SHA512
ad7fadd62d3449591b4ea5308a2c6573ba1fa5b8567d42573b6e7ad8479005dee976b79278b647c690519bd807f9fe67ae8154e34ee55e23cfcb2566e988adb5

Download Submit
C:\Windows\SysWOW64\Ghmbhd32.exe

Filesize
109KB

MD5
08080221d0267034ad44b7b727fcb5cc

SHA1
cd1c8def259917d7da242d598a89295e5b1bcc3e

SHA256
83cf2d7c35d9d1fc06cf251d1e144096de1b2298b27f5f34466b34bd4b1d87b6

SHA512
eb248ed25940008d183fc4d1c9366af9a27e87b44dedf51c0f9916eff9fe443932ee9e9e425254adb3f37f5a04995f29144d363301fc14e4da6136c7119c6e72

Download Submit
C:\Windows\SysWOW64\Gmqgjl32.exe

Filesize
109KB

MD5
2931ceb1dd9db8c4dfab92d1e0b1dde1

SHA1
f805a5fedf99cf8e7ac19553b5f222b7f1be31fb

SHA256
3cab227acf0764ac0de7753b0730dea39795a484d3060dfd456409cad479eb88

SHA512
588777b9261f2dcbb15040053bcaef9d3ab6fdf92eb4ffd99272efc0b850b7e612c40d689904b4d24c4d057707dddafef0dae2439f4c18026670217765c1508c

Download Submit
C:\Windows\SysWOW64\Hhdhhchf.exe

Filesize
109KB

MD5
37e380c15603db92eca83e02771b7faa

SHA1
47765725ce72c844abcb7ec772c3d790056d970a

SHA256
ef3c8afc536eb4ae6f61608e734c44e07c73de594dabd10df96ed2e119216b0a

SHA512
e3b932037d5682b971de800e5c757ec3c8e1ec8d856ccf35d5a40582fc3e9c657aa50022a0f3daa7a5980343c1c63625d14d13bdf5465e1c06ef0b42d86afb5f

Download Submit
C:\Windows\SysWOW64\Iegpaf32.dll

Filesize
7KB

MD5
be1581ad0ab15378115d1b44106b2391

SHA1
eff7d0fb5bc3893a74e887d5ea7ed9bfe1f27456

SHA256
64468f081ce2f3453485a3941211cf00bc9aab8093748de650f9f5590ab24aa3

SHA512
ab4be9ebe1a9fb34b42d8818b122d947d16d1b209506f56dce225056b9d259ea4fbf14b45cd67ef4c4ff2dccefb7e540fb2edfc2236829daf662b294526b9606

Download Submit
C:\Windows\SysWOW64\Jkjclk32.exe

Filesize
109KB

MD5
b7c99a243498e705e269847e6af51565

SHA1
78d6eb4edfaa26a90d070af808f71e31939c6ff3

SHA256
27741cb3414f1bc71b14ca50a18bba603cabebc0bffa824a3a66f1093232129b

SHA512
b444f01c43b1a63b4114cde3b5e956a163de988302ae2e7c99b5e81bdbc2f4fa4a67863be685948f57d0b8fcb89613e3fe4499e85d5ce4d9977e822a5cfcecc5

Download Submit
C:\Windows\SysWOW64\Jqpfccgo.exe

Filesize
109KB

MD5
b3e9f0a579443d186f5c263aae9c56e1

SHA1
5a2402081bc32249c955fc72fd28fe485c706cab

SHA256
e28af24843e99c1af5988cb2b0429ac3feacdefdd996d423fe854790f6263c67

SHA512
37fbea72294f9578a1b777609cafb31e96dfc83df0d1c6d5525cf4c42c95ce48de1b3b8a43a30d8e9fabec60dcc64d508cb3ec3e535f5f0927d7ef9c2b53c3e2

