berbew | 69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591

Analysis

max time kernel
114s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

get fucked.exe
Size

10.2MB
MD5

cb15c5a967ef9f97520336419ba91964
SHA1

7fc921d591e357108c64da40f8646841517cbc91
SHA256

69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591
SHA512

f692a0f845a2be87ae06b8bce8553c9b8061f9e9e2a9a60bca5ff603f11d4a09edf16c3023a717878ca4d528e586c192aa669f5cb7f21a4e301fe23382b16a62
SSDEEP

196608:zJxxbGXkwODPzMsVerPYVnN/SMFm0ICteEroXxRzlxZV3Gu5D4S26cSEqCS3JUl5:jxZgPYVnNSMhInEroX714S2IlpUlNWax

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgbdcgld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgeaifia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bifmqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjaqpbkh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgeaifia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bppfmigl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bihjfnmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bihjfnmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boklbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjaqpbkh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpnihiio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpleig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbdcgld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpnihiio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccnncgmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boklbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpleig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffmfadl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffmfadl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bifmqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bppfmigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccnncgmc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000023576-333.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024332-37563.dat	family_xworm
behavioral1/files/0x00070000000243e3-39551.dat	family_xworm

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Malicious RTF document (CVE-2017-0199) 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000244b3-40867.dat	rtf_objdata_urlmoniker_http

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cef-33491.dat	family_quasar
behavioral1/files/0x00070000000240d7-34357.dat	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ModiLoader Second Stage 7 IoCs

resource	yara_rule
behavioral1/memory/4032-164-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1984-216-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/2844-13949-0x00000000026A0000-0x00000000026B3000-memory.dmp	modiloader_stage2
behavioral1/memory/4756-570-0x0000000000460000-0x0000000000473000-memory.dmp	modiloader_stage2
behavioral1/memory/7636-14089-0x0000000005BD0000-0x0000000005BE3000-memory.dmp	modiloader_stage2
behavioral1/memory/17076-14292-0x0000000002A70000-0x0000000002A83000-memory.dmp	modiloader_stage2
behavioral1/files/0x00070000000239ff-17161.dat	modiloader_stage2

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral1/memory/3240-310-0x00007FF72D710000-0x00007FF72DA61000-memory.dmp	xmrig
behavioral1/memory/4544-517-0x00007FF63C030000-0x00007FF63C381000-memory.dmp	xmrig
behavioral1/memory/2608-533-0x00007FF6D56D0000-0x00007FF6D5A21000-memory.dmp	xmrig
behavioral1/memory/4748-544-0x00007FF71FB20000-0x00007FF71FE71000-memory.dmp	xmrig
behavioral1/memory/4456-549-0x00007FF70F950000-0x00007FF70FCA1000-memory.dmp	xmrig
behavioral1/memory/1020-550-0x00007FF765960000-0x00007FF765CB1000-memory.dmp	xmrig
behavioral1/memory/3240-13987-0x00007FF72D710000-0x00007FF72DA61000-memory.dmp	xmrig
behavioral1/memory/2192-594-0x00007FF6CEC00000-0x00007FF6CEF51000-memory.dmp	xmrig
behavioral1/memory/3260-548-0x00007FF653730000-0x00007FF653A81000-memory.dmp	xmrig
behavioral1/memory/3540-546-0x00007FF7D56E0000-0x00007FF7D5A31000-memory.dmp	xmrig
behavioral1/memory/3172-518-0x00007FF789090000-0x00007FF7893E1000-memory.dmp	xmrig
behavioral1/memory/3892-509-0x00007FF6D5450000-0x00007FF6D57A1000-memory.dmp	xmrig
behavioral1/memory/1368-501-0x00007FF76C1E0000-0x00007FF76C531000-memory.dmp	xmrig
behavioral1/memory/1688-453-0x00007FF623160000-0x00007FF6234B1000-memory.dmp	xmrig
behavioral1/memory/412-413-0x00007FF6F6460000-0x00007FF6F67B1000-memory.dmp	xmrig

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral1/files/0x000700000002391e-29935.dat	office_xlm_macros

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000002362c-13959.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000700000002358f-543.dat	aspack_v212_v242

Executes dropped EXE 17 IoCs

pid	Process
3620	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
3148	Boklbi32.exe
1984	tcpip.exe
2820	Bgbdcgld.exe
4840	Bjaqpbkh.exe
4948	Bpnihiio.exe
4856	Bgeaifia.exe
628	Bifmqo32.exe
3876	Bppfmigl.exe
4660	Bihjfnmm.exe
4192	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
384	Ccnncgmc.exe
3960	Cpleig32.exe
2884	Cffmfadl.exe
2492	240919-hk1h8awdjjbc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
4544	Dmpfbk32.exe

Loads dropped DLL 20 IoCs

pid	Process
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe
3472	get fucked.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4032-139-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/4032-164-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/1984-216-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/3240-257-0x00007FF72D710000-0x00007FF72DA61000-memory.dmp	upx
behavioral1/memory/3240-310-0x00007FF72D710000-0x00007FF72DA61000-memory.dmp	upx
behavioral1/memory/1204-343-0x00007FF683D30000-0x00007FF684081000-memory.dmp	upx
behavioral1/memory/2220-362-0x00007FF6A3A80000-0x00007FF6A3DD1000-memory.dmp	upx
behavioral1/memory/696-388-0x00007FF78F500000-0x00007FF78F851000-memory.dmp	upx
behavioral1/memory/4408-379-0x00007FF71B570000-0x00007FF71B8C1000-memory.dmp	upx
behavioral1/memory/3688-424-0x00007FF709A70000-0x00007FF709DC1000-memory.dmp	upx
behavioral1/memory/2768-466-0x00007FF754B00000-0x00007FF754E51000-memory.dmp	upx
behavioral1/memory/4544-517-0x00007FF63C030000-0x00007FF63C381000-memory.dmp	upx
behavioral1/memory/2608-533-0x00007FF6D56D0000-0x00007FF6D5A21000-memory.dmp	upx
behavioral1/memory/4748-544-0x00007FF71FB20000-0x00007FF71FE71000-memory.dmp	upx
behavioral1/memory/4456-549-0x00007FF70F950000-0x00007FF70FCA1000-memory.dmp	upx
behavioral1/memory/1020-550-0x00007FF765960000-0x00007FF765CB1000-memory.dmp	upx
behavioral1/files/0x000700000002362c-13959.dat	upx
behavioral1/memory/3240-13987-0x00007FF72D710000-0x00007FF72DA61000-memory.dmp	upx
behavioral1/memory/2192-594-0x00007FF6CEC00000-0x00007FF6CEF51000-memory.dmp	upx
behavioral1/memory/3260-548-0x00007FF653730000-0x00007FF653A81000-memory.dmp	upx
behavioral1/memory/3540-546-0x00007FF7D56E0000-0x00007FF7D5A31000-memory.dmp	upx
behavioral1/memory/3172-518-0x00007FF789090000-0x00007FF7893E1000-memory.dmp	upx
behavioral1/memory/3892-509-0x00007FF6D5450000-0x00007FF6D57A1000-memory.dmp	upx
behavioral1/memory/1368-501-0x00007FF76C1E0000-0x00007FF76C531000-memory.dmp	upx
behavioral1/memory/5040-499-0x00007FF7278D0000-0x00007FF727C21000-memory.dmp	upx
behavioral1/memory/1688-453-0x00007FF623160000-0x00007FF6234B1000-memory.dmp	upx
behavioral1/memory/3948-434-0x00007FF6F5100000-0x00007FF6F5451000-memory.dmp	upx
behavioral1/memory/412-413-0x00007FF6F6460000-0x00007FF6F67B1000-memory.dmp	upx
behavioral1/memory/2632-368-0x00007FF7E78E0000-0x00007FF7E7C31000-memory.dmp	upx
behavioral1/memory/512-355-0x00007FF609A20000-0x00007FF609D71000-memory.dmp	upx
behavioral1/files/0x0007000000023576-333.dat	upx
behavioral1/files/0x0007000000023983-16613.dat	upx
behavioral1/files/0x00070000000242d1-36675.dat	upx

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	31.193.3.240
Destination IP	31.193.3.240

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
20728	Process not Found

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
480	discord.com
521	discord.com
452	discord.com
711	discord.com
156	discord.com
501	discord.com
714	discord.com
746	discord.com
58	discord.com
74	discord.com
49	discord.com
96	discord.com
450	discord.com
32	discord.com
70	discord.com
728	discord.com
784	discord.com
69	discord.com
81	discord.com
125	discord.com
532	discord.com
53	discord.com
120	discord.com
124	discord.com
9	discord.com
539	discord.com
555	discord.com
688	discord.com
139	discord.com
161	discord.com
181	discord.com
318	discord.com
321	pastebin.com
312	discord.com
471	discord.com
793	discord.com
828	discord.com
39	discord.com
121	discord.com
63	discord.com
90	discord.com
573	discord.com
159	discord.com
336	discord.com
881	discord.com
128	discord.com
173	discord.com
464	discord.com
490	discord.com
494	discord.com
45	discord.com
607	discord.com
652	discord.com
786	discord.com
77	discord.com
157	discord.com
178	discord.com
323	pastebin.com
592	discord.com
119	discord.com
144	discord.com
153	discord.com
158	discord.com
64	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
811	whatismyipaddress.com
816	whatismyipaddress.com
616	ip-api.com
744	ipinfo.io
747	ipinfo.io

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000023816-15463.dat	autoit_exe
behavioral1/files/0x0007000000023cef-33491.dat	autoit_exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gnknpnlf.dll	Bjaqpbkh.exe
File created	C:\Windows\SysWOW64\Bihjfnmm.exe	Bppfmigl.exe
File opened for modification	C:\Windows\SysWOW64\Bihjfnmm.exe	Bppfmigl.exe
File created	C:\Windows\SysWOW64\Odnknc32.dll	Cpleig32.exe
File opened for modification	C:\Windows\SysWOW64\Bgbdcgld.exe	Boklbi32.exe
File created	C:\Windows\SysWOW64\Lpafph32.dll	Bgbdcgld.exe
File created	C:\Windows\SysWOW64\bhjeaka.bat	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Bgeaifia.exe	Bpnihiio.exe
File created	C:\Windows\SysWOW64\Fpnfmjbo.dll	Bgeaifia.exe
File created	C:\Windows\SysWOW64\Bppfmigl.exe	Bifmqo32.exe
File created	C:\Windows\SysWOW64\Ccnncgmc.exe	Bihjfnmm.exe
File created	C:\Windows\SysWOW64\Ohmkjd32.dll	Cffmfadl.exe
File opened for modification	C:\Windows\SysWOW64\Boklbi32.exe	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
File opened for modification	C:\Windows\SysWOW64\Bjaqpbkh.exe	Bgbdcgld.exe
File created	C:\Windows\SysWOW64\Dmdnljan.dll	Bifmqo32.exe
File opened for modification	C:\Windows\SysWOW64\Egneae32.dll	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
File opened for modification	C:\Windows\SysWOW64\Dmpfbk32.exe	Cffmfadl.exe
File opened for modification	C:\Windows\SysWOW64\Bifmqo32.exe	Bgeaifia.exe
File opened for modification	C:\Windows\SysWOW64\Cpleig32.exe	Ccnncgmc.exe
File created	C:\Windows\SysWOW64\Boklbi32.exe	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
File created	C:\Windows\SysWOW64\Bjaqpbkh.exe	Bgbdcgld.exe
File opened for modification	C:\Windows\SysWOW64\Bpnihiio.exe	Bjaqpbkh.exe
File created	C:\Windows\SysWOW64\Looknpmn.dll	Bpnihiio.exe
File opened for modification	C:\Windows\SysWOW64\Ccnncgmc.exe	Bihjfnmm.exe
File created	C:\Windows\SysWOW64\Egneae32.dll	Bihjfnmm.exe
File created	C:\Windows\SysWOW64\Ikdkai32.dll	Boklbi32.exe
File created	C:\Windows\SysWOW64\Fliabjbh.dll	Bppfmigl.exe
File created	C:\Windows\SysWOW64\msiupdata.dll	tcpip.exe
File created	C:\Windows\SysWOW64\Cpleig32.exe	Ccnncgmc.exe
File created	C:\Windows\SysWOW64\tcpip.exe	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Bpnihiio.exe	Bjaqpbkh.exe
File created	C:\Windows\SysWOW64\Fljcnd32.dll	Ccnncgmc.exe
File created	C:\Windows\SysWOW64\Cffmfadl.exe	Cpleig32.exe
File created	C:\Windows\SysWOW64\Oipoad32.dll	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
File opened for modification	C:\Windows\SysWOW64\tcpip.exe	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Bgbdcgld.exe	Boklbi32.exe
File created	C:\Windows\SysWOW64\Bgeaifia.exe	Bpnihiio.exe
File created	C:\Windows\SysWOW64\Bifmqo32.exe	Bgeaifia.exe
File opened for modification	C:\Windows\SysWOW64\Bppfmigl.exe	Bifmqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ccnncgmc.exe	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
File opened for modification	C:\Windows\SysWOW64\Cffmfadl.exe	Cpleig32.exe
File created	C:\Windows\SysWOW64\Dmpfbk32.exe	Cffmfadl.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4836	Process not Found

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
13660	Process not Found
11792	Process not Found
21332	Process not Found
16476	Process not Found
16836	Process not Found
17292	Process not Found
21152	Process not Found
22784	Process not Found

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000a000000023a34-31195.dat	pyinstaller
behavioral1/files/0x0007000000024185-34908.dat	pyinstaller

Program crash 16 IoCs

pid	pid_target	Process	procid_target
2808	3508	WerFault.exe
5180	5512	WerFault.exe	413
11776	6092	WerFault.exe	726
11528	21164	WerFault.exe	723
8888	8196	WerFault.exe	508
8928	8300	WerFault.exe	504
15412	8260	WerFault.exe	505
1568	15116	WerFault.exe	820
25232	8440	Process not Found
24832	5960	WerFault.exe
7424	12784	Process not Found	1093
21620	664	Process not Found
19136	13184	Process not Found	1300
940	7256	Process not Found	555
21156	11260	Process not Found
14984	23168	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifmqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-hk1h8awdjjbc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boklbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpnihiio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgeaifia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccnncgmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcpip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bihjfnmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbdcgld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjaqpbkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bppfmigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpleig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffmfadl.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6136	backup.exe
7264	Process not Found
14548	Process not Found
24340	backup.exe

System Time Discovery 1 TTPs 4 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
18968	Process not Found
6388	Process not Found
17164	Process not Found
10456	Process not Found

Kills process with taskkill 2 IoCs

evasion

pid	Process
14164	Process not Found
24916	Process not Found

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnknpnlf.dll"	Bjaqpbkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpnihiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fliabjbh.dll"	Bppfmigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bppfmigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boklbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpafph32.dll"	Bgbdcgld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffmfadl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egneae32.dll"	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccnncgmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpleig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bppfmigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bihjfnmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffmfadl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjaqpbkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looknpmn.dll"	Bpnihiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odnknc32.dll"	Cpleig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipoad32.dll"	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgbdcgld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgeaifia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bifmqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bihjfnmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmkjd32.dll"	Cffmfadl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjaqpbkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnfmjbo.dll"	Bgeaifia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bifmqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccnncgmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpleig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egneae32.dll"	Bihjfnmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljcnd32.dll"	Ccnncgmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdnljan.dll"	Bifmqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boklbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdkai32.dll"	Boklbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgeaifia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgbdcgld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpnihiio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
3556	NOTEPAD.EXE
24476	NOTEPAD.EXE
24880	Process not Found

Runs net.exe

Runs regedit.exe 1 IoCs

pid	Process
24836	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	Process not Found
5324	Process not Found
8624	Process not Found
5304	Process not Found