Download Submit
C:\Windows\SysWOW64\Kdgapp32.exe

Filesize
109KB

MD5
ef2a87cc5ae138b7d4e127c24ecb06fc

SHA1
37ee79ec8551c7378af05ac0cd2253543b84c015

SHA256
9139ad7896c8c1de80220af440a5816d93a8a1c0a1e5c9b226d76fa05bee9dc6

SHA512
58aef78c7f491007e85fbf1da555fe466722d2f4f676f614fd1cb73019256094757f35a00c97fa1ccd7a40f6f0ed977a6314162bd4644673676050fc45c34406

Download Submit
C:\Windows\SysWOW64\Kkechjib.exe

Filesize
109KB

MD5
194546e4270e86c760028b1dc586074f

SHA1
ca5ed62d9a7454000927e38b61c3414c13ee0776

SHA256
2174fd93ce0d851d2759307391c4d7becd13347741f43a3f03e3314cc54a474d

SHA512
67fefb580bbba271415f3a8e0da590dbc0569d5d76de97eb32997bc7434be4e4d7cfea5867fa5cebb5edb8b954293ec37b4ebcf9cc4b280e48d5739935be5214

Download Submit
C:\Windows\SysWOW64\Lgamhjja.exe

Filesize
109KB

MD5
195dbe6fa281de40b0743fe2bfe0c672

SHA1
4e1e94c3e5cd6bae7d69411f34159657e845f627

SHA256
0b51ac1d9e0788883c552668f973776b72d15da05b22bb1cd8ab9d2460a61902

SHA512
a0581b1893595eb2aebade245f48fd303cc82307c719bb6217eb33f20a261ecaf0f5759fdea24c1b367cbceffa1f0d079c4e0679fbada3ac5138b9a225aa089b

Download Submit
C:\Windows\SysWOW64\Meefhl32.exe

Filesize
109KB

MD5
2c8e7a5b8b1804b2d72e6b9a3ad70bbf

SHA1
9b2cb7691af1ef4fce2fe8cc3e2f9d384d86fb04

SHA256
98778db7cf01614daca74e3b803646d3d8e3411a6046fdad7894418282615edf

SHA512
9737780a0690009d4a8af3d705119035dbdceea491759a45082eabaaa0bb41d94e20c142ed04a6a9ceba150f02c72460bf275129c879d157b71df87468eddadc

Download Submit
C:\Windows\SysWOW64\Ndlamg32.exe

Filesize
109KB

MD5
792195daa86d950d7604ac4a46539da3

SHA1
a5734d2b7dd2215e43993e5385fafb07f85bec2f

SHA256
e281ec8131cfc0a1023d00bf02033b8345bf7f9540e61b54af1c848eb4ca9bbc

SHA512
b160048388d7cdfb213774c847b5afb2ad65b9df945926e91250a0847cab87c7e75a6c9f89a310fa43533135aa76b85b1c1a800eff61bc0155a586e390d4c82c

Download Submit
C:\Windows\SysWOW64\Nejpckgc.exe

Filesize
109KB

MD5
5134ae7cd61966692a009f4dd58b8e58

SHA1
6a69ff851e72fe49cd9504f6ee144505540b324f

SHA256
c62fa0b59c18355962f6ab72cce66969aac244e60680f7c3158231c79f36d1ae

SHA512
1b5696609a8a3244b0649304c96105eb91675d4ae81fa6734cdb95a6ede9d9319e944961ab74a6ab8a12708e44109a7061ac0c9789ffdf2f37d958dfe2c8cf2b

Download Submit
C:\Windows\SysWOW64\Oeccijoh.exe

Filesize
109KB

MD5
00f0fb458bca47c61a60dc57031fc56c

SHA1
f008a4f00b2d97d0809f616af72f548cf07dbab4

SHA256
6979633d4352990ea6cfb9e67bfe93024c6140aba3527ed86def34437c9df943

SHA512
f6464daa14c2b76a8c57738f7f07b971c4f0ae40ab2206aa014fca12a5ba71afe6490eccb34e449546a66544b1e4c80ed28b04a7578254b01bd2b4caf1446405

Download Submit
C:\Windows\SysWOW64\Phddbbnf.exe

Filesize
109KB

MD5
b398e7c30d0096aff01a459bc418a48b

SHA1
c7664cb316dd1a4305c081279e032b72a9299e9e

SHA256
2646638ba25410e2a49b91608f409b319541f79f553928160cd1d67f9640597c

SHA512
8d869df8330472266daa39638c732935bb3cca9aed72283755abcc1e45baaa6bf99a1a608cbf972b031e1ea2ed4df87d258f399f970c79bfc8a2a982db17ad9c

Download Submit
C:\Windows\SysWOW64\Pkencn32.exe

Filesize
109KB

MD5
004f877e326220ebce97ea9f084c884d

SHA1
5ba2c9f24f565581a402b12319c91633dc4ea88f

SHA256
d9d67de70185a4d1ccc44ef98a9742010bf4756e425827e6e44596c2fe7b1167

SHA512
4c211c6771cc31ba5445923a98219bedcb6d81e86e0581b4b0279e34892d4595e04cfff968b91bcb563c1b55999e965b54d84f25ee8475209947e59f35ec9ff0

Download Submit
C:\Windows\SysWOW64\Pklkmo32.exe

Filesize
109KB

MD5
2449570505a26a62117b9a628c32ec6c

SHA1
45e635e7816985014cc55a80c635c8c66e507601

SHA256
71c22faf2d40344e5d636c48666c734b1d052c3ad7031b7cc49c1cef12c3301f

SHA512
cf95b6df1af66e49cad7a9a1294344165a1ca33608c028f8384a5c939c15a24cbbd12d39515c22b6decc65c898efcd69d28f8f66b3770ae54b710cfd6cb94e20

Download Submit
C:\Windows\SysWOW64\Qaabfgpa.exe

Filesize
109KB

MD5
d56ac0e83d14b0936c265282c48191da

SHA1
bd20f1563b6476413cfd05b653f396e39296fc48

SHA256
f566222239577b9ac6474f596b24c812ed6e5f32a80fbe03833ad0faf4560fb2

SHA512
d9fefbb6f4537f7c5685f0b34c398eb5eed27245a3a704d86d5e98d6c4b2e31514ff30ace9b8f635752f82fa6096e4a8f62b2e57da338abda1f3afdd82a555d3

Download Submit
C:\\xbxbpr.exe

Filesize
387KB

MD5
9a78228c4dcb8213a8a3212f9a1d4d3c

SHA1
57df5da5db7ced70808f9c3dbf978e331f4d09a9

SHA256
fd3ab2b6128a9cf5964e472b0ce1306e357c5ec478890778fb453888387d965c

SHA512
8f5e6bb803ba27d84b465b6b504074f4884911780f8ba4fa83b64c0c8716040a36ea4371d2b4bca00340b46897248a66eb31b4884f8d9937ce3c7afd80305a50

Download Submit
C:\nrppvb.exe

Filesize
387KB

MD5
89aab4920c20d4dd40cf1169cda12f41

SHA1
b763d71ec93e80fdfdc823785c1942b1a047d71a

SHA256
47ce8c7453bc0202929ba826ebce4ba17e382eb3fc5b4c383f47fa5cffde372a

SHA512
bd4a48a59e5aacca7e7414a4ff2869f68f3228004132fc8e9d7486048322f07496c7d9ec1e464aa71f412ba4755ba6a234d63f06fe9eacf9233235c976367532

Download Submit
\??\c:\hlprfb.exe

Filesize
387KB

MD5
d132289bbe2a0d03dfbc186aed732cc8

SHA1
effac2dbd63dedf514475369e9be4fe16cc23d8f

SHA256
5e38105e285b109454dce396a555ad2add408b7f50348669bae5977ef7b722c3

SHA512
f50c9da82e45469c3750d9cbc1cd2d3d5f2811d9f1a0e1f1784eb4b4a25f3cbcdc6c4a0de69f6ea4b00d662956f594a2aa89e52a628f66aa8194968e4aa40db2