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
1984	tcpip.exe
1984	tcpip.exe
1984	tcpip.exe
1984	tcpip.exe
1984	tcpip.exe
1984	tcpip.exe
1984	tcpip.exe
1984	tcpip.exe
1984	tcpip.exe
1984	tcpip.exe
1984	tcpip.exe
1984	tcpip.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
1984	tcpip.exe
1984	tcpip.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
Token: SeDebugPrivilege	1984	tcpip.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 3472	1380	get fucked.exe	83
PID 1380 wrote to memory of 3472	1380	get fucked.exe	83
PID 3472 wrote to memory of 3184	3472	get fucked.exe	84
PID 3472 wrote to memory of 3184	3472	get fucked.exe	84
PID 3472 wrote to memory of 3620	3472	get fucked.exe	85
PID 3472 wrote to memory of 3620	3472	get fucked.exe	85
PID 3472 wrote to memory of 3620	3472	get fucked.exe	85
PID 3472 wrote to memory of 4032	3472	get fucked.exe	86
PID 3472 wrote to memory of 4032	3472	get fucked.exe	86
PID 3472 wrote to memory of 4032	3472	get fucked.exe	86
PID 3620 wrote to memory of 3148	3620	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe	87
PID 3620 wrote to memory of 3148	3620	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe	87
PID 3620 wrote to memory of 3148	3620	240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe	87
PID 3148 wrote to memory of 2820	3148	Boklbi32.exe	89
PID 3148 wrote to memory of 2820	3148	Boklbi32.exe	89
PID 3148 wrote to memory of 2820	3148	Boklbi32.exe	89
PID 2820 wrote to memory of 4840	2820	Bgbdcgld.exe	90
PID 2820 wrote to memory of 4840	2820	Bgbdcgld.exe	90
PID 2820 wrote to memory of 4840	2820	Bgbdcgld.exe	90
PID 4032 wrote to memory of 4804	4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe	91
PID 4032 wrote to memory of 4804	4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe	91
PID 4032 wrote to memory of 4804	4032	240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe	91
PID 4840 wrote to memory of 4948	4840	Bjaqpbkh.exe	93
PID 4840 wrote to memory of 4948	4840	Bjaqpbkh.exe	93
PID 4840 wrote to memory of 4948	4840	Bjaqpbkh.exe	93
PID 4948 wrote to memory of 4856	4948	Bpnihiio.exe	94
PID 4948 wrote to memory of 4856	4948	Bpnihiio.exe	94
PID 4948 wrote to memory of 4856	4948	Bpnihiio.exe	94
PID 4856 wrote to memory of 628	4856	Bgeaifia.exe	95
PID 4856 wrote to memory of 628	4856	Bgeaifia.exe	95
PID 4856 wrote to memory of 628	4856	Bgeaifia.exe	95
PID 628 wrote to memory of 3876	628	Bifmqo32.exe	143
PID 628 wrote to memory of 3876	628	Bifmqo32.exe	143
PID 628 wrote to memory of 3876	628	Bifmqo32.exe	143
PID 3472 wrote to memory of 4192	3472	get fucked.exe	178
PID 3472 wrote to memory of 4192	3472	get fucked.exe	178
PID 3472 wrote to memory of 4192	3472	get fucked.exe	178
PID 3876 wrote to memory of 4660	3876	Bppfmigl.exe	98
PID 3876 wrote to memory of 4660	3876	Bppfmigl.exe	98
PID 3876 wrote to memory of 4660	3876	Bppfmigl.exe	98
PID 1984 wrote to memory of 3476	1984	tcpip.exe	56
PID 4192 wrote to memory of 384	4192	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe	101
PID 4192 wrote to memory of 384	4192	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe	101
PID 4192 wrote to memory of 384	4192	240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe	101
PID 384 wrote to memory of 3960	384	Ccnncgmc.exe	102
PID 384 wrote to memory of 3960	384	Ccnncgmc.exe	102
PID 384 wrote to memory of 3960	384	Ccnncgmc.exe	102
PID 3960 wrote to memory of 2884	3960	Cpleig32.exe	103
PID 3960 wrote to memory of 2884	3960	Cpleig32.exe	103
PID 3960 wrote to memory of 2884	3960	Cpleig32.exe	103
PID 3472 wrote to memory of 2492	3472	get fucked.exe	105
PID 3472 wrote to memory of 2492	3472	get fucked.exe	105
PID 3472 wrote to memory of 2492	3472	get fucked.exe	105
PID 2884 wrote to memory of 4544	2884	Cffmfadl.exe	155
PID 2884 wrote to memory of 4544	2884	Cffmfadl.exe	155
PID 2884 wrote to memory of 4544	2884	Cffmfadl.exe	155

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\get fucked.exe
  "C:\Users\Admin\AppData\Local\Temp\get fucked.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\get fucked.exe
    "C:\Users\Admin\AppData\Local\Temp\get fucked.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3184
  - - C:\Users\Admin\Downloads\240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
      C:\Users\Admin\Downloads\240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3620
    - - C:\Windows\SysWOW64\Boklbi32.exe
        
        C:\Windows\system32\Boklbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3148
      - C:\Windows\SysWOW64\Bgbdcgld.exe
        
        C:\Windows\system32\Bgbdcgld.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Bjaqpbkh.exe
        
        C:\Windows\system32\Bjaqpbkh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Bpnihiio.exe
        
        C:\Windows\system32\Bpnihiio.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Bgeaifia.exe
        
        C:\Windows\system32\Bgeaifia.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Bifmqo32.exe
        
        C:\Windows\system32\Bifmqo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Bppfmigl.exe
        
        C:\Windows\system32\Bppfmigl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Bihjfnmm.exe
        
        C:\Windows\system32\Bihjfnmm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
  - - C:\Users\Admin\Downloads\240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\bhjeaka.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
  - - C:\Users\Admin\Downloads\240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
      C:\Users\Admin\Downloads\240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\SysWOW64\Ccnncgmc.exe
        
        C:\Windows\system32\Ccnncgmc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
      - C:\Windows\SysWOW64\Cpleig32.exe
        
        C:\Windows\system32\Cpleig32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Cffmfadl.exe
        
        C:\Windows\system32\Cffmfadl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Dmpfbk32.exe
        
        C:\Windows\system32\Dmpfbk32.exe
        8⤵
        Executes dropped EXE
        
        PID:4544
  - - C:\Users\Admin\Downloads\240919-hk1h8awdjjbc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
      C:\Users\Admin\Downloads\240919-hk1h8awdjjbc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2492
    - - C:\Windows\SysWOW64\Dcjnoece.exe
        
        C:\Windows\system32\Dcjnoece.exe
        5⤵
        
        PID:3068
      - C:\Windows\SysWOW64\Dannij32.exe
        
        C:\Windows\system32\Dannij32.exe
        6⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Diicml32.exe
        
        C:\Windows\system32\Diicml32.exe
        7⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\Dmdonkgc.exe
        
        C:\Windows\system32\Dmdonkgc.exe
        8⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\Dapkni32.exe
        
        C:\Windows\system32\Dapkni32.exe
        9⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Dcogje32.exe
        
        C:\Windows\system32\Dcogje32.exe
        10⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Dhjckcgi.exe
        
        C:\Windows\system32\Dhjckcgi.exe
        11⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Dfmcfp32.exe
        
        C:\Windows\system32\Dfmcfp32.exe
        12⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\Dikpbl32.exe
        
        C:\Windows\system32\Dikpbl32.exe
        13⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Dmglcj32.exe
        
        C:\Windows\system32\Dmglcj32.exe
        14⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Ejbbmnnb.exe
        
        C:\Windows\system32\Ejbbmnnb.exe
        15⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Empoiimf.exe
        
        C:\Windows\system32\Empoiimf.exe
        16⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Ealkjh32.exe
        
        C:\Windows\system32\Ealkjh32.exe
        17⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Ehfcfb32.exe
        
        C:\Windows\system32\Ehfcfb32.exe
        18⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Ejflhm32.exe
        
        C:\Windows\system32\Ejflhm32.exe
        19⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\Ehjlaaig.exe
        
        C:\Windows\system32\Ehjlaaig.exe
        20⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Faenpf32.exe
        
        C:\Windows\system32\Faenpf32.exe
        21⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Fknbil32.exe
        
        C:\Windows\system32\Fknbil32.exe
        22⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\Fhabbp32.exe
        
        C:\Windows\system32\Fhabbp32.exe
        23⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Fmnkkg32.exe
        
        C:\Windows\system32\Fmnkkg32.exe
        24⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Fdhcgaic.exe
        
        C:\Windows\system32\Fdhcgaic.exe
        25⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\Fdkpma32.exe
        
        C:\Windows\system32\Fdkpma32.exe
        26⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Gaopfe32.exe
        
        C:\Windows\system32\Gaopfe32.exe
        27⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\Ggnedlao.exe
        
        C:\Windows\system32\Ggnedlao.exe
        28⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Ginnfgop.exe
        
        C:\Windows\system32\Ginnfgop.exe
        29⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\Hnodaecc.exe
        
        C:\Windows\system32\Hnodaecc.exe
        30⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Hpomcp32.exe
        
        C:\Windows\system32\Hpomcp32.exe
        31⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Hglaej32.exe
        
        C:\Windows\system32\Hglaej32.exe
        32⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\Hgnoki32.exe
        
        C:\Windows\system32\Hgnoki32.exe
        33⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Idbodn32.exe
        
        C:\Windows\system32\Idbodn32.exe
        34⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\Iafonaao.exe
        
        C:\Windows\system32\Iafonaao.exe
        35⤵
        
        PID:440
        
        C:\Windows\SysWOW64\Igchfiof.exe
        
        C:\Windows\system32\Igchfiof.exe
        36⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Ihbdplfi.exe
        
        C:\Windows\system32\Ihbdplfi.exe
        37⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\Indfca32.exe
        
        C:\Windows\system32\Indfca32.exe
        38⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Jbaojpgb.exe
        
        C:\Windows\system32\Jbaojpgb.exe
        39⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Jkjcbe32.exe
        
        C:\Windows\system32\Jkjcbe32.exe
        40⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Jgadgf32.exe
        
        C:\Windows\system32\Jgadgf32.exe
        41⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\Jhpqaiji.exe
        
        C:\Windows\system32\Jhpqaiji.exe
        42⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\Jdgafjpn.exe
        
        C:\Windows\system32\Jdgafjpn.exe
        43⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Jbkbpoog.exe
        
        C:\Windows\system32\Jbkbpoog.exe
        44⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Knflpoqf.exe
        
        C:\Windows\system32\Knflpoqf.exe
        45⤵
        
        PID:11696
        
        C:\Windows\SysWOW64\Kniieo32.exe
        
        C:\Windows\system32\Kniieo32.exe
        46⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Lgcjdd32.exe
        
        C:\Windows\system32\Lgcjdd32.exe
        47⤵
        
        PID:13096
        
        C:\Windows\SysWOW64\Ljdceo32.exe
        
        C:\Windows\system32\Ljdceo32.exe
        48⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Lihpif32.exe
        
        C:\Windows\system32\Lihpif32.exe
        49⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Mlmbfqoj.exe
        
        C:\Windows\system32\Mlmbfqoj.exe
        50⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Micoed32.exe
        
        C:\Windows\system32\Micoed32.exe
        51⤵
        
        PID:14640
        
        C:\Windows\SysWOW64\Nobdbkhf.exe
        
        C:\Windows\system32\Nobdbkhf.exe
        52⤵
        
        PID:15440
        
        C:\Windows\SysWOW64\Neoieenp.exe
        
        C:\Windows\system32\Neoieenp.exe
        53⤵
        
        PID:18440
        
        C:\Windows\SysWOW64\Nimbkc32.exe
        
        C:\Windows\system32\Nimbkc32.exe
        54⤵
        
        PID:21204
        
        C:\Windows\SysWOW64\Najceeoo.exe
        
        C:\Windows\system32\Najceeoo.exe
        55⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\Olbdhn32.exe
        
        C:\Windows\system32\Olbdhn32.exe
        56⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Ohiemobf.exe
        
        C:\Windows\system32\Ohiemobf.exe
        57⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Oaajed32.exe
        
        C:\Windows\system32\Oaajed32.exe
        58⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        59⤵
        
        PID:14500
        
        C:\Windows\SysWOW64\Oafcqcea.exe
        
        C:\Windows\system32\Oafcqcea.exe
        60⤵
        
        PID:16796
        
        C:\Windows\SysWOW64\Pedlgbkh.exe
        
        C:\Windows\system32\Pedlgbkh.exe
        61⤵
        
        PID:16840
        
        C:\Windows\SysWOW64\Pchlpfjb.exe
        
        C:\Windows\system32\Pchlpfjb.exe
        62⤵
        
        PID:17400
        
        C:\Windows\SysWOW64\Plpqil32.exe
        
        C:\Windows\system32\Plpqil32.exe
        63⤵
        
        PID:19460
        
        C:\Windows\SysWOW64\Pidabppl.exe
        
        C:\Windows\system32\Pidabppl.exe
        64⤵
        
        PID:20648
        
        C:\Windows\SysWOW64\Pcmeke32.exe
        
        C:\Windows\system32\Pcmeke32.exe
        65⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Pabblb32.exe
        
        C:\Windows\system32\Pabblb32.exe
        66⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\Qadoba32.exe
        
        C:\Windows\system32\Qadoba32.exe
        67⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\Qohpkf32.exe
        
        C:\Windows\system32\Qohpkf32.exe
        68⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\Allpejfe.exe
        
        C:\Windows\system32\Allpejfe.exe
        69⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Akamff32.exe
        
        C:\Windows\system32\Akamff32.exe
        70⤵
        
        PID:13276
        
        C:\Windows\SysWOW64\Akcjkfij.exe
        
        C:\Windows\system32\Akcjkfij.exe
        71⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Ahgjejhd.exe
        
        C:\Windows\system32\Ahgjejhd.exe
        72⤵
        
        PID:14020
        
        C:\Windows\SysWOW64\Afkknogn.exe
        
        C:\Windows\system32\Afkknogn.exe
        73⤵
        
        PID:14056
        
        C:\Windows\SysWOW64\Aodogdmn.exe
        
        C:\Windows\system32\Aodogdmn.exe
        74⤵
        
        PID:14096
        
        C:\Windows\SysWOW64\Bjicdmmd.exe
        
        C:\Windows\system32\Bjicdmmd.exe
        75⤵
        
        PID:14620
        
        C:\Windows\SysWOW64\Bfpdin32.exe
        
        C:\Windows\system32\Bfpdin32.exe
        76⤵
        
        PID:14900
        
        C:\Windows\SysWOW64\Bfbaonae.exe
        
        C:\Windows\system32\Bfbaonae.exe
        77⤵
        
        PID:14968
        
        C:\Windows\SysWOW64\Bcfahbpo.exe
        
        C:\Windows\system32\Bcfahbpo.exe
        78⤵
        
        PID:15008
        
        C:\Windows\SysWOW64\Bmofagfp.exe
        
        C:\Windows\system32\Bmofagfp.exe
        79⤵
        
        PID:15048
        
        C:\Windows\SysWOW64\Bjbfklei.exe
        
        C:\Windows\system32\Bjbfklei.exe
        80⤵
        
        PID:15084
        
        C:\Windows\SysWOW64\Bckkca32.exe
        
        C:\Windows\system32\Bckkca32.exe
        81⤵
        
        PID:15120
        
        C:\Windows\SysWOW64\Cmcolgbj.exe
        
        C:\Windows\system32\Cmcolgbj.exe
        82⤵
        
        PID:15156
        
        C:\Windows\SysWOW64\Cbphdn32.exe
        
        C:\Windows\system32\Cbphdn32.exe
        83⤵
        
        PID:15192
        
        C:\Windows\SysWOW64\Cijpahho.exe
        
        C:\Windows\system32\Cijpahho.exe
        84⤵
        
        PID:15228
        
        C:\Windows\SysWOW64\Cbbdjm32.exe
        
        C:\Windows\system32\Cbbdjm32.exe
        85⤵
        
        PID:15268
        
        C:\Windows\SysWOW64\Cjjlkk32.exe
        
        C:\Windows\system32\Cjjlkk32.exe
        86⤵
        
        PID:15308
        
        C:\Windows\SysWOW64\Cimmggfl.exe
        
        C:\Windows\system32\Cimmggfl.exe
        87⤵
        
        PID:15340
        
        C:\Windows\SysWOW64\Ccbadp32.exe
        
        C:\Windows\system32\Ccbadp32.exe
        88⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Coiaiakf.exe
        
        C:\Windows\system32\Coiaiakf.exe
        89⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Coknoaic.exe
        
        C:\Windows\system32\Coknoaic.exe
        90⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Dfefkkqp.exe
        
        C:\Windows\system32\Dfefkkqp.exe
        91⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Djqblj32.exe
        
        C:\Windows\system32\Djqblj32.exe
        92⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Efccmidp.exe
        
        C:\Windows\system32\Efccmidp.exe
        93⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Eciplm32.exe
        
        C:\Windows\system32\Eciplm32.exe
        94⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Efhlhh32.exe
        
        C:\Windows\system32\Efhlhh32.exe
        95⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Eclmamod.exe
        
        C:\Windows\system32\Eclmamod.exe
        96⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Fdqfll32.exe
        
        C:\Windows\system32\Fdqfll32.exe
        97⤵
        
        PID:15392
        
        C:\Windows\SysWOW64\Fbfcmhpg.exe
        
        C:\Windows\system32\Fbfcmhpg.exe
        98⤵
        
        PID:15516
  - - C:\Users\Admin\Downloads\240919-hkt2fawapg2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
      C:\Users\Admin\Downloads\240919-hkt2fawapg2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
      4⤵
      PID:3240
    - - C:\Windows\System\RTsTGFa.exe
        
        C:\Windows\System\RTsTGFa.exe
        5⤵
        
        PID:1204
    - - C:\Windows\System\OovqWuO.exe
        
        C:\Windows\System\OovqWuO.exe
        5⤵
        
        PID:512
    - - C:\Windows\System\yPRqpmn.exe
        
        C:\Windows\System\yPRqpmn.exe
        5⤵
        
        PID:2220
    - - C:\Windows\System\JpMwZwP.exe
        
        C:\Windows\System\JpMwZwP.exe
        5⤵
        
        PID:2632
    - - C:\Windows\System\fmUgRHY.exe
        
        C:\Windows\System\fmUgRHY.exe
        5⤵
        
        PID:4408
    - - C:\Windows\System\nJLckBh.exe
        
        C:\Windows\System\nJLckBh.exe
        5⤵
        
        PID:696
    - - C:\Windows\System\yopDOeG.exe
        
        C:\Windows\System\yopDOeG.exe
        5⤵
        
        PID:412
    - - C:\Windows\System\NhYkmOX.exe
        
        C:\Windows\System\NhYkmOX.exe
        5⤵
        
        PID:3688
    - - C:\Windows\System\XNFtebT.exe
        
        C:\Windows\System\XNFtebT.exe
        5⤵
        
        PID:3948
    - - C:\Windows\System\uZOOFls.exe
        
        C:\Windows\System\uZOOFls.exe
        5⤵
        
        PID:2608
    - - C:\Windows\System\alYYrAp.exe
        
        C:\Windows\System\alYYrAp.exe
        5⤵
        
        PID:1688
    - - C:\Windows\System\NTKeWyw.exe
        
        C:\Windows\System\NTKeWyw.exe
        5⤵
        
        PID:4748
    - - C:\Windows\System\HvENzxg.exe
        
        C:\Windows\System\HvENzxg.exe
        5⤵
        
        PID:2768
    - - C:\Windows\System\jjYDOqn.exe
        
        C:\Windows\System\jjYDOqn.exe
        5⤵
        
        PID:3540
    - - C:\Windows\System\kPMbjRr.exe
        
        C:\Windows\System\kPMbjRr.exe
        5⤵
        
        PID:3260
    - - C:\Windows\System\SkJxYiy.exe
        
        C:\Windows\System\SkJxYiy.exe
        5⤵
        
        PID:5040
    - - C:\Windows\System\DDEHniM.exe
        
        C:\Windows\System\DDEHniM.exe
        5⤵
        
        PID:1368
    - - C:\Windows\System\IghyZpq.exe
        
        C:\Windows\System\IghyZpq.exe
        5⤵
        
        PID:4456
    - - C:\Windows\System\uOAsidq.exe
        
        C:\Windows\System\uOAsidq.exe
        5⤵
        
        PID:1020
    - - C:\Windows\System\XttgirJ.exe
        
        C:\Windows\System\XttgirJ.exe
        5⤵
        
        PID:4544
    - - C:\Windows\System\OZwRdWc.exe
        
        C:\Windows\System\OZwRdWc.exe
        5⤵
        
        PID:3172
  - - C:\Users\Admin\Downloads\240919-hjz63awcnpeac97d7e01d0b3b14f85bb97239ecac5_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hjz63awcnpeac97d7e01d0b3b14f85bb97239ecac5_JaffaCakes118.exe
      4⤵
      PID:3580
    - - C:\Users\Admin\AppData\Local\Temp\WYHS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WYHS.exe"
        5⤵
        
        PID:4756
    - - C:\Users\Admin\AppData\Local\Temp\Ð¡·ãpao1011_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ð¡·ãpao1011_.exe"
        5⤵
        
        PID:2844
  - - C:\Users\Admin\Downloads\240919-hkrw3swcrjfile.exe
      C:\Users\Admin\Downloads\240919-hkrw3swcrjfile.exe
      4⤵
      PID:3876
  - - C:\Users\Admin\Downloads\240919-hkf5kswanh2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
      C:\Users\Admin\Downloads\240919-hkf5kswanh2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
      4⤵
      PID:3892
  - - C:\Users\Admin\Downloads\240919-hjyy1awcnneac97c9f7533f816cbe246116fe64b07_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hjyy1awcnneac97c9f7533f816cbe246116fe64b07_JaffaCakes118.exe
      4⤵
      PID:3508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 640
        5⤵
        Program crash
        
        PID:2808
  - - C:\Users\Admin\Downloads\240919-hj38qawamg2024-09-19_1a5493b328c886fcb700dc374fe0552b_cobalt-strike_cobaltstrike_poet-rat.exe
      C:\Users\Admin\Downloads\240919-hj38qawamg2024-09-19_1a5493b328c886fcb700dc374fe0552b_cobalt-strike_cobaltstrike_poet-rat.exe
      4⤵
      PID:2192
  - - C:\Users\Admin\Downloads\240919-hj3xyswamfb21f02570a17a71023ba084650ca0b4b3c95f262b8177b56370bba159981a136N.exe
      C:\Users\Admin\Downloads\240919-hj3xyswamfb21f02570a17a71023ba084650ca0b4b3c95f262b8177b56370bba159981a136N.exe
      4⤵
      PID:324
    - - C:\Users\Admin\qxgoh.exe
        
        "C:\Users\Admin\qxgoh.exe"
        5⤵
        
        PID:8048
  - - C:\Users\Admin\Downloads\240919-hjv74swamaeac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hjv74swamaeac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
      4⤵
      PID:6120
  - - C:\Users\Admin\Downloads\240919-hjsrzswalf1471afff1b1174a97ab756b4fbed1ecd33e883d2c965736dd3b6560a9e8aee6dN.exe
      C:\Users\Admin\Downloads\240919-hjsrzswalf1471afff1b1174a97ab756b4fbed1ecd33e883d2c965736dd3b6560a9e8aee6dN.exe
      4⤵
      PID:7636
    - - C:\backup.exe
        
        \backup.exe \
        5⤵
        
        PID:16952
      - C:\PerfLogs\backup.exe
        
        C:\PerfLogs\backup.exe C:\PerfLogs\
        6⤵
        
        PID:17076
      - C:\Program Files\update.exe
        
        "C:\Program Files\update.exe" C:\Program Files\
        6⤵
        
        PID:17192
        
        C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        7⤵
        
        PID:17424
        
        C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        8⤵
        
        PID:17652
        
        C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        7⤵
        
        PID:17980
        
        C:\Program Files\Common Files\DESIGNER\data.exe
        
        "C:\Program Files\Common Files\DESIGNER\data.exe" C:\Program Files\Common Files\DESIGNER\
        8⤵
        
        PID:18308
        
        C:\Program Files\Common Files\microsoft shared\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\System Restore.exe" C:\Program Files\Common Files\microsoft shared\
        8⤵
        
        PID:18540
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        9⤵
        
        PID:18740
        
        C:\Program Files\Common Files\microsoft shared\ink\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\
        9⤵
        
        PID:18932
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        10⤵
        
        PID:19132
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        10⤵
        
        PID:19368
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\update.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        10⤵
        
        PID:19592
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        10⤵
        
        PID:20012
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        10⤵
        
        PID:20212
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        10⤵
        
        PID:20548
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        10⤵
        
        PID:20796
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\update.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        10⤵
        
        PID:21068
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        10⤵
        
        PID:21448
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        10⤵
        
        PID:5804
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        10⤵
        
        PID:1880
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        10⤵
        
        PID:5416
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        10⤵
        
        PID:5208
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        10⤵
        
        PID:1744
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        10⤵
        
        PID:11864
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        11⤵
        
        PID:11600
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        11⤵
        
        PID:11468
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        11⤵
        
        PID:11308
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        11⤵
        
        PID:10876
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        11⤵
        
        PID:10520
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        11⤵
        
        PID:10068
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        11⤵
        
        PID:9936
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        11⤵
        
        PID:9792
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        11⤵
        
        PID:9616
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        11⤵
        
        PID:9480
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        10⤵
        
        PID:9372
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        10⤵
        
        PID:8628
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        10⤵
        
        PID:8476
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        10⤵
        
        PID:6136
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        10⤵
        
        PID:12540
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        10⤵
        
        PID:12884
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        10⤵
        
        PID:13216
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        10⤵
        
        PID:6640
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        10⤵
        
        PID:6924
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        10⤵
        
        PID:7288
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        10⤵
        
        PID:13548
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        10⤵
        
        PID:13760
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        10⤵
        
        PID:5076
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        10⤵
        
        PID:14424
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        10⤵
        
        PID:14564
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        10⤵
        
        PID:14788
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        10⤵
        
        PID:15072
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        10⤵
        
        PID:7700
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        10⤵
        
        PID:7896
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        10⤵
        
        PID:15536
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        10⤵
        
        PID:15696
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        10⤵
        
        PID:15840
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        10⤵
        
        PID:14904
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        10⤵
        
        PID:21184
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        10⤵
        
        PID:5812
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        10⤵
        
        PID:452
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        9⤵
        
        PID:10484
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        10⤵
        
        PID:16180
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        10⤵
        
        PID:1172
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        10⤵
        
        PID:3272
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        10⤵
        
        PID:5060
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        10⤵
        
        PID:4332
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        10⤵
        
        PID:17064
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\
        10⤵
        
        PID:17508
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        9⤵
        
        PID:18264
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        10⤵
        
        PID:18816
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        9⤵
        
        PID:4316
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        9⤵
        
        PID:20916
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        9⤵
        
        PID:5928
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        9⤵
        
        PID:12016
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        10⤵
        
        PID:10708
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        9⤵
        
        PID:10700
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        10⤵
        
        PID:9556
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        9⤵
        
        PID:20648
        
        C:\Program Files\Common Files\microsoft shared\VGX\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\update.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        9⤵
        
        PID:22104
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        9⤵
        
        PID:23032
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        10⤵
        
        PID:23452
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        11⤵
        
        PID:23572
        
        C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        8⤵
        
        PID:14984
        
        C:\Program Files\Common Files\System\update.exe
        
        "C:\Program Files\Common Files\System\update.exe" C:\Program Files\Common Files\System\
        8⤵
        
        PID:9944
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        9⤵
        
        PID:3112
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        10⤵
        
        PID:236
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        10⤵
        
        PID:16724
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        10⤵
        
        PID:17172
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        10⤵
        
        PID:17672
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        10⤵
        
        PID:18192
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        10⤵
        
        PID:19280
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        9⤵
        
        PID:20920
        
        C:\Program Files\Common Files\System\en-US\update.exe
        
        "C:\Program Files\Common Files\System\en-US\update.exe" C:\Program Files\Common Files\System\en-US\
        9⤵
        
        PID:5640
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        9⤵
        
        PID:11748
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        9⤵
        
        PID:10872
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        9⤵
        
        PID:2540
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        9⤵
        
        PID:19552
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        9⤵
        
        PID:16368
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        10⤵
        
        PID:20736
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        10⤵
        
        PID:23140
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        10⤵
        
        PID:23620
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        10⤵
        
        PID:12524
        
        C:\Program Files\Crashpad\backup.exe
        
        "C:\Program Files\Crashpad\backup.exe" C:\Program Files\Crashpad\
        7⤵
        
        PID:15556
        
        C:\Program Files\Crashpad\attachments\backup.exe
        
        "C:\Program Files\Crashpad\attachments\backup.exe" C:\Program Files\Crashpad\attachments\
        8⤵
        
        PID:7488
        
        C:\Program Files\Crashpad\reports\backup.exe
        
        "C:\Program Files\Crashpad\reports\backup.exe" C:\Program Files\Crashpad\reports\
        8⤵
        
        PID:15992
        
        C:\Program Files\dotnet\backup.exe
        
        "C:\Program Files\dotnet\backup.exe" C:\Program Files\dotnet\
        7⤵
        
        PID:9940
        
        C:\Program Files\dotnet\host\backup.exe
        
        "C:\Program Files\dotnet\host\backup.exe" C:\Program Files\dotnet\host\
        8⤵
        
        PID:16228
        
        C:\Program Files\dotnet\host\fxr\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\backup.exe" C:\Program Files\dotnet\host\fxr\
        9⤵
        
        PID:3944
        
        C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe" C:\Program Files\dotnet\host\fxr\6.0.27\
        10⤵
        
        PID:1668
        
        C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe" C:\Program Files\dotnet\host\fxr\7.0.16\
        10⤵
        
        PID:2548
        
        C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe" C:\Program Files\dotnet\host\fxr\8.0.2\
        10⤵
        
        PID:16896
        
        C:\Program Files\dotnet\shared\backup.exe
        
        "C:\Program Files\dotnet\shared\backup.exe" C:\Program Files\dotnet\shared\
        8⤵
        
        PID:17596
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\
        9⤵
        
        PID:18128
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\
        10⤵
        
        PID:18572
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\
        10⤵
        
        PID:19936
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\
        10⤵
        
        PID:21036
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\
        9⤵
        
        PID:5880
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\
        10⤵
        
        PID:11900
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\
        11⤵
        
        PID:21056
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\update.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\update.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\
        11⤵
        
        PID:9936
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\
        11⤵
        
        PID:18916
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\
        11⤵
        
        PID:17460
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\
        11⤵
        
        PID:23200
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\
        11⤵
        
        PID:12208
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\
        10⤵
        
        PID:16608
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\
        11⤵
        
        PID:19404
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\
        11⤵
        
        PID:7444
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\
        11⤵
        
        PID:11364
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\
        11⤵
        
        PID:5500
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\
        10⤵
        
        PID:13264
        
        C:\Program Files\dotnet\swidtag\backup.exe
        
        "C:\Program Files\dotnet\swidtag\backup.exe" C:\Program Files\dotnet\swidtag\
        8⤵
        
        PID:14976
        
        C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        7⤵
        
        PID:8856
        
        C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        8⤵
        
        PID:17924
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        9⤵
        
        PID:22180
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\
        10⤵
        
        PID:20272
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\
        11⤵
        
        PID:23156
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\
        11⤵
        
        PID:21092
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\
        11⤵
        
        PID:24984
        
        C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        7⤵
        
        PID:19864
        
        C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        8⤵
        
        PID:23472
        
        C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        8⤵
        
        PID:24528
        
        C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        8⤵
        
        PID:8344
      - C:\Program Files (x86)\backup.exe
        
        "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
        6⤵
        
        PID:15216
        
        C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        7⤵
        
        PID:7656
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        8⤵
        
        PID:7824
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        9⤵
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        9⤵
        
        PID:15436
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        10⤵
        
        PID:15348
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        11⤵
        
        PID:15012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        10⤵
        
        PID:16800
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        11⤵
        
        PID:21208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        10⤵
        
        PID:212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        10⤵
        
        PID:2712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        10⤵
        
        PID:4348
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        11⤵
        
        PID:16932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        10⤵
        
        PID:17452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        11⤵
        
        PID:18236
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        10⤵
        
        PID:19324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        10⤵
        
        PID:20212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        11⤵
        
        PID:21192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        10⤵
        
        PID:5444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        11⤵
        
        PID:5208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        10⤵
        
        PID:11020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        11⤵
        
        PID:10724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        12⤵
        
        PID:9576
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        11⤵
        
        PID:14972
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        12⤵
        
        PID:21984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        13⤵
        
        PID:19264
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        11⤵
        
        PID:22896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        12⤵
        
        PID:11408
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        11⤵
        
        PID:24100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        10⤵
        
        PID:21708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        11⤵
        
        PID:19584
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        10⤵
        
        PID:23176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        10⤵
        
        PID:21064
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        9⤵
        
        PID:5508
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        10⤵
        
        PID:17064
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        11⤵
        
        PID:18488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        10⤵
        
        PID:16968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        10⤵
        
        PID:17492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        11⤵
        
        PID:5936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        12⤵
        
        PID:11388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:24340
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6136
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        9⤵
        
        PID:15964
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        10⤵
        
        PID:23412
        
        C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        7⤵
        
        PID:9780
        
        C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        8⤵
        
        PID:14928
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        9⤵
        
        PID:21748
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        9⤵
        
        PID:22776
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        10⤵
        
        PID:11164
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        9⤵
        
        PID:23636
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        10⤵
        
        PID:8512
        
        C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        8⤵
        
        PID:24208
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        9⤵
        
        PID:12296
        
        C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        7⤵
        
        PID:17616
        
        C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        8⤵
        
        PID:22760
        
        C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        8⤵
        
        PID:10548
        
        C:\Program Files (x86)\Google\Update\1.3.36.371\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.371\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.371\
        9⤵
        
        PID:18892
      - C:\Users\backup.exe
        
        C:\Users\backup.exe C:\Users\
        6⤵
        
        PID:11720
        
        C:\Users\Admin\System Restore.exe
        
        "C:\Users\Admin\System Restore.exe" C:\Users\Admin\
        7⤵
        
        PID:9440
        
        C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        8⤵
        
        PID:9032
        
        C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        8⤵
        
        PID:16896
        
        C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        8⤵
        
        PID:20204
        
        C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        8⤵
        
        PID:12052
        
        C:\Users\Admin\Documents\OneNote Notebooks\data.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\data.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        9⤵
        
        PID:9432
        
        C:\Users\Public\data.exe
        
        C:\Users\Public\data.exe C:\Users\Public\
        7⤵
        
        PID:18832
        
        C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        8⤵
        
        PID:11776
        
        C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        8⤵
        
        PID:18380
        
        C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        8⤵
        
        PID:6160
      - C:\Windows\backup.exe
        
        C:\Windows\backup.exe C:\Windows\
        6⤵
        
        PID:17572
        
        C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        7⤵
        
        PID:20792
        
        C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        7⤵
        
        PID:23116
        
        C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        8⤵
        
        PID:21344
  - - C:\Users\Admin\Downloads\240919-hjev5awakb37870da7df2f13f1d8c9457b0d2cf4c75982e83edf1de668e651aeedec45b8eeN.exe
      C:\Users\Admin\Downloads\240919-hjev5awakb37870da7df2f13f1d8c9457b0d2cf4c75982e83edf1de668e651aeedec45b8eeN.exe
      4⤵
      PID:8064
    - - C:\Windows\SysWOW64\Fpggamqc.exe
        
        C:\Windows\system32\Fpggamqc.exe
        5⤵
        
        PID:15476
      - C:\Windows\SysWOW64\Fdepgkgj.exe
        
        C:\Windows\system32\Fdepgkgj.exe
        6⤵
        
        PID:15564
        
        C:\Windows\SysWOW64\Fmndpq32.exe
        
        C:\Windows\system32\Fmndpq32.exe
        7⤵
        
        PID:15620
        
        C:\Windows\SysWOW64\Fplpll32.exe
        
        C:\Windows\system32\Fplpll32.exe
        8⤵
        
        PID:15656
        
        C:\Windows\SysWOW64\Fjadje32.exe
        
        C:\Windows\system32\Fjadje32.exe
        9⤵
        
        PID:15688
        
        C:\Windows\SysWOW64\Glcaambb.exe
        
        C:\Windows\system32\Glcaambb.exe
        10⤵
        
        PID:15744
        
        C:\Windows\SysWOW64\Gfheof32.exe
        
        C:\Windows\system32\Gfheof32.exe
        11⤵
        
        PID:15824
        
        C:\Windows\SysWOW64\Gmbmkpie.exe
        
        C:\Windows\system32\Gmbmkpie.exe
        12⤵
        
        PID:15860
        
        C:\Windows\SysWOW64\Gpqjglii.exe
        
        C:\Windows\system32\Gpqjglii.exe
        13⤵
        
        PID:15900
        
        C:\Windows\SysWOW64\Gkhkjd32.exe
        
        C:\Windows\system32\Gkhkjd32.exe
        14⤵
        
        PID:15964
        
        C:\Windows\SysWOW64\Gljgbllj.exe
        
        C:\Windows\system32\Gljgbllj.exe
        15⤵
        
        PID:16004
        
        C:\Windows\SysWOW64\Gdaociml.exe
        
        C:\Windows\system32\Gdaociml.exe
        16⤵
        
        PID:16040
        
        C:\Windows\SysWOW64\Gingkqkd.exe
        
        C:\Windows\system32\Gingkqkd.exe
        17⤵
        
        PID:16084
        
        C:\Windows\SysWOW64\Glldgljg.exe
        
        C:\Windows\system32\Glldgljg.exe
        18⤵
        
        PID:16120
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        19⤵
        
        PID:16160
        
        C:\Windows\SysWOW64\Gipdap32.exe
        
        C:\Windows\system32\Gipdap32.exe
        20⤵
        
        PID:16196
        
        C:\Windows\SysWOW64\Hloqml32.exe
        
        C:\Windows\system32\Hloqml32.exe
        21⤵
        
        PID:16244
        
        C:\Windows\SysWOW64\Hibafp32.exe
        
        C:\Windows\system32\Hibafp32.exe
        22⤵
        
        PID:16280
        
        C:\Windows\SysWOW64\Hplicjok.exe
        
        C:\Windows\system32\Hplicjok.exe
        23⤵
        
        PID:16324
        
        C:\Windows\SysWOW64\Hmpjmn32.exe
        
        C:\Windows\system32\Hmpjmn32.exe
        24⤵
        
        PID:16372
        
        C:\Windows\SysWOW64\Hdjbiheb.exe
        
        C:\Windows\system32\Hdjbiheb.exe
        25⤵
        
        PID:16416
        
        C:\Windows\SysWOW64\Hginecde.exe
        
        C:\Windows\system32\Hginecde.exe
        26⤵
        
        PID:16452
        
        C:\Windows\SysWOW64\Hkdjfb32.exe
        
        C:\Windows\system32\Hkdjfb32.exe
        27⤵
        
        PID:16484
        
        C:\Windows\SysWOW64\Hmbfbn32.exe
        
        C:\Windows\system32\Hmbfbn32.exe
        28⤵
        
        PID:16520
        
        C:\Windows\SysWOW64\Hdmoohbo.exe
        
        C:\Windows\system32\Hdmoohbo.exe
        29⤵
        
        PID:16564
        
        C:\Windows\SysWOW64\Hgkkkcbc.exe
        
        C:\Windows\system32\Hgkkkcbc.exe
        30⤵
        
        PID:16612
        
        C:\Windows\SysWOW64\Hiiggoaf.exe
        
        C:\Windows\system32\Hiiggoaf.exe
        31⤵
        
        PID:16664
        
        C:\Windows\SysWOW64\Hcblpdgg.exe
        
        C:\Windows\system32\Hcblpdgg.exe
        32⤵
        
        PID:16704
        
        C:\Windows\SysWOW64\Ingpmmgm.exe
        
        C:\Windows\system32\Ingpmmgm.exe
        33⤵
        
        PID:16744
        
        C:\Windows\SysWOW64\Ipflihfq.exe
        
        C:\Windows\system32\Ipflihfq.exe
        34⤵
        
        PID:16792
        
        C:\Windows\SysWOW64\Icdheded.exe
        
        C:\Windows\system32\Icdheded.exe
        35⤵
        
        PID:16860
        
        C:\Windows\SysWOW64\Ikkpgafg.exe
        
        C:\Windows\system32\Ikkpgafg.exe
        36⤵
        
        PID:16964
        
        C:\Windows\SysWOW64\Ijqmhnko.exe
        
        C:\Windows\system32\Ijqmhnko.exe
        37⤵
        
        PID:17016
        
        C:\Windows\SysWOW64\Iloidijb.exe
        
        C:\Windows\system32\Iloidijb.exe
        38⤵
        
        PID:17052
        
        C:\Windows\SysWOW64\Iciaqc32.exe
        
        C:\Windows\system32\Iciaqc32.exe
        39⤵
        
        PID:17136
        
        C:\Windows\SysWOW64\Ijcjmmil.exe
        
        C:\Windows\system32\Ijcjmmil.exe
        40⤵
        
        PID:17224
        
        C:\Windows\SysWOW64\Ipmbjgpi.exe
        
        C:\Windows\system32\Ipmbjgpi.exe
        41⤵
        
        PID:17276
        
        C:\Windows\SysWOW64\Iggjga32.exe
        
        C:\Windows\system32\Iggjga32.exe
        42⤵
        
        PID:17328
        
        C:\Windows\SysWOW64\Inqbclob.exe
        
        C:\Windows\system32\Inqbclob.exe
        43⤵
        
        PID:17368
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        44⤵
        
        PID:17472
        
        C:\Windows\SysWOW64\Jpaleglc.exe
        
        C:\Windows\system32\Jpaleglc.exe
        45⤵
        
        PID:17576
        
        C:\Windows\SysWOW64\Jkgpbp32.exe
        
        C:\Windows\system32\Jkgpbp32.exe
        46⤵
        
        PID:17684
        
        C:\Windows\SysWOW64\Jlhljhbg.exe
        
        C:\Windows\system32\Jlhljhbg.exe
        47⤵
        
        PID:17728
        
        C:\Windows\SysWOW64\Jjlmclqa.exe
        
        C:\Windows\system32\Jjlmclqa.exe
        48⤵
        
        PID:17820
        
        C:\Windows\SysWOW64\Jdaaaeqg.exe
        
        C:\Windows\system32\Jdaaaeqg.exe
        49⤵
        
        PID:17920
        
        C:\Windows\SysWOW64\Jjoiil32.exe
        
        C:\Windows\system32\Jjoiil32.exe
        50⤵
        
        PID:18028
        
        C:\Windows\SysWOW64\Jddnfd32.exe
        
        C:\Windows\system32\Jddnfd32.exe
        51⤵
        
        PID:18132
        
        C:\Windows\SysWOW64\Jjafok32.exe
        
        C:\Windows\system32\Jjafok32.exe
        52⤵
        
        PID:18168
        
        C:\Windows\SysWOW64\Jdfjld32.exe
        
        C:\Windows\system32\Jdfjld32.exe
        53⤵
        
        PID:18248
        
        C:\Windows\SysWOW64\Kqmkae32.exe
        
        C:\Windows\system32\Kqmkae32.exe
        54⤵
        
        PID:18364
        
        C:\Windows\SysWOW64\Kggcnoic.exe
        
        C:\Windows\system32\Kggcnoic.exe
        55⤵
        
        PID:18484
        
        C:\Windows\SysWOW64\Kqphfe32.exe
        
        C:\Windows\system32\Kqphfe32.exe
        56⤵
        
        PID:18576
        
        C:\Windows\SysWOW64\Kgipcogp.exe
        
        C:\Windows\system32\Kgipcogp.exe
        57⤵
        
        PID:18632
        
        C:\Windows\SysWOW64\Kkeldnpi.exe
        
        C:\Windows\system32\Kkeldnpi.exe
        58⤵
        
        PID:18680
        
        C:\Windows\SysWOW64\Kqbdldnq.exe
        
        C:\Windows\system32\Kqbdldnq.exe
        59⤵
        
        PID:18784
        
        C:\Windows\SysWOW64\Kjjiej32.exe
        
        C:\Windows\system32\Kjjiej32.exe
        60⤵
        
        PID:18912
        
        C:\Windows\SysWOW64\Kdpmbc32.exe
        
        C:\Windows\system32\Kdpmbc32.exe
        61⤵
        
        PID:19004
        
        C:\Windows\SysWOW64\Kgninn32.exe
        
        C:\Windows\system32\Kgninn32.exe
        62⤵
        
        PID:19068
        
        C:\Windows\SysWOW64\Kqfngd32.exe
        
        C:\Windows\system32\Kqfngd32.exe
        63⤵
        
        PID:19172
        
        C:\Windows\SysWOW64\Lmmolepp.exe
        
        C:\Windows\system32\Lmmolepp.exe
        64⤵
        
        PID:19296
        
        C:\Windows\SysWOW64\Lmpkadnm.exe
        
        C:\Windows\system32\Lmpkadnm.exe
        65⤵
        
        PID:19452
        
        C:\Windows\SysWOW64\Lnohlgep.exe
        
        C:\Windows\system32\Lnohlgep.exe
        66⤵
        
        PID:19548
        
        C:\Windows\SysWOW64\Ljfhqh32.exe
        
        C:\Windows\system32\Ljfhqh32.exe
        67⤵
        
        PID:19644
        
        C:\Windows\SysWOW64\Lgjijmin.exe
        
        C:\Windows\system32\Lgjijmin.exe
        68⤵
        
        PID:19824
        
        C:\Windows\SysWOW64\Lmgabcge.exe
        
        C:\Windows\system32\Lmgabcge.exe
        69⤵
        
        PID:19908
        
        C:\Windows\SysWOW64\Mkhapk32.exe
        
        C:\Windows\system32\Mkhapk32.exe
        70⤵
        
        PID:20004
        
        C:\Windows\SysWOW64\Mepfiq32.exe
        
        C:\Windows\system32\Mepfiq32.exe
        71⤵
        
        PID:20096
        
        C:\Windows\SysWOW64\Mjmoag32.exe
        
        C:\Windows\system32\Mjmoag32.exe
        72⤵
        
        PID:20152
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        73⤵
        
        PID:20252
        
        C:\Windows\SysWOW64\Meepdp32.exe
        
        C:\Windows\system32\Meepdp32.exe
        74⤵
        
        PID:20368
        
        C:\Windows\SysWOW64\Malpia32.exe
        
        C:\Windows\system32\Malpia32.exe
        75⤵
        
        PID:20472
        
        C:\Windows\SysWOW64\Mnpabe32.exe
        
        C:\Windows\system32\Mnpabe32.exe
        76⤵
        
        PID:20528
        
        C:\Windows\SysWOW64\Njfagf32.exe
        
        C:\Windows\system32\Njfagf32.exe
        77⤵
        
        PID:20624
        
        C:\Windows\SysWOW64\Nelfeo32.exe
        
        C:\Windows\system32\Nelfeo32.exe
        78⤵
        
        PID:20688
        
        C:\Windows\SysWOW64\Ngjbaj32.exe
        
        C:\Windows\system32\Ngjbaj32.exe
        79⤵
        
        PID:20728
        
        C:\Windows\SysWOW64\Neqopnhb.exe
        
        C:\Windows\system32\Neqopnhb.exe
        80⤵
        
        PID:21016
        
        C:\Windows\SysWOW64\Nhahaiec.exe
        
        C:\Windows\system32\Nhahaiec.exe
        81⤵
        
        PID:21148
        
        C:\Windows\SysWOW64\Oeehkn32.exe
        
        C:\Windows\system32\Oeehkn32.exe
        82⤵
        
        PID:21288
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        83⤵
        
        PID:21484
        
        C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        84⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        85⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Oaqbkn32.exe
        
        C:\Windows\system32\Oaqbkn32.exe
        86⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        87⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Peahgl32.exe
        
        C:\Windows\system32\Peahgl32.exe
        88⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Poimpapp.exe
        
        C:\Windows\system32\Poimpapp.exe
        89⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Pdfehh32.exe
        
        C:\Windows\system32\Pdfehh32.exe
        90⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        91⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Phdnngdn.exe
        
        C:\Windows\system32\Phdnngdn.exe
        92⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Ponfka32.exe
        
        C:\Windows\system32\Ponfka32.exe
        93⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Phfjcf32.exe
        
        C:\Windows\system32\Phfjcf32.exe
        94⤵
        
        PID:12248
        
        C:\Windows\SysWOW64\Paoollik.exe
        
        C:\Windows\system32\Paoollik.exe
        95⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\Qdphngfl.exe
        
        C:\Windows\system32\Qdphngfl.exe
        96⤵
        
        PID:11744
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        97⤵
        
        PID:11492
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        98⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        99⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        100⤵
        
        PID:11216
        
        C:\Windows\SysWOW64\Alnfpcag.exe
        
        C:\Windows\system32\Alnfpcag.exe
        101⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\Aolblopj.exe
        
        C:\Windows\system32\Aolblopj.exe
        102⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        103⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        104⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\Albpkc32.exe
        
        C:\Windows\system32\Albpkc32.exe
        105⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        106⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        107⤵
        
        PID:10564
        
        C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        108⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        109⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\Baadiiif.exe
        
        C:\Windows\system32\Baadiiif.exe
        110⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\Bdpaeehj.exe
        
        C:\Windows\system32\Bdpaeehj.exe
        111⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        112⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\Boeebnhp.exe
        
        C:\Windows\system32\Boeebnhp.exe
        113⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\Badanigc.exe
        
        C:\Windows\system32\Badanigc.exe
        114⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        115⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        116⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\Blielbfi.exe
        
        C:\Windows\system32\Blielbfi.exe
        117⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        118⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\Bafndi32.exe
        
        C:\Windows\system32\Bafndi32.exe
        119⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        120⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\Bhpfqcln.exe
        
        C:\Windows\system32\Bhpfqcln.exe
        121⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        122⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        123⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        124⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Cnahdi32.exe
        
        C:\Windows\system32\Cnahdi32.exe
        125⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        126⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        127⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        128⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        129⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        130⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        131⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        132⤵
        
        PID:12372
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        133⤵
        
        PID:12504
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        134⤵
        
        PID:12620
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        135⤵
        
        PID:12680
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        136⤵
        
        PID:12792
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        137⤵
        
        PID:12892
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        138⤵
        
        PID:12960
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        139⤵
        
        PID:13084
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        140⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        141⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        142⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        143⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        144⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        145⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        146⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        147⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        148⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        149⤵
        
        PID:13364
  - - C:\Users\Admin\Downloads\240919-hjb48swclq2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
      C:\Users\Admin\Downloads\240919-hjb48swclq2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
      4⤵
      PID:16236
  - - C:\Users\Admin\Downloads\240919-hh4g4awaja1b779f0f654c7eb6205a1c9ee6d26c131ca8afb26ae97c6e04c85d56b8499e4f.exe
      C:\Users\Admin\Downloads\240919-hh4g4awaja1b779f0f654c7eb6205a1c9ee6d26c131ca8afb26ae97c6e04c85d56b8499e4f.exe
      4⤵
      PID:17120
  - - C:\Users\Admin\Downloads\240919-hh2y9svhrgeac8e88f9559cb19546a0a744357d2e4_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hh2y9svhrgeac8e88f9559cb19546a0a744357d2e4_JaffaCakes118.exe
      4⤵
      PID:17144
  - - C:\Users\Admin\Downloads\240919-hjc2jawajg7cc4e9e08b229b8769443bcd29e8473a852f674e57f8755c10e7a8d0a825b356N.exe
      C:\Users\Admin\Downloads\240919-hjc2jawajg7cc4e9e08b229b8769443bcd29e8473a852f674e57f8755c10e7a8d0a825b356N.exe
      4⤵
      PID:17396
  - - C:\Users\Admin\Downloads\240919-hh2cqswckne69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
      C:\Users\Admin\Downloads\240919-hh2cqswckne69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
      4⤵
      PID:17480
    - - C:\Windows\SysWOW64\Jncoikmp.exe
        
        C:\Windows\system32\Jncoikmp.exe
        5⤵
        
        PID:17536
      - C:\Windows\SysWOW64\Jdmgfedl.exe
        
        C:\Windows\system32\Jdmgfedl.exe
        6⤵
        
        PID:17620
        
        C:\Windows\SysWOW64\Jdodkebj.exe
        
        C:\Windows\system32\Jdodkebj.exe
        7⤵
        
        PID:17764
        
        C:\Windows\SysWOW64\Jnhidk32.exe
        
        C:\Windows\system32\Jnhidk32.exe
        8⤵
        
        PID:17860
        
        C:\Windows\SysWOW64\Jcdala32.exe
        
        C:\Windows\system32\Jcdala32.exe
        9⤵
        
        PID:17964
        
        C:\Windows\SysWOW64\Jlmfeg32.exe
        
        C:\Windows\system32\Jlmfeg32.exe
        10⤵
        
        PID:18068
        
        C:\Windows\SysWOW64\Jlobkg32.exe
        
        C:\Windows\system32\Jlobkg32.exe
        11⤵
        
        PID:18200
        
        C:\Windows\SysWOW64\Jcikgacl.exe
        
        C:\Windows\system32\Jcikgacl.exe
        12⤵
        
        PID:18276
        
        C:\Windows\SysWOW64\Kclgmq32.exe
        
        C:\Windows\system32\Kclgmq32.exe
        13⤵
        
        PID:18448
        
        C:\Windows\SysWOW64\Kjepjkhf.exe
        
        C:\Windows\system32\Kjepjkhf.exe
        14⤵
        
        PID:18516
        
        C:\Windows\SysWOW64\Kgipcogp.exe
        
        C:\Windows\system32\Kgipcogp.exe
        15⤵
        
        PID:18644
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        16⤵
        
        PID:18712
        
        C:\Windows\SysWOW64\Kcpahpmd.exe
        
        C:\Windows\system32\Kcpahpmd.exe
        17⤵
        
        PID:18824
        
        C:\Windows\SysWOW64\Kglmio32.exe
        
        C:\Windows\system32\Kglmio32.exe
        18⤵
        
        PID:18868
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        19⤵
        
        PID:19032
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        20⤵
        
        PID:19104
        
        C:\Windows\SysWOW64\Kdbjhbbd.exe
        
        C:\Windows\system32\Kdbjhbbd.exe
        21⤵
        
        PID:19204
        
        C:\Windows\SysWOW64\Lnjnqh32.exe
        
        C:\Windows\system32\Lnjnqh32.exe
        22⤵
        
        PID:19256
        
        C:\Windows\SysWOW64\Lddgmbpb.exe
        
        C:\Windows\system32\Lddgmbpb.exe
        23⤵
        
        PID:19340
        
        C:\Windows\SysWOW64\Ljaoeini.exe
        
        C:\Windows\system32\Ljaoeini.exe
        24⤵
        
        PID:19408
        
        C:\Windows\SysWOW64\Ljclki32.exe
        
        C:\Windows\system32\Ljclki32.exe
        25⤵
        
        PID:19540
        
        C:\Windows\SysWOW64\Ljfhqh32.exe
        
        C:\Windows\system32\Ljfhqh32.exe
        26⤵
        
        PID:19628
        
        C:\Windows\SysWOW64\Lekmnajj.exe
        
        C:\Windows\system32\Lekmnajj.exe
        27⤵
        
        PID:19792
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        28⤵
        
        PID:19876
        
        C:\Windows\SysWOW64\Mcqjon32.exe
        
        C:\Windows\system32\Mcqjon32.exe
        29⤵
        
        PID:19956
        
        C:\Windows\SysWOW64\Mminhceb.exe
        
        C:\Windows\system32\Mminhceb.exe
        30⤵
        
        PID:20060
        
        C:\Windows\SysWOW64\Mjmoag32.exe
        
        C:\Windows\system32\Mjmoag32.exe
        31⤵
        
        PID:20140
        
        C:\Windows\SysWOW64\Mmkkmc32.exe
        
        C:\Windows\system32\Mmkkmc32.exe
        32⤵
        
        PID:20188
        
        C:\Windows\SysWOW64\Mjokgg32.exe
        
        C:\Windows\system32\Mjokgg32.exe
        33⤵
        
        PID:20296
        
        C:\Windows\SysWOW64\Maiccajf.exe
        
        C:\Windows\system32\Maiccajf.exe
        34⤵
        
        PID:20332
        
        C:\Windows\SysWOW64\Mnmdme32.exe
        
        C:\Windows\system32\Mnmdme32.exe
        35⤵
        
        PID:20412
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        36⤵
        
        PID:20596
        
        C:\Windows\SysWOW64\Njinmf32.exe
        
        C:\Windows\system32\Njinmf32.exe
        37⤵
        
        PID:20768
        
        C:\Windows\SysWOW64\Nlkgmh32.exe
        
        C:\Windows\system32\Nlkgmh32.exe
        38⤵
        
        PID:20988
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        39⤵
        
        PID:21104
        
        C:\Windows\SysWOW64\Njpdnedf.exe
        
        C:\Windows\system32\Njpdnedf.exe
        40⤵
        
        PID:21212
        
        C:\Windows\SysWOW64\Oloahhki.exe
        
        C:\Windows\system32\Oloahhki.exe
        41⤵
        
        PID:21364
        
        C:\Windows\SysWOW64\Omqmop32.exe
        
        C:\Windows\system32\Omqmop32.exe
        42⤵
        
        PID:21412
        
        C:\Windows\SysWOW64\Oanfen32.exe
        
        C:\Windows\system32\Oanfen32.exe
        43⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        44⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Oobfob32.exe
        
        C:\Windows\system32\Oobfob32.exe
        45⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Oelolmnd.exe
        
        C:\Windows\system32\Oelolmnd.exe
        46⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Omgcpokp.exe
        
        C:\Windows\system32\Omgcpokp.exe
        47⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        48⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        49⤵
        
        PID:456
        
        C:\Windows\SysWOW64\Pmlmkn32.exe
        
        C:\Windows\system32\Pmlmkn32.exe
        50⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Phaahggp.exe
        
        C:\Windows\system32\Phaahggp.exe
        51⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        52⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        53⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        54⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Pehngkcg.exe
        
        C:\Windows\system32\Pehngkcg.exe
        55⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        56⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\Pldcjeia.exe
        
        C:\Windows\system32\Pldcjeia.exe
        57⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\Qmepam32.exe
        
        C:\Windows\system32\Qmepam32.exe
        58⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        59⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\Qhmqdemc.exe
        
        C:\Windows\system32\Qhmqdemc.exe
        60⤵
        
        PID:11512
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        61⤵
        
        PID:11404
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        62⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        63⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        64⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        65⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        66⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        67⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        68⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        69⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        70⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        71⤵
        
        PID:10344
  - - C:\Users\Admin\Downloads\240919-hhlx2svhqdeac88f439a17a1635e4aec685607c00c_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hhlx2svhqdeac88f439a17a1635e4aec685607c00c_JaffaCakes118.exe
      4⤵
      PID:17776
  - - C:\Users\Admin\Downloads\240919-hh9zwawajdeac90624b777b28d1049dbb907d15a5f_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hh9zwawajdeac90624b777b28d1049dbb907d15a5f_JaffaCakes118.exe
      4⤵
      PID:18960
  - - C:\Users\Admin\Downloads\240919-hhkd8awbrr2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
      C:\Users\Admin\Downloads\240919-hhkd8awbrr2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
      4⤵
      PID:19492
  - - C:\Users\Admin\Downloads\240919-hhfq2avhpca497c81c5708c4fd10e69f917b6ffedaff62aedc27bd6c3bdbf2f1348c360e08N.exe
      C:\Users\Admin\Downloads\240919-hhfq2avhpca497c81c5708c4fd10e69f917b6ffedaff62aedc27bd6c3bdbf2f1348c360e08N.exe
      4⤵
      PID:20776
    - - C:\Windows\SysWOW64\Nhmofj32.exe
        
        C:\Windows\system32\Nhmofj32.exe
        5⤵
        
        PID:20856
  - - C:\Users\Admin\Downloads\240919-hg67lawbqp698dc569edf5a79919ba4eb232f6d73022582ca7cbb4df42fcabbc39510bbedfN.exe
      C:\Users\Admin\Downloads\240919-hg67lawbqp698dc569edf5a79919ba4eb232f6d73022582ca7cbb4df42fcabbc39510bbedfN.exe
      4⤵
      PID:20828
    - - C:\Windows\SysWOW64\Nmigoagp.exe
        
        C:\Windows\system32\Nmigoagp.exe
        5⤵
        
        PID:20924
      - C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        6⤵
        
        PID:21052
        
        C:\Windows\SysWOW64\Najmjokc.exe
        
        C:\Windows\system32\Najmjokc.exe
        7⤵
        
        PID:21264
        
        C:\Windows\SysWOW64\Ojbacd32.exe
        
        C:\Windows\system32\Ojbacd32.exe
        8⤵
        
        PID:21376
        
        C:\Windows\SysWOW64\Omcjep32.exe
        
        C:\Windows\system32\Omcjep32.exe
        9⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        10⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Omegjomb.exe
        
        C:\Windows\system32\Omegjomb.exe
        11⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Ohkkhhmh.exe
        
        C:\Windows\system32\Ohkkhhmh.exe
        12⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        13⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Peahgl32.exe
        
        C:\Windows\system32\Peahgl32.exe
        14⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\Poimpapp.exe
        
        C:\Windows\system32\Poimpapp.exe
        15⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 220
        16⤵
        Program crash
        
        PID:5180
  - - C:\Users\Admin\Downloads\240919-hgb2fswbnl2024-09-19_099368f9fe6fd97b9a8a8cdad39a8a96_cobalt-strike_cobaltstrike_poet-rat.exe
      C:\Users\Admin\Downloads\240919-hgb2fswbnl2024-09-19_099368f9fe6fd97b9a8a8cdad39a8a96_cobalt-strike_cobaltstrike_poet-rat.exe
      4⤵
      PID:11324
  - - C:\Users\Admin\Downloads\240919-hf9w4awbnjeac78ab49419bf5186dd303311376041_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hf9w4awbnjeac78ab49419bf5186dd303311376041_JaffaCakes118.exe
      4⤵
      PID:11276
  - - C:\Users\Admin\Downloads\240919-hgatdsvhkheac79cdb7f97cd5e8dd28a23a31dc4e1_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hgatdsvhkheac79cdb7f97cd5e8dd28a23a31dc4e1_JaffaCakes118.exe
      4⤵
      PID:11256
    - - C:\Windows\SysWOW64\bnpmvxjpgy.exe
        
        bnpmvxjpgy.exe
        5⤵
        
        PID:8300
      - C:\Windows\SysWOW64\qsnhlpiu.exe
        
        C:\Windows\system32\qsnhlpiu.exe
        6⤵
        
        PID:12112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8300 -s 1164
        6⤵
        Program crash
        
        PID:8928
    - - C:\Windows\SysWOW64\koojhdvhejkhgel.exe
        
        koojhdvhejkhgel.exe
        5⤵
        
        PID:8260
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8260 -s 696
        6⤵
        Program crash
        
        PID:15412
    - - C:\Windows\SysWOW64\qsnhlpiu.exe
        
        qsnhlpiu.exe
        5⤵
        
        PID:8208
    - - C:\Windows\SysWOW64\dzbmsniaispav.exe
        
        dzbmsniaispav.exe
        5⤵
        
        PID:8196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8196 -s 740
        6⤵
        Program crash
        
        PID:8888
    - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        5⤵
        
        PID:12928
  - - C:\Users\Admin\Downloads\240919-hhya3swcjr2024-09-19_0e2de2117b9c55de3956f645b559e7c7_cobalt-strike_cobaltstrike_poet-rat.exe
      C:\Users\Admin\Downloads\240919-hhya3swcjr2024-09-19_0e2de2117b9c55de3956f645b559e7c7_cobalt-strike_cobaltstrike_poet-rat.exe
      4⤵
      PID:11180
  - - C:\Users\Admin\Downloads\240919-hgtaqswbpq2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
      C:\Users\Admin\Downloads\240919-hgtaqswbpq2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
      4⤵
      PID:11140
  - - C:\Users\Admin\Downloads\240919-hfpadswblkeac71a57b0528af9106fe5dc5a76eaa0_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hfpadswblkeac71a57b0528af9106fe5dc5a76eaa0_JaffaCakes118.exe
      4⤵
      PID:9412
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\240919-hfpadswblkeac71a57b0528af9106fe5dc5a76eaa0_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\240919-hfpadswblkeac71a57b0528af9106fe5dc5a76eaa0_JaffaCakes118.exe"
        5⤵
        
        PID:8388
  - - C:\Users\Admin\Downloads\240919-hjqydswcmn2024-09-19_12d68164717ebe302aacbdc4f0755235_cobalt-strike_cobaltstrike_poet-rat.exe
      C:\Users\Admin\Downloads\240919-hjqydswcmn2024-09-19_12d68164717ebe302aacbdc4f0755235_cobalt-strike_cobaltstrike_poet-rat.exe
      4⤵
      PID:9392
  - - C:\Users\Admin\Downloads\240919-hfcxcswbkkeac6e9a711060f399396dfbc0d82c98a_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hfcxcswbkkeac6e9a711060f399396dfbc0d82c98a_JaffaCakes118.exe
      4⤵
      PID:8376
    - - C:\Users\Admin\AppData\Local\Temp\tmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp.exe
        5⤵
        
        PID:12388
  - - C:\Users\Admin\Downloads\240919-hfx8asvhjed19b49c55816b6ffc9fc0739348ee233a3de0d98611a18f3ed79398c095b668cN.exe
      C:\Users\Admin\Downloads\240919-hfx8asvhjed19b49c55816b6ffc9fc0739348ee233a3de0d98611a18f3ed79398c095b668cN.exe
      4⤵
      PID:8132
    - - C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        5⤵
        
        PID:12468
      - C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        6⤵
        
        PID:12580
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        7⤵
        
        PID:12728
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        8⤵
        
        PID:12832
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        9⤵
        
        PID:12996
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        10⤵
        
        PID:13104
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        11⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        12⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        13⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        14⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        15⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        16⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        17⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        18⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        19⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        20⤵
        
        PID:13316
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        21⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        22⤵
        
        PID:13452
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        23⤵
        
        PID:13524
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        24⤵
        
        PID:13588
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        25⤵
        
        PID:13792
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        26⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        27⤵
        
        PID:13936
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        28⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        29⤵
        
        PID:14320
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        30⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        31⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        32⤵
        
        PID:14520
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        33⤵
        
        PID:14604
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        34⤵
        
        PID:14744
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        35⤵
        
        PID:14860
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        36⤵
        
        PID:14952
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        37⤵
        
        PID:15260
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        38⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        39⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        40⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        41⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        42⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        43⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        44⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        45⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        46⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        47⤵
        
        PID:15604
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        48⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        49⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        50⤵
        
        PID:15812
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        51⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        52⤵
        
        PID:15924
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        53⤵
        
        PID:15928
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        54⤵
        
        PID:15100
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        55⤵
        
        PID:14592
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        56⤵
        
        PID:13996
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        57⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        58⤵
        
        PID:19460
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        59⤵
        
        PID:21180
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        60⤵
        
        PID:13076
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        61⤵
        
        PID:16336
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        62⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        63⤵
        
        PID:16408
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        64⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        65⤵
        
        PID:16476
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        66⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        67⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        68⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        69⤵
        
        PID:16824
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        70⤵
        
        PID:17028
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        71⤵
        
        PID:17208
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        72⤵
        
        PID:17364
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        73⤵
        
        PID:17564
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        74⤵
        
        PID:17836
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        75⤵
        
        PID:18108
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        76⤵
        
        PID:18320
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        77⤵
        
        PID:18520
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        78⤵
        
        PID:18748
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        79⤵
        
        PID:19052
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        80⤵
        
        PID:19200
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        81⤵
        
        PID:17164
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        82⤵
        
        PID:19776
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        83⤵
        
        PID:20184
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        84⤵
        
        PID:20436
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        85⤵
        
        PID:20700
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        86⤵
        
        PID:21360
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        87⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        88⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        89⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        90⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        91⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        92⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        93⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        94⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        95⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        96⤵
        
        PID:21216
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        97⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        98⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        99⤵
        
        PID:15760
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        100⤵
        
        PID:19452
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        101⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        102⤵
        
        PID:22300
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        103⤵
        
        PID:17844
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        104⤵
        
        PID:18088
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        105⤵
        
        PID:18840
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        106⤵
        
        PID:22684
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        107⤵
        
        PID:20300
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        108⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        109⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        110⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        111⤵
        
        PID:23372
        
        C:\Windows\SysWOW64\Dmbiackg.exe
        
        C:\Windows\system32\Dmbiackg.exe
        112⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\Epeohn32.exe
        
        C:\Windows\system32\Epeohn32.exe
        113⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Fpckjlje.exe
        
        C:\Windows\system32\Fpckjlje.exe
        114⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Gqmnpk32.exe
        
        C:\Windows\system32\Gqmnpk32.exe
        115⤵
        
        PID:23800
        
        C:\Windows\SysWOW64\Gqokekph.exe
        
        C:\Windows\system32\Gqokekph.exe
        116⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Hqfqfj32.exe
        
        C:\Windows\system32\Hqfqfj32.exe
        117⤵
        
        PID:23876
        
        C:\Windows\SysWOW64\Icciccmd.exe
        
        C:\Windows\system32\Icciccmd.exe
        118⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Jfhlpnfp.exe
        
        C:\Windows\system32\Jfhlpnfp.exe
        119⤵
        
        PID:19044
        
        C:\Windows\SysWOW64\Kmncif32.exe
        
        C:\Windows\system32\Kmncif32.exe
        120⤵
        
        PID:22672
        
        C:\Windows\SysWOW64\Khhaanop.exe
        
        C:\Windows\system32\Khhaanop.exe
        121⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Leqkeajd.exe
        
        C:\Windows\system32\Leqkeajd.exe
        122⤵
        
        PID:24584
  - - C:\Users\Admin\Downloads\240919-hfwz8swblqDispam.exe
      C:\Users\Admin\Downloads\240919-hfwz8swblqDispam.exe
      4⤵
      PID:12940
    - - C:\Users\Admin\Downloads\240919-hfwz8swblqDispam.exe
        
        C:\Users\Admin\Downloads\240919-hfwz8swblqDispam.exe
        5⤵
        
        PID:6696
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:15648
      - C:\Users\Admin\Downloads\240919-hl24fawbke51046434636ee20141e62e18698b72081872c53a39c2173df905bba4513b8f2fN.exe
        
        C:\Users\Admin\Downloads\240919-hl24fawbke51046434636ee20141e62e18698b72081872c53a39c2173df905bba4513b8f2fN.exe
        6⤵
        
        PID:18036
      - C:\Users\Admin\Downloads\240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
        6⤵
        
        PID:18472
      - C:\Users\Admin\Downloads\240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
        
        C:\Users\Admin\Downloads\240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
        6⤵
        
        PID:18504
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        7⤵
        
        PID:19156
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        8⤵
        
        PID:19768
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        9⤵
        
        PID:19992
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        10⤵
        
        PID:20544
      - C:\Users\Admin\Downloads\240919-hk1h8awdjjbc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
        
        C:\Users\Admin\Downloads\240919-hk1h8awdjjbc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
        6⤵
        
        PID:19244
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        7⤵
        
        PID:19416
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        8⤵
        
        PID:19624
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        9⤵
        
        PID:20080
      - C:\Users\Admin\Downloads\240919-hkrw3swcrjfile.exe
        
        C:\Users\Admin\Downloads\240919-hkrw3swcrjfile.exe
        6⤵
        
        PID:19904
      - C:\Users\Admin\Downloads\240919-hjz63awcnpeac97d7e01d0b3b14f85bb97239ecac5_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hjz63awcnpeac97d7e01d0b3b14f85bb97239ecac5_JaffaCakes118.exe
        6⤵
        
        PID:20796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WYHS.exe"
        7⤵
        
        PID:10416
        
        C:\Users\Admin\AppData\Local\Temp\WYHS.exe
        
        C:\Users\Admin\AppData\Local\Temp\WYHS.exe
        8⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\XR.bat
        9⤵
        Opens file in notepad (likely ransom note)
        
        PID:3556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\PAO101~1.EXE"
        7⤵
        
        PID:9468
        
        C:\Users\Admin\AppData\Local\Temp\PAO101~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\PAO101~1.EXE
        8⤵
        
        PID:9268
      - C:\Users\Admin\Downloads\240919-hjyy1awcnneac97c9f7533f816cbe246116fe64b07_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hjyy1awcnneac97c9f7533f816cbe246116fe64b07_JaffaCakes118.exe
        6⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 612
        7⤵
        Program crash
        
        PID:11776
      - C:\Users\Admin\Downloads\240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
        
        C:\Users\Admin\Downloads\240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
        6⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        7⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        8⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        9⤵
        
        PID:12092
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        10⤵
        
        PID:11660
      - C:\Users\Admin\Downloads\240919-hjsrzswalf1471afff1b1174a97ab756b4fbed1ecd33e883d2c965736dd3b6560a9e8aee6dN.exe
        
        C:\Users\Admin\Downloads\240919-hjsrzswalf1471afff1b1174a97ab756b4fbed1ecd33e883d2c965736dd3b6560a9e8aee6dN.exe
        6⤵
        
        PID:6032
      - C:\Users\Admin\Downloads\240919-hjev5awakb37870da7df2f13f1d8c9457b0d2cf4c75982e83edf1de668e651aeedec45b8eeN.exe
        
        C:\Users\Admin\Downloads\240919-hjev5awakb37870da7df2f13f1d8c9457b0d2cf4c75982e83edf1de668e651aeedec45b8eeN.exe
        6⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        7⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        8⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        9⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        10⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        11⤵
        
        PID:21004
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        12⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        13⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        14⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        15⤵
        
        PID:20336
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        16⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        17⤵
        
        PID:15712
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        18⤵
        
        PID:19008
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        19⤵
        
        PID:14644
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        20⤵
        
        PID:21568
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        21⤵
        
        PID:22348
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        22⤵
        
        PID:17676
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        23⤵
        
        PID:19508
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        24⤵
        
        PID:20512
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        25⤵
        
        PID:23028
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        26⤵
        
        PID:21196
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        27⤵
        
        PID:21408
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        28⤵
        
        PID:22556
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        29⤵
        
        PID:22844
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        30⤵
        
        PID:23056
      - C:\Users\Admin\Downloads\240919-hh2cqswckne69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
        
        C:\Users\Admin\Downloads\240919-hh2cqswckne69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
        6⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        7⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        8⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        9⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        10⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        11⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        12⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        13⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        14⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        15⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        16⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        17⤵
        
        PID:16948
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        18⤵
        
        PID:21848
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        19⤵
        
        PID:22316
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        20⤵
        
        PID:15704
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        21⤵
        
        PID:18612
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        22⤵
        
        PID:20128
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        23⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        24⤵
        
        PID:11568
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        25⤵
        
        PID:21192
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        26⤵
        
        PID:22876
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        27⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        28⤵
        
        PID:23288
        
        C:\Windows\SysWOW64\Fncbha32.exe
        
        C:\Windows\system32\Fncbha32.exe
        29⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\Fgncff32.exe
        
        C:\Windows\system32\Fgncff32.exe
        30⤵
        
        PID:11692
        
        C:\Windows\SysWOW64\Gcimfg32.exe
        
        C:\Windows\system32\Gcimfg32.exe
        31⤵
        
        PID:23864
        
        C:\Windows\SysWOW64\Gdmcki32.exe
        
        C:\Windows\system32\Gdmcki32.exe
        32⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Hjcojo32.exe
        
        C:\Windows\system32\Hjcojo32.exe
        33⤵
        
        PID:24148
        
        C:\Windows\SysWOW64\Jgekdq32.exe
        
        C:\Windows\system32\Jgekdq32.exe
        34⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Kmncif32.exe
        
        C:\Windows\system32\Kmncif32.exe
        35⤵
        
        PID:17592
        
        C:\Windows\SysWOW64\Kdmeqo32.exe
        
        C:\Windows\system32\Kdmeqo32.exe
        36⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Lmjcdd32.exe
        
        C:\Windows\system32\Lmjcdd32.exe
        37⤵
        
        PID:6780
      - C:\Users\Admin\Downloads\240919-hg67lawbqp698dc569edf5a79919ba4eb232f6d73022582ca7cbb4df42fcabbc39510bbedfN.exe
        
        C:\Users\Admin\Downloads\240919-hg67lawbqp698dc569edf5a79919ba4eb232f6d73022582ca7cbb4df42fcabbc39510bbedfN.exe
        6⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        7⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        8⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        9⤵
        
        PID:18528
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        10⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\Hebcao32.exe
        
        C:\Windows\system32\Hebcao32.exe
        11⤵
        
        PID:19520
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        12⤵
        
        PID:6112
      - C:\Users\Admin\Downloads\240919-hhfq2avhpca497c81c5708c4fd10e69f917b6ffedaff62aedc27bd6c3bdbf2f1348c360e08N.exe
        
        C:\Users\Admin\Downloads\240919-hhfq2avhpca497c81c5708c4fd10e69f917b6ffedaff62aedc27bd6c3bdbf2f1348c360e08N.exe
        6⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        7⤵
        
        PID:20112
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        8⤵
        
        PID:15780
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        9⤵
        
        PID:15992
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        10⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        11⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        12⤵
        
        PID:17212
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        13⤵
        
        PID:21648
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        14⤵
        
        PID:21948
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        15⤵
        
        PID:22144
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        16⤵
        
        PID:15668
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        17⤵
        
        PID:18564
      - C:\Users\Admin\Downloads\240919-hl48sswbkgPanelExecutorV11.exe
        
        C:\Users\Admin\Downloads\240919-hl48sswbkgPanelExecutorV11.exe
        6⤵
        
        PID:19064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAcQB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAZQBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVwBvAHIAawBpAG4AZwAgAGoAdQBzAHQAIABjAGwAaQBjAGsAIABvAGsAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGUAcQBoACMAPgA="
        7⤵
        
        PID:18036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand PAAjAGwAcQB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAZQBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVwBvAHIAawBpAG4AZwAgAGoAdQBzAHQAIABjAGwAaQBjAGsAIABvAGsAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGUAcQBoACMAPgA=
        8⤵
        
        PID:18880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAawBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAYgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAagB2ACMAPgA="
        7⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand PAAjAGQAawBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAYgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAagB2ACMAPgA=
        8⤵
        
        PID:19244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RANSOM~1.EXE"
        7⤵
        
        PID:22984
        
        C:\Users\Admin\AppData\Local\Temp\RANSOM~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RANSOM~1.EXE
        8⤵
        
        PID:4300
      - C:\Users\Admin\Downloads\240919-hf9w4awbnjeac78ab49419bf5186dd303311376041_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hf9w4awbnjeac78ab49419bf5186dd303311376041_JaffaCakes118.exe
        6⤵
        
        PID:15116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15116 -s 220
        7⤵
        Program crash
        
        PID:1568
      - C:\Users\Admin\Downloads\240919-hgatdsvhkheac79cdb7f97cd5e8dd28a23a31dc4e1_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hgatdsvhkheac79cdb7f97cd5e8dd28a23a31dc4e1_JaffaCakes118.exe
        6⤵
        
        PID:17576
      - C:\Users\Admin\Downloads\240919-he1a9swbjk506c76b3c72de227d885ad1afdcd15e83748d5c1a40da70829b6498272ccc7b9N.exe
        
        C:\Users\Admin\Downloads\240919-he1a9swbjk506c76b3c72de227d885ad1afdcd15e83748d5c1a40da70829b6498272ccc7b9N.exe
        6⤵
        
        PID:16180
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ZDqsS.bat
        7⤵
        Opens file in notepad (likely ransom note)
        
        PID:24476
      - C:\Users\Admin\Downloads\240919-hfcxcswbkkeac6e9a711060f399396dfbc0d82c98a_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hfcxcswbkkeac6e9a711060f399396dfbc0d82c98a_JaffaCakes118.exe
        6⤵
        
        PID:3208
      - C:\Users\Admin\Downloads\240919-helswavgpf5755e91ffe445606f1dd55d4ae96c0d698d777b37cdd33c6677c7153a487b8b0N.exe
        
        C:\Users\Admin\Downloads\240919-helswavgpf5755e91ffe445606f1dd55d4ae96c0d698d777b37cdd33c6677c7153a487b8b0N.exe
        6⤵
        
        PID:17684
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        7⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        8⤵
        
        PID:21536
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        9⤵
        
        PID:22060
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        10⤵
        
        PID:18084
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        11⤵
        
        PID:19092
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        12⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        13⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        14⤵
        
        PID:22944
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        15⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Epaemojk.exe
        
        C:\Windows\system32\Epaemojk.exe
        16⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Ecdkdj32.exe
        
        C:\Windows\system32\Ecdkdj32.exe
        17⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\Eegqldqg.exe
        
        C:\Windows\system32\Eegqldqg.exe
        18⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\Fdmjdkda.exe
        
        C:\Windows\system32\Fdmjdkda.exe
        19⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\Iepihf32.exe
        
        C:\Windows\system32\Iepihf32.exe
        20⤵
        
        PID:19972
        
        C:\Windows\SysWOW64\Jnocakfb.exe
        
        C:\Windows\system32\Jnocakfb.exe
        21⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\Keekjc32.exe
        
        C:\Windows\system32\Keekjc32.exe
        22⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Mhfmbl32.exe
        
        C:\Windows\system32\Mhfmbl32.exe
        23⤵
        
        PID:24892
      - C:\Users\Admin\Downloads\240919-hd8w1swapq14b2a9b27378974f3e88d1cafdf4bae45e598b2f89d5968c3687326b43aab258N.exe
        
        C:\Users\Admin\Downloads\240919-hd8w1swapq14b2a9b27378974f3e88d1cafdf4bae45e598b2f89d5968c3687326b43aab258N.exe
        6⤵
        
        PID:16340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
        7⤵
        
        PID:21128
        
        C:\Users\Admin\AppData\Local\Temp\vnc.exe
        
        C:\Users\Admin\AppData\Local\Temp\vnc.exe
        8⤵
        
        PID:5960
        
        C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe -k
        9⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 552
        9⤵
        Program crash
        
        PID:24832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\windef.exe"
        7⤵
        
        PID:12588
        
        C:\Users\Admin\AppData\Local\Temp\windef.exe
        
        C:\Users\Admin\AppData\Local\Temp\windef.exe
        8⤵
        
        PID:6264
      - C:\Users\Admin\Downloads\240919-hejnhswaqr491b1d018a1974923c1d5b75fe8eef7ba07879d989df74ea62b3d5abcedc0982N.exe
        
        C:\Users\Admin\Downloads\240919-hejnhswaqr491b1d018a1974923c1d5b75fe8eef7ba07879d989df74ea62b3d5abcedc0982N.exe
        6⤵
        
        PID:22024
      - C:\Users\Admin\Downloads\240919-hea2davgnh568b35f734708250ba46654364d728cc40038bba551d373d5c8f680a8b426d7fN.exe
        
        C:\Users\Admin\Downloads\240919-hea2davgnh568b35f734708250ba46654364d728cc40038bba551d373d5c8f680a8b426d7fN.exe
        6⤵
        
        PID:20324
      - C:\Users\Admin\Downloads\240919-hd5jlavgnd82abcb2bc2f4f52801f811772f5abce18475110c6626ade62f5ed664acffc7b3N.exe
        
        C:\Users\Admin\Downloads\240919-hd5jlavgnd82abcb2bc2f4f52801f811772f5abce18475110c6626ade62f5ed664acffc7b3N.exe
        6⤵
        
        PID:20584
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        7⤵
        
        PID:22740
        
        C:\Windows\SysWOW64\Epcbbohh.exe
        
        C:\Windows\system32\Epcbbohh.exe
        8⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\Feimadoe.exe
        
        C:\Windows\system32\Feimadoe.exe
        9⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\Gqkajk32.exe
        
        C:\Windows\system32\Gqkajk32.exe
        10⤵
        
        PID:23564
        
        C:\Windows\SysWOW64\Gglpgd32.exe
        
        C:\Windows\system32\Gglpgd32.exe
        11⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\Hjabdo32.exe
        
        C:\Windows\system32\Hjabdo32.exe
        12⤵
        
        PID:24252
        
        C:\Windows\SysWOW64\Iggocbke.exe
        
        C:\Windows\system32\Iggocbke.exe
        13⤵
        
        PID:23972
        
        C:\Windows\SysWOW64\Jffokn32.exe
        
        C:\Windows\system32\Jffokn32.exe
        14⤵
        
        PID:19220
        
        C:\Windows\SysWOW64\Kmlgcf32.exe
        
        C:\Windows\system32\Kmlgcf32.exe
        15⤵
        
        PID:17740
        
        C:\Windows\SysWOW64\Lndfchdj.exe
        
        C:\Windows\system32\Lndfchdj.exe
        16⤵
        
        PID:6544
      - C:\Users\Admin\Downloads\240919-hd87sawapr420ee04e303d000e1ea91aa9790aac6bef2e96ec7c6375d212f34cc7b4e57809N.exe
        
        C:\Users\Admin\Downloads\240919-hd87sawapr420ee04e303d000e1ea91aa9790aac6bef2e96ec7c6375d212f34cc7b4e57809N.exe
        6⤵
        
        PID:22608
        
        \??\c:\bhhnhh.exe
        
        c:\bhhnhh.exe
        7⤵
        
        PID:23500
        
        \??\c:\nhtnbb.exe
        
        c:\nhtnbb.exe
        8⤵
        
        PID:23228
        
        \??\c:\dvddd.exe
        
        c:\dvddd.exe
        9⤵
        
        PID:5372
        
        \??\c:\5hnhhh.exe
        
        c:\5hnhhh.exe
        10⤵
        
        PID:21324
        
        \??\c:\1pjpj.exe
        
        c:\1pjpj.exe
        11⤵
        
        PID:24448
        
        \??\c:\7ddpj.exe
        
        c:\7ddpj.exe
        12⤵
        
        PID:23588
        
        \??\c:\xxxrffx.exe
        
        c:\xxxrffx.exe
        13⤵
        
        PID:12040
        
        \??\c:\lflllrx.exe
        
        c:\lflllrx.exe
        14⤵
        
        PID:9456
        
        \??\c:\7xxxxxx.exe
        
        c:\7xxxxxx.exe
        15⤵
        
        PID:19792
        
        \??\c:\xlxlrxx.exe
        
        c:\xlxlrxx.exe
        16⤵
        
        PID:18692
        
        \??\c:\jjjjj.exe
        
        c:\jjjjj.exe
        17⤵
        
        PID:12416
        
        \??\c:\5tbbbb.exe
        
        c:\5tbbbb.exe
        18⤵
        
        PID:3316
      - C:\Users\Admin\Downloads\240919-hdqenswanqa1dfa603d414fef15c3092dff01577e2df1f29e58d957be1410d7c150c62cdefN.exe
        
        C:\Users\Admin\Downloads\240919-hdqenswanqa1dfa603d414fef15c3092dff01577e2df1f29e58d957be1410d7c150c62cdefN.exe
        6⤵
        
        PID:23516
        
        C:\Windows\SysWOW64\Eincadmf.exe
        
        C:\Windows\system32\Eincadmf.exe
        7⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\Fnnimbaj.exe
        
        C:\Windows\system32\Fnnimbaj.exe
        8⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\Ffcpgcfj.exe
        
        C:\Windows\system32\Ffcpgcfj.exe
        9⤵
        
        PID:24464
        
        C:\Windows\SysWOW64\Gggfme32.exe
        
        C:\Windows\system32\Gggfme32.exe
        10⤵
        
        PID:23680
        
        C:\Windows\SysWOW64\Gcngafol.exe
        
        C:\Windows\system32\Gcngafol.exe
        11⤵
        
        PID:19900
        
        C:\Windows\SysWOW64\Hgbfhc32.exe
        
        C:\Windows\system32\Hgbfhc32.exe
        12⤵
        
        PID:24284
        
        C:\Windows\SysWOW64\Hclccd32.exe
        
        C:\Windows\system32\Hclccd32.exe
        13⤵
        
        PID:24036
      - C:\Users\Admin\Downloads\240919-hdhptsvgkh146d515c23277e366b7a2b5044a24446eeb0f25670455573e02a38d0dac01738N.exe
        
        C:\Users\Admin\Downloads\240919-hdhptsvgkh146d515c23277e366b7a2b5044a24446eeb0f25670455573e02a38d0dac01738N.exe
        6⤵
        
        PID:23240
        
        C:\Windows\apppatch\svchost.exe
        
        "C:\Windows\apppatch\svchost.exe"
        7⤵
        
        PID:18276
      - C:\Users\Admin\Downloads\240919-hdphdavgldeac5f9ced24648bc518ee971ee16574c_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hdphdavgldeac5f9ced24648bc518ee971ee16574c_JaffaCakes118.exe
        6⤵
        
        PID:5492
        
        C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se101.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se101.exe"
        7⤵
        
        PID:24092
        
        C:\Windows\SysWOW64\calc.exe
        
        "C:\Windows\system32\calc.exe"
        8⤵
        
        PID:12784
        
        C:\program files\internet explorer\IEXPLORE.EXE
        
        "C:\program files\internet explorer\IEXPLORE.EXE"
        8⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat""
        7⤵
        
        PID:24928
      - C:\Users\Admin\Downloads\240919-hcza7avgjfeac5664cd2fab25f97ff77d9a3f597a3_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hcza7avgjfeac5664cd2fab25f97ff77d9a3f597a3_JaffaCakes118.exe
        6⤵
        
        PID:24236
      - C:\Users\Admin\Downloads\240919-hc8vmawamk53713370c4f9fb2d9280195fb93ca7764f31f4731043d7dbce6e232e8cf8edcdN.exe
        
        C:\Users\Admin\Downloads\240919-hc8vmawamk53713370c4f9fb2d9280195fb93ca7764f31f4731043d7dbce6e232e8cf8edcdN.exe
        6⤵
        
        PID:24044
      - C:\Users\Admin\Downloads\240919-hc4kxawalpTrojan.Win32.Cerber.pz-07104bba2b7977a8c29c8662a74e134bc6a48c915a4b103e7de9a1f82df1bfd1N
        
        C:\Users\Admin\Downloads\240919-hc4kxawalpTrojan.Win32.Cerber.pz-07104bba2b7977a8c29c8662a74e134bc6a48c915a4b103e7de9a1f82df1bfd1N
        6⤵
        
        PID:24020
        
        C:\Windows\SysWOW64\Incdem32.exe
        
        C:\Windows\system32\Incdem32.exe
        7⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Inkjfk32.exe
        
        C:\Windows\system32\Inkjfk32.exe
        8⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Kjmjgk32.exe
        
        C:\Windows\system32\Kjmjgk32.exe
        9⤵
        
        PID:17860
        
        C:\Windows\SysWOW64\Khfdlnab.exe
        
        C:\Windows\system32\Khfdlnab.exe
        10⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Lhjnfn32.exe
        
        C:\Windows\system32\Lhjnfn32.exe
        11⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Laglkb32.exe
        
        C:\Windows\system32\Laglkb32.exe
        12⤵
        
        PID:24660
        
        C:\Windows\SysWOW64\Maoakaip.exe
        
        C:\Windows\system32\Maoakaip.exe
        13⤵
        
        PID:24964
      - C:\Users\Admin\Downloads\240919-hcrlcavfrheb61b0413eb161ac3559ef6dd5166d52ee276a04bec048c9a88da90740a96d90N.exe
        
        C:\Users\Admin\Downloads\240919-hcrlcavfrheb61b0413eb161ac3559ef6dd5166d52ee276a04bec048c9a88da90740a96d90N.exe
        6⤵
        
        PID:18500
        
        C:\Windows\SysWOW64\Kjbdbjbi.exe
        
        C:\Windows\system32\Kjbdbjbi.exe
        7⤵
        
        PID:13036
        
        C:\Windows\SysWOW64\Kaqejcep.exe
        
        C:\Windows\system32\Kaqejcep.exe
        8⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ldfhgn32.exe
        
        C:\Windows\system32\Ldfhgn32.exe
        9⤵
        
        PID:24712
      - C:\Users\Admin\Downloads\240919-hcmx6avfrf115046eb6841b156e51a641c4c9899bb5560480dd3f458524014b85a6d7e1319N.exe
        
        C:\Users\Admin\Downloads\240919-hcmx6avfrf115046eb6841b156e51a641c4c9899bb5560480dd3f458524014b85a6d7e1319N.exe
        6⤵
        
        PID:12632
      - C:\Users\Admin\Downloads\240919-hcksssvfrc733e2d78201fbdbd6a96e31a5091418a7797419d77d4ccf42063cf7813d9bde8N.exe
        
        C:\Users\Admin\Downloads\240919-hcksssvfrc733e2d78201fbdbd6a96e31a5091418a7797419d77d4ccf42063cf7813d9bde8N.exe
        6⤵
        
        PID:10916
  - - C:\Users\Admin\Downloads\240919-hgpybavhmdeac7e6e96b3fd2185b7bbddb0d2d7d7b_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-hgpybavhmdeac7e6e96b3fd2185b7bbddb0d2d7d7b_JaffaCakes118.exe
      4⤵
      PID:13224
    - - C:\Users\Admin\eosRo6jbz1.exe
        
        C:\Users\Admin\eosRo6jbz1.exe
        5⤵
        
        PID:7300
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\yueut.exe"
        6⤵
        
        PID:19868
        
        C:\Users\Admin\yueut.exe
        
        C:\Users\Admin\yueut.exe
        7⤵
        
        PID:20176
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c tasklist&&del eosRo6jbz1.exe
        6⤵
        
        PID:21012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c tasklist&&del eosRo6jbz1.exe
        7⤵
        
        PID:21452
    - - C:\Users\Admin\2veg.exe
        
        C:\Users\Admin\2veg.exe
        5⤵
        
        PID:7440
      - C:\Users\Admin\2veg.exe
        
        "C:\Users\Admin\2veg.exe"
        6⤵
        
        PID:20364
      - C:\Users\Admin\2veg.exe
        
        "C:\Users\Admin\2veg.exe"
        6⤵
        
        PID:20396
      - C:\Users\Admin\2veg.exe
        
        "C:\Users\Admin\2veg.exe"
        6⤵
        
        PID:20716
      - C:\Users\Admin\2veg.exe
        
        "C:\Users\Admin\2veg.exe"
        6⤵
        
        PID:20860
      - C:\Users\Admin\2veg.exe
        
        "C:\Users\Admin\2veg.exe"
        6⤵
        
        PID:21164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 21164 -s 80
        7⤵
        Program crash
        
        PID:11528
    - - C:\Users\Admin\3veg.exe
        
        C:\Users\Admin\3veg.exe
        5⤵
        
        PID:11552
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3veg.exe"
        6⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3veg.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3veg.exe
        7⤵
        
        PID:15044
        
        C:\Users\Admin\AppData\Local\a2c11b76\X
        
        *0*bc*560cb12c*31.193.3.240:53
        8⤵
        
        PID:17288
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c tasklist&&del 240919-hgpybavhmdeac7e6e96b3fd2185b7bbddb0d2d7d7b_JaffaCakes118.exe
        5⤵
        
        PID:22440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c tasklist&&del 240919-hgpybavhmdeac7e6e96b3fd2185b7bbddb0d2d7d7b_JaffaCakes118.exe
        6⤵
        
        PID:15800
  - - C:\Users\Admin\Downloads\240919-hg7hcsvhnf2024-09-19_0cc2138dce5f268ff96d6d7ac48050ef_cobalt-strike_cobaltstrike_poet-rat.exe
      C:\Users\Admin\Downloads\240919-hg7hcsvhnf2024-09-19_0cc2138dce5f268ff96d6d7ac48050ef_cobalt-strike_cobaltstrike_poet-rat.exe
      4⤵
      PID:13692
  - - C:\Users\Admin\Downloads\240919-heve1svgqc65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
      C:\Users\Admin\Downloads\240919-heve1svgqc65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
      4⤵
      PID:25372
    - - C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        5⤵
        
        PID:15664
      - C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        6⤵
        
        PID:19176
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        7⤵
        
        PID:14624
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        9⤵
        
        PID:16260
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        10⤵
        
        PID:21612
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        11⤵
        
        PID:21916
        
        C:\Windows\SysWOW64\Lamlphoo.exe
        
        C:\Windows\system32\Lamlphoo.exe
        12⤵
        
        PID:22392
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        13⤵
        
        PID:18288
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        14⤵
        
        PID:19128
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        15⤵
        
        PID:19328
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        16⤵
        
        PID:22724
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        17⤵
        
        PID:752
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        18⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        19⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        20⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        21⤵
        
        PID:23424
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        22⤵
        
        PID:23784
        
        C:\Windows\SysWOW64\Edfddl32.exe
        
        C:\Windows\system32\Edfddl32.exe
        23⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\Fpckjlje.exe
        
        C:\Windows\system32\Fpckjlje.exe
        24⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\Gqmnpk32.exe
        
        C:\Windows\system32\Gqmnpk32.exe
        25⤵
        
        PID:23788
        
        C:\Windows\SysWOW64\Gcngafol.exe
        
        C:\Windows\system32\Gcngafol.exe
        26⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\Hcgjhega.exe
        
        C:\Windows\system32\Hcgjhega.exe
        27⤵
        
        PID:23964
        
        C:\Windows\SysWOW64\Imnjbhaa.exe
        
        C:\Windows\system32\Imnjbhaa.exe
        28⤵
        
        PID:19104
        
        C:\Windows\SysWOW64\Knifging.exe
        
        C:\Windows\system32\Knifging.exe
        29⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\Ljijci32.exe
        
        C:\Windows\system32\Ljijci32.exe
        30⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Lfddci32.exe
        
        C:\Windows\system32\Lfddci32.exe
        31⤵
        
        PID:24696
  - - C:\Users\Admin\Downloads\240919-he326avgrbcdd65ec093e134c6ee5ff2c5f1b14868558fd552541e42a0ad7024e9f4d51603N.exe
      C:\Users\Admin\Downloads\240919-he326avgrbcdd65ec093e134c6ee5ff2c5f1b14868558fd552541e42a0ad7024e9f4d51603N.exe
      4⤵
      PID:12100
  - - C:\Users\Admin\Downloads\240919-helswavgpf5755e91ffe445606f1dd55d4ae96c0d698d777b37cdd33c6677c7153a487b8b0N.exe
      C:\Users\Admin\Downloads\240919-helswavgpf5755e91ffe445606f1dd55d4ae96c0d698d777b37cdd33c6677c7153a487b8b0N.exe
      4⤵
      PID:5292
    - - C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        5⤵
        
        PID:22232
      - C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        6⤵
        
        PID:18256
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        7⤵
        
        PID:19024
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        8⤵
        
        PID:18820
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        9⤵
        
        PID:19812
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        10⤵
        
        PID:21252
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        11⤵
        
        PID:21272
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        12⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        13⤵
        
        PID:22824
        
        C:\Windows\SysWOW64\Dgfdojfm.exe
        
        C:\Windows\system32\Dgfdojfm.exe
        14⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Ecidpiad.exe
        
        C:\Windows\system32\Ecidpiad.exe
        15⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\Gjnlha32.exe
        
        C:\Windows\system32\Gjnlha32.exe
        16⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\Gdhjpjjd.exe
        
        C:\Windows\system32\Gdhjpjjd.exe
        17⤵
        
        PID:23732
  - - C:\Users\Admin\Downloads\240919-hd8w1swapq14b2a9b27378974f3e88d1cafdf4bae45e598b2f89d5968c3687326b43aab258N.exe
      C:\Users\Admin\Downloads\240919-hd8w1swapq14b2a9b27378974f3e88d1cafdf4bae45e598b2f89d5968c3687326b43aab258N.exe
      4⤵
      PID:21680
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
        5⤵
        
        PID:9416
      - C:\Users\Admin\AppData\Local\Temp\vnc.exe
        
        C:\Users\Admin\AppData\Local\Temp\vnc.exe
        6⤵
        
        PID:8440
        
        C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe -k
        7⤵
        
        PID:12364
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\windef.exe"
        5⤵
        
        PID:13268
      - C:\Users\Admin\AppData\Local\Temp\windef.exe
        
        C:\Users\Admin\AppData\Local\Temp\windef.exe
        6⤵
        
        PID:24788
  - - C:\Users\Admin\Downloads\240919-hea2davgnh568b35f734708250ba46654364d728cc40038bba551d373d5c8f680a8b426d7fN.exe
      C:\Users\Admin\Downloads\240919-hea2davgnh568b35f734708250ba46654364d728cc40038bba551d373d5c8f680a8b426d7fN.exe
      4⤵
      PID:23000
  - - C:\Users\Admin\Downloads\240919-hdhptsvgkh146d515c23277e366b7a2b5044a24446eeb0f25670455573e02a38d0dac01738N.exe
      C:\Users\Admin\Downloads\240919-hdhptsvgkh146d515c23277e366b7a2b5044a24446eeb0f25670455573e02a38d0dac01738N.exe
      4⤵
      PID:6764

C:\Windows\SysWOW64\tcpip.exe
C:\Windows\SysWOW64\tcpip.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3508 -ip 3508
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5512 -ip 5512
1⤵
PID:5432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 21164 -ip 21164
1⤵
PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6092 -ip 6092
1⤵
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 8300 -ip 8300
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 8196 -ip 8196
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 12112 -ip 12112
1⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 8260 -ip 8260
1⤵
PID:9564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8208 -ip 8208
1⤵
PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 15116 -ip 15116
1⤵
PID:22468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5960 -ip 5960
1⤵
PID:8216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 8440 -ip 8440
1⤵
PID:13248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 12784 -ip 12784
1⤵
PID:6688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Network Share Discovery

T1135

Process Discovery

T1057

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
114445130d5e083c42830d9adbf5d748

SHA1
48a62ec52b835918cc19a2df9c624a7a0d6b85e1

SHA256
a5f47d59b8d08fc85ee411ec2e1015fedda08fd4a6cae2bf7b3bb1a7db2ccb5e

SHA512
45eb73fd4e12ed70c386c733b2bc04296fb1a16be04b4cd45260c70d0e4b6cf3a87dc223ce2319d94b79c513ba19d0816bae428c466076c1de906429aaa78748

Download Submit
C:\Program Files (x86)\Windows Defender\gahyqah.com

Filesize
24KB

MD5
dd1899d70c8a6b96460ae794b30195e3

SHA1
76e06571a3f863d0ebecfa378104d223d0f15768

SHA256
ad0dc4c7e27574dc2e4febee78c45aae8720a76b9f654ac83b83e709dcb8addb

SHA512
48b1a7b400e093130d924dc391a98a24401efa963cc14148d9ae7d643ced2ddfcabb50be7f6513efb1efdcaebc8ab4cbf85a882faf3036e650c2051ec484acc1

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
42KB

MD5
a69f945b57e21392a173a79e6d22a17a

SHA1
bd1ad118fac0839d81e783a45a269d2061b35b15

SHA256
07ec125bee10da19f39872363cc235856d89ed29d471f364c121a0dfbb031c19

SHA512
d15930c6b3c4785d406748aae05421b2d47aaf69e1aa01a3547dc96595775f8a0e678c8f1718249b62c15ea28c3e34792b4495af7469375d1bf8a41f8c58d3b7

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\SysInfo.dll

Filesize
56KB

MD5
0b01c0ebe00f48c299d5d31e93ec91a6

SHA1
c0a531c0243172061b10d8bde8bfcbf88700066e

SHA256
3537dcbf4b9f3228ab31e58cf1cd6fcf1c598c6539ed4461baabdaebb3fea424

SHA512
f919f08a8d5241d1836a42f481e5c451bcd0f4ce0635db2831b02ee46491d354a111d080aedf5a808dd907cceb3fec088a27fcf96fc15334b315eeae98dfe20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\240919-hfpadswblkeac71a57b0528af9106fe5dc5a76eaa0_JaffaCakes118.exe

Filesize
1.1MB

MD5
0531cbb2a97e56f32cdec5e796bda23a

SHA1
e321f7e5573cba5be20102ccb7ab7e9dd06a8840

SHA256
ccf00ae074d5532b9d5975ea7a36b9dfcfd4bc1bb34d23c2dd0ce707901275dc

SHA512
b5fd414b851d210dc6a46f34963255ac9c5e9f8816992fd752d2dd90e3321c3aae1ef6b880f1b257882c1985b63e421c85a0b17b1b431a04530b6326704f429f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3veg.exe

Filesize
287KB

MD5
357d9b4488d3191b0d6197015b326484

SHA1
057455015523d5b0b475dce4a49d510ba6a23ee4

SHA256
7444e14894fdd4a92bf4fc447ac8884c230730cbd0156e84d9c37f23db4b6c36

SHA512
f6e059efdbb604e3a2ad3a9d91d20061f03343dd387f2d88971a640a4fb142164c79ea275200a3dbe9ab2b21a16318b5fdd457c0464b900ea37497c7500373bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SE56B6.tmp

Filesize
1024B

MD5
12871388b682b159ddd85545302a289d

SHA1
76b47377da188fcfddeefa0f940287f1cce9885d

SHA256
cc033f00e96cae1829e3a5c15150fe68a62f65440f1b158d9257370fbc488a9b

SHA512
d60953b62d08e52fa2860db257e2bdbaa97e7eff7007617857f7b30a76f7c7ba81f8444d313a6ad496adbbaede5af1661e72522046789bb9aee1340f7ac12c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD4EDE.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYHS.exe

Filesize
43KB

MD5
24ede56a418de315bf1669956f23fcfa

SHA1
35ee136b9287c00616e7865306f5561e728785ab

SHA256
b3bf005ce7a1f35c041ea3bd8fd3356631470e32ba412321206851cb0c085b6a

SHA512
01c345ae478a429ef186337c7dd3c46f1fdbe0347841fe98c946e7f78fb67b17b1cbb15d9f8538441a9610f1effda6061a149d960f20c43d058c7c4895f714e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDqsS.txt

Filesize
143B

MD5
962bc493b87f298696ad6e3eed7c7937

SHA1
985cc0c7e37e2465c4349abd528e120663ebd205

SHA256
c167e2faa5307ac291ff833b8a1f5f802eaa028d1aba8d1ad342ca84c07bdb01

SHA512
9dd2b755a404b74206b713ab17d2ddedacc48910e942dab71cf7e98d8d25322c24e32648f0881136e5425134aaccfbfd9bdc52ceb4519bd07e97c5564116f173

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_cffi_backend.cp310-win_amd64.pyd

Filesize
174KB

MD5
12d1fece05057f946654f475c4562a5c

SHA1
539534b9d419815a5dad73603437ecb5afebc0dc

SHA256
1ae3faac65748b494409b4dc6919752ecb444a5136865e5826076be71efd5d85

SHA512
124207d1c35a500f268904d1c4c860ee534cc129cd3cd4a1ffac70a58aa518055a2e7d415622531fcdf834f4d676144a0de729a2d832772e3626e835f5cf2978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_decimal.pyd

Filesize
241KB

MD5
1cdd7239fc63b7c8a2e2bc0a08d9ea76

SHA1
85ef6f43ba1343b30a223c48442a8b4f5254d5b0

SHA256
384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690

SHA512
ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_queue.pyd

Filesize
26KB

MD5
c9ee37e9f3bffd296ade10a27c7e5b50

SHA1
b7eee121b2918b6c0997d4889cff13025af4f676

SHA256
9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a

SHA512
c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_ssl.pyd

Filesize
152KB

MD5
11c5008e0ba2caa8adf7452f0aaafd1e

SHA1
764b33b749e3da9e716b8a853b63b2f7711fcc7c

SHA256
bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14

SHA512
fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
0f129611a4f1e7752f3671c9aa6ea736

SHA1
40c07a94045b17dae8a02c1d2b49301fad231152

SHA256
2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f

SHA512
6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
d4fba5a92d68916ec17104e09d1d9d12

SHA1
247dbc625b72ffb0bf546b17fb4de10cad38d495

SHA256
93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5

SHA512
d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
edf71c5c232f5f6ef3849450f2100b54

SHA1
ed46da7d59811b566dd438fa1d09c20f5dc493ce

SHA256
b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc

SHA512
481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
f9235935dd3ba2aa66d3aa3412accfbf

SHA1
281e548b526411bcb3813eb98462f48ffaf4b3eb

SHA256
2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200

SHA512
ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
5107487b726bdcc7b9f7e4c2ff7f907c

SHA1
ebc46221d3c81a409fab9815c4215ad5da62449c

SHA256
94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade

SHA512
a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
d5d77669bd8d382ec474be0608afd03f

SHA1
1558f5a0f5facc79d3957ff1e72a608766e11a64

SHA256
8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8

SHA512
8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
650435e39d38160abc3973514d6c6640

SHA1
9a5591c29e4d91eaa0f12ad603af05bb49708a2d

SHA256
551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0

SHA512
7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
b8f0210c47847fc6ec9fbe2a1ad4debb

SHA1
e99d833ae730be1fedc826bf1569c26f30da0d17

SHA256
1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7

SHA512
992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
272c0f80fd132e434cdcdd4e184bb1d8

SHA1
5bc8b7260e690b4d4039fe27b48b2cecec39652f

SHA256
bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d

SHA512
94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
20c0afa78836b3f0b692c22f12bda70a

SHA1
60bb74615a71bd6b489c500e6e69722f357d283e

SHA256
962d725d089f140482ee9a8ff57f440a513387dd03fdc06b3a28562c8090c0bc

SHA512
65f0e60136ab358661e5156b8ecd135182c8aaefd3ec320abdf9cfc8aeab7b68581890e0bbc56bad858b83d47b7a0143fa791195101dc3e2d78956f591641d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
96498dc4c2c879055a7aff2a1cc2451e

SHA1
fecbc0f854b1adf49ef07beacad3cec9358b4fb2

SHA256
273817a137ee049cbd8e51dc0bb1c7987df7e3bf4968940ee35376f87ef2ef8d

SHA512
4e0b2ef0efe81a8289a447eb48898992692feee4739ceb9d87f5598e449e0059b4e6f4eb19794b9dcdce78c05c8871264797c14e4754fd73280f37ec3ea3c304

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
115e8275eb570b02e72c0c8a156970b3

SHA1
c305868a014d8d7bbef9abbb1c49a70e8511d5a6

SHA256
415025dce5a086dbffc4cf322e8ead55cb45f6d946801f6f5193df044db2f004

SHA512
b97ef7c5203a0105386e4949445350d8ff1c83bdeaee71ccf8dc22f7f6d4f113cb0a9be136717895c36ee8455778549f629bf8d8364109185c0bf28f3cb2b2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
001e60f6bbf255a60a5ea542e6339706

SHA1
f9172ec37921432d5031758d0c644fe78cdb25fa

SHA256
82fba9bc21f77309a649edc8e6fc1900f37e3ffcb45cd61e65e23840c505b945

SHA512
b1a6dc5a34968fbdc8147d8403adf8b800a06771cc9f15613f5ce874c29259a156bab875aae4caaec2117817ce79682a268aa6e037546aeca664cd4eea60adbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
a0776b3a28f7246b4a24ff1b2867bdbf

SHA1
383c9a6afda7c1e855e25055aad00e92f9d6aaff

SHA256
2e554d9bf872a64d2cd0f0eb9d5a06dea78548bc0c7a6f76e0a0c8c069f3c0a9

SHA512
7c9f0f8e53b363ef5b2e56eec95e7b78ec50e9308f34974a287784a1c69c9106f49ea2d9ca037f0a7b3c57620fcbb1c7c372f207c68167df85797affc3d7f3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\base_library.zip

Filesize
858KB

MD5
0eb61f9b08b022e88d61efc7875930d6

SHA1
f2791f356dcae681196c37d1e6a523340adcf638

SHA256
0ff0c5dd453b4f0590a9d94aa6b9ca28e429cc78fc6afca0a415bb4fc06b8ea0

SHA512
b793e4d23cf5be9da6ed5f1ed88d46d4b9b1e8b5e6966e8705a633d183a75cea82aa5d94d43860fafbd02ede9d4d652e62b379d0a6239c2ef5a4f130bb71fe05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\python3.DLL

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13802\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI219482\cryptography-43.0.1.dist-info\WHEEL

Filesize
94B

MD5
c869d30012a100adeb75860f3810c8c9

SHA1
42fd5cfa75566e8a9525e087a2018e8666ed22cb

SHA256
f3fe049eb2ef6e1cc7db6e181fc5b2a6807b1c59febe96f0affcc796bdd75012

SHA512
b29feaf6587601bbe0edad3df9a87bfc82bb2c13e91103699babd7e039f05558c0ac1ef7d904bcfaf85d791b96bc26fa9e39988dd83a1ce8ecca85029c5109f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI245802\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI245802\cryptography-43.0.1.dist-info\license_files\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI245802\cryptography-43.0.1.dist-info\license_files\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI245802\cryptography-43.0.1.dist-info\license_files\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43002\pip-24.2.dist-info\top_level.txt

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfrbinel.rxu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ransomewrar3.exe

Filesize
21.6MB

MD5
eeb609c203c96953017ce60c6c837c50

SHA1
cc7d00abeb70ba3c83e4fc169a133cb61794c43c

SHA256
94062fbf362116f6a73b00900baaee497c264f47184d527b7a5026bcef6332c1

SHA512
01ec0c74b166fe71788eec13426b43bf1016eea37656a2b3cfd8e57e25a19d3efb585d7481857fbd7eccfe31bbad3087bc7b2bfffc97d52b94b9c666237bf425

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe

Filesize
405KB

MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ð¡·ãpao1011_.exe

Filesize
3.4MB

MD5
13045150bfa6bb83f0ef43afbdc32c4c

SHA1
33b6b990876db7c9beb97abf4f39259d8102a93e

SHA256
8fc280cb379dabea0e7cd1c22962c33168ebde7e7def788514be95b34d4fe723

SHA512
d23112aeb7de88ef1dcc0690a42c66f67237a5d975e4465be484804fb92351763ee42f57c3944c7729c6dba6a6a5b992be2a0195e10f2ec08c0d839de7a745ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
342B

MD5
f21d093ee7f906242c944a3371230631

SHA1
25c3e32f13753e7801479e5a22cd87a5e48f6ad7

SHA256
3e05aaf08856e8d138fbd83d68608d00c4d0cfa00a63b8349ab7617caf3f91b1

SHA512
58ec21616ed87cb6a45cb4c2c7ad6360a6396258a200202ff916727ba447c74c3c3e7fd034a48216c5cee2fa96b97c41ae72e8ebfa229f45c8e25989317932ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
d2bd091f0b83a756d8ca56249d8fac6f

SHA1
cc2e5f0e60986662b9cf2236683d9036c91e0919

SHA256
e6f3b28906552f588e255222d72c80e59b12336484f2e9c20f886bc8a4b19a6c

SHA512
8693372dcdb25731a3cddb3d0febb5db9ef90039bb6661b2c53bb13ae3b72a98596d8968b115b00699e3ed2b82a15ee0224c528567de72a2d400f930fe180c73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
665B

MD5
70f01816e007f8f8ad7caafb2946bbdc

SHA1
f9b321d37cd77cfe3a98897d5d0005baddbaee1b

SHA256
7a27e70f176370a78ed6ef2f019e8127f590dc089d154d16233bf712f6d052b3

SHA512
f567a079a6cea09a60ac7ce1655340be14ca3a138b9a54a9b3ff5027cacc13df47b555a75947022fe7ef14fd8382378f31792966c17bd5c97c009bf2b87b485d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
3b7238603f8ab6ea2a981fc6924f9ef4

SHA1
035591baa9c97cdbff8a567977fbbe3723f075d7

SHA256
3deb0f09a29f924d0f3f2b2522e9aad6b976e67384c9d5d527178e026cd636cd

SHA512
de01d274f1b119e3aab5970ca2c9511034db82076762514305e9d2f96876dc7569fe1d21418773c30ae02a2ceddfc82ccc70d37f01f4e94cd7ba1e1dea83c890

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe

Filesize
349KB

MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\Downloads\240919-g69hksvdpg83550a470151db9e27849bed1302204f90cf75eef30473ac4676fba564de3cf3N.exe

Filesize
1.5MB

MD5
c404e2499fbcaa3a948cc386a4e45e00

SHA1
f57ad9f65ab934bc5add821e124fa1eb8199bcc0

SHA256
83550a470151db9e27849bed1302204f90cf75eef30473ac4676fba564de3cf3

SHA512
d55507a27c23062403736d7945a009db04934fcec0cee657f0eca77f5be621e2af4ed58809d1cfa5222e8552f23ef3852ce8a777de638612beaab8b690ad78b4

Download Submit
C:\Users\Admin\Downloads\240919-g8c76avgmnDispam.exe

Filesize
12.1MB

MD5
61aa26439a0e4cbd13d4f531e58eac20

SHA1
d685cd48ce1e81ae574a3467628341140354573e

SHA256
fa17bf64d800d3af2abbd959a45ece4d0e4c6c7831b9e148f41bca3aab424491

SHA512
d7eaf0e99464987490ee1d97bcc532b18673054aacc706a74f180a47be0faf29065491d3d61818ad0fc49cbce3b6a8fb2ec77b55e682ef7b5b3caaab3dd30506

Download Submit
C:\Users\Admin\Downloads\240919-hanfxavfjeeac3e0b94509698289bda8b3c99eee88_JaffaCakes118.exe

Filesize
155KB

MD5
eac3e0b94509698289bda8b3c99eee88

SHA1
5f6f31c9736f201b0ddbb36a6c079e6b8e2516a6

SHA256
807391e7d966a61e58ac7b3362dc046433dea4bf6ce1b4be4f6e401816cb4d30

SHA512
02119d24f0b89a1352851c8362eb4a3f267d24482eb833f22abf26d722b6d54f379c4ec6b59e980469100bffd72db031bde3e930ad93106b9837f3b89d2651d7

Download Submit
C:\Users\Admin\Downloads\240919-hasevsvfjheac3f38a34b8d289341bb6ddf5f71612_JaffaCakes118.exe

Filesize
5KB

MD5
eac3f38a34b8d289341bb6ddf5f71612

SHA1
19d03275c0a6ad6c2281fd140748bec1c2ef2f4e

SHA256
242682b5b63e5fe39830721ce5989dd49da55562e0f792b1265759b1c51e2a7b

SHA512
d36d0a13c69de33954c179a413de59e4ebc19f98b82d078914c69743330b3be3b2aa252ca655e90ae63f8291902554fff58e92f75fb1017b113d8c9f5469c82f

Download Submit
C:\Users\Admin\Downloads\240919-hb77psvfqbeac4d80c6ae145c69559a8d62aff0d43_JaffaCakes118.exe

Filesize
53KB

MD5
eac4d80c6ae145c69559a8d62aff0d43

SHA1
d4130e2d404c1fcd009d0b3445ca87c13dfb9b94

SHA256
702e3c50d588e83a7d16d484baec389b4195c33e3abc3807e0aca27789990b01

SHA512
c8d1ef7fdcf9590137ac174d38fa40f6543f0eb2e2291f45e7629f09405c565815c0f348729580fe08ece0f9ff5da3580b9667e710ff317f99078f9ea788873c

Download Submit
C:\Users\Admin\Downloads\240919-hea2davgnh568b35f734708250ba46654364d728cc40038bba551d373d5c8f680a8b426d7fN.exe

Filesize
122KB

MD5
395563cacf0245228835e55b1d842510

SHA1
0dc0fb24b4cf1ba32af69569ac708eb941fff834

SHA256
568b35f734708250ba46654364d728cc40038bba551d373d5c8f680a8b426d7f

SHA512
0396d548d80e81ad7d2ae47beede122bed2c54147a0047123b16bd42df21669af7452e6abe51be880a0745ce4dab55128d05cf6ab3a4e2ccd3a66f9fee0fccda

Download Submit
C:\Users\Admin\Downloads\240919-hejnhswaqr491b1d018a1974923c1d5b75fe8eef7ba07879d989df74ea62b3d5abcedc0982N.dat

Filesize
1001B

MD5
f9575614387b2862d4e678197b9a7226

SHA1
fc892009f6cd21dab879a2d8856fcb4e835f1534

SHA256
d50d12d8bc3d004db64660548b9562d0eafa8ef37892d8ffb5c042c5ab9ed98f

SHA512
7ce759088c4f939de6ac4b8b526d96fd928c98f08d8c23254d9ed9e3f2ef2b39a2b46b89d0b32efebc19485c09b543ad0a7e7529fa6e75ef5a98d7b05be14b10

Download Submit
C:\Users\Admin\Downloads\240919-hejnhswaqr491b1d018a1974923c1d5b75fe8eef7ba07879d989df74ea62b3d5abcedc0982N.zip

Filesize
63KB

MD5
3ba39ad63610831b9334eccbb377675b

SHA1
7e21ac653ebe9a8e8bf802f8ddca08db9462c60c

SHA256
85e5592fb384aecefbf0cab1ed51e8895b8bda574f22b5f408789402566f8934

SHA512
8bec2b2b734a6ef13ff745ec373270a0011e5fdcbbbedc692a33b1adeef6924d4d525d24ad8725bf6f028a0872fc079b27046d61058c1afd347c9f0b9cecaca5

Download Submit
C:\Users\Admin\Downloads\240919-hewyvavgqdeac6ae245c86058f6b8eef8651de7f06_JaffaCakes118.exe

Filesize
110KB

MD5
eac6ae245c86058f6b8eef8651de7f06

SHA1
8e6fb839a827129f4126aa922d39fcd0ac8d6269

SHA256
8661b70a05067d692aae8cc62162d4a2363d219729cd05574b85356bb52af1f0

SHA512
3eef62cfd760438cbc49ae42ea8078c4e0f7864fc6390ee9d26ab040220b084c8fe7a5401d8696b119efca440ee63233e5fabf6304bed49df992a47e9a30f631

Download Submit
C:\Users\Admin\Downloads\240919-hh2y9svhrgeac8e88f9559cb19546a0a744357d2e4_JaffaCakes118.exe

Filesize
261KB

MD5
a351a72785975c9ad53d3579d21231a7

SHA1
d739e520b288b8f5ccf5b6c9776685a11c17e1e0

SHA256
b9f61039eec60395ea65c50392ae82da84778efb110a224aff7f325dbf79ee9d

SHA512
a664f4b51c924a12456e7aaa042345061ea0b683a0db23acc6914b96a8f3000727e5d493f35b021a9ff7f16aad7591906979299c8acbe1f30ff4298619bf51d2

Download Submit
C:\Users\Admin\Downloads\240919-hjwtmswcnleac96e5c93d88ec7f3d8ee2726a10297_JaffaCakes118.exe

Filesize
187KB

MD5
eac96e5c93d88ec7f3d8ee2726a10297

SHA1
63bfef8f50f95ba914036cbf5f8d462c35b84213

SHA256
524f6d1744c625d4ee827ab1ee1406f5aeef8c8799b8cf6474c2a53014a1dfad

SHA512
1e18f3de7b71b67bc97ab77851bac825b890ca567858f3e063ebc3471741e2ff5ae9517a8de32b5685ca2f13e4d6da50c8be04ab04c9a51fc3d499516076915a

Download Submit
C:\Users\Admin\Downloads\240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe

Filesize
23KB

MD5
eaca4be488cd57107299ee54406acbae

SHA1
ac4a42baecccf60acf48b9365f4b126435bb4b2d

SHA256
8f64ec3069aa95ace5e66ce58bdd0889cc4c2e04cc950949c08ac80f2121add4

SHA512
8e0ac5a256ed1e0e219cb75d11088776bd71ecc6d7928e0d97f4077f6fee4332556816dd1a7f3d9d8dffd17ac796135ddb7d9de80be4e0e9e2c6c7f4b0a7796d

Download Submit
C:\Users\Admin\Downloads\240919-hl8afswdnjPI-100957Revisar fatura.doc

Filesize
718KB

MD5
9f9efa8ebc90bdbac43ec953e9e78a53

SHA1
e4d8c70f54ad1559bd51293e8032550fadbf6a3b

SHA256
7368746a64683a8f9a810dc983e80da9cb7c3b5