Download Submit
\??\c:\jbnlhvd.exe

Filesize
387KB

MD5
6cf5ec50374c636126ad1868bed77d3d

SHA1
086d65db543db9fc20c6d498335d0be6dfc25137

SHA256
1aad2e30fe55d3ed591f038bc4709823c456d5fd31e64cfcb3b7c44a7c9d1eeb

SHA512
5da7eadaaa5d60596fe5212819318b783113d8fad03a7e8241141fe3479393721600da12dc924738e62b070142177b64b53601daa035439dd1108d0ef6189817

Download Submit
\??\c:\lbxdlxt.exe

Filesize
387KB

MD5
e4173d397437011226a47b6625398713

SHA1
9ea386664f58178633b5a43dafcf8dd980e552b7

SHA256
d25e8ab0b3590c9d0e151b6013c072e29f46812ecc355401705c26b6c5a07a04

SHA512
10fae29d535a5d3f95ea25ebfaea3cce2ff45cd868e45835caf300234f5717c0094101d8e959d8647161fa3c6a8d84ac817d9644bc3408cf1a2fa4c9bae7ebbd

Download Submit
\??\c:\llfhxx.exe

Filesize
387KB

MD5
86c4bbf8f6e4bd7f0127dca41489702d

SHA1
54d17f667b1af194093fb11249a3406fd24a63ed

SHA256
83a8fa5c98ebc106bfdb2ebb09bdeedafc1c4a73c4cf11210ab8dfca00b9303b

SHA512
7b26c68d67ed85e9f4aa914ee810ef760cdacf000e1000e474d0d3e01549314e322e8bd31d84b1cc8344d4fa4fc8712454552d3397f30f4704d9df0f5d756f26

Download Submit
\??\c:\lnplr.exe

Filesize
387KB

MD5
5e9ebed3ca38746a24f3c5218ada2de9

SHA1
f0b7636e0a5a83014395dae4cddea66a4466a252

SHA256
2af97f7bc9210a0a60b53b83183601c402f8de10f7968ef3b99c8bb2ad6cb39d

SHA512
e5c39dc43fdf8bd9f9e5abb8aa06fedae7b9262ee12a895457cefc6652b9e4009e8605d82ca8c5a0d1d898d88db44cab260ad3b6f4594758dc7df1d670816c7c

Download Submit
\??\c:\rjhth.exe

Filesize
387KB

MD5
842d47c780d4ef3f2fc7f928e208795d

SHA1
58bbb4679f9a6148011277f832bbfb333b407698

SHA256
37be1cc9d098619ee73f37fc1fc04325ddb78b6da9735a14c69a9b786cfd4427

SHA512
93826dd9bc4406ebcf498130705d2d98cf248c8f6ce72355686823a3f961347e625e15b082af857cd3461e8a47a2c60c0d7dc38fbefc3c80825b2bd275d979e4

Download Submit
\??\c:\txpxvnh.exe

Filesize
387KB

MD5
6eec0549aff12271da1fd332d859b48d

SHA1
e80c9cd04d93422a328d6865e776fdb07c7fb844

SHA256
49ae7f1db6fd1a26d727028e50364380ada34c16b12e85e6fca117419d0dc015

SHA512
67344e32fddebd8b881ac3040d6d1d05254ceb1d5d8524d10c32316f861c2d24b95e3bd52dfdf61e63d3878215f23c3db8b4d9b5455698ec7e539b9b3b41524a

Download Submit
\Users\Admin\AppData\Local\Temp\D47F.tmp

Filesize
1.5MB

MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/504-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/520-15-0x00000000007F0000-0x000000000080A000-memory.dmp

Filesize
104KB

Download
memory/808-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1008-642-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1188-555-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1360-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1364-1092-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1596-641-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1660-1586-0x0000000000B90000-0x0000000000C4E000-memory.dmp

Filesize
760KB

Download
memory/1928-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2036-630-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2332-169-0x00000000000C0000-0x00000000000F0000-memory.dmp

Filesize
192KB

Download
memory/2440-266-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2784-903-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2856-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2992-37-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3124-518-0x00000214DF870000-0x00000214DF892000-memory.dmp

Filesize
136KB

Download
memory/3124-717-0x00000214DFA20000-0x00000214DFA96000-memory.dmp

Filesize
472KB

Download
memory/3348-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3408-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3500-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3652-408-0x0000000000400000-0x0000000002CE4000-memory.dmp

Filesize
40.9MB

Download
memory/3652-606-0x0000000000400000-0x0000000002CE4000-memory.dmp

Filesize
40.9MB

Download
memory/3652-213-0x0000000000400000-0x0000000002CE4000-memory.dmp

Filesize
40.9MB

Download
memory/4080-267-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4084-303-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4328-22-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4388-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-263-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4408-23-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4544-41-0x000000001BBB0000-0x000000001C07E000-memory.dmp

Filesize
4.8MB

Download
memory/4544-173-0x000000001C080000-0x000000001C126000-memory.dmp

Filesize
664KB

Download
memory/4544-194-0x000000001C1F0000-0x000000001C252000-memory.dmp

Filesize
392KB

Download
memory/4544-1326-0x000000001D020000-0x000000001D0BC000-memory.dmp

Filesize
624KB

Download
memory/4564-628-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4696-264-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4736-46-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-98-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-52-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-70-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-72-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-54-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-302-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/4736-56-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-58-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-63-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-64-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-74-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-66-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-76-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-48-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-204-0x0000000004AA0000-0x0000000004F9E000-memory.dmp

Filesize
5.0MB

Download
memory/4736-78-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-80-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-82-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-44-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-84-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-86-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-43-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-88-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-94-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-90-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-60-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-92-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-96-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-50-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4736-32-0x0000000002380000-0x00000000023B2000-memory.dmp

Filesize
200KB

Download
memory/4736-224-0x0000000002690000-0x0000000002722000-memory.dmp

Filesize
584KB

Download
memory/4736-29-0x0000000002190000-0x00000000021C2000-memory.dmp

Filesize
200KB

Download
memory/4736-68-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/4964-265-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5148-409-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5416-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5516-680-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5680-1473-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5680-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5756-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5980-637-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6028-811-0x0000000000400000-0x0000000002CE4000-memory.dmp

Filesize
40.9MB

Download
memory/6028-605-0x0000000000400000-0x0000000002CE4000-memory.dmp

Filesize
40.9MB

Download
memory/6108-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6196-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6204-812-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6260-451-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6380-463-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6396-683-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6456-483-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6532-1010-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6560-629-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6648-702-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6664-492-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6720-891-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6744-632-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6756-493-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6784-636-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6924-678-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6932-640-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6940-505-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7080-730-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7084-509-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7104-631-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7136-660-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7228-824-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7260-910-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7272-813-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7380-814-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7420-923-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7424-815-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7488-933-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7496-816-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7568-818-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7588-950-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7636-1030-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7664-823-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7776-831-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7792-1001-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7884-1069-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7888-1051-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7948-840-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7996-976-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/8024-857-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/8088-864-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/8128-1082-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/8140-870-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/8188-890-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/8848-1548-0x0000000005740000-0x0000000005748000-memory.dmp

Filesize
32KB

Download
memory/8848-1518-0x0000000000E40000-0x0000000000EEC000-memory.dmp

Filesize
688KB

Download
memory/8848-1530-0x0000000002FA0000-0x0000000002FB4000-memory.dmp

Filesize
80KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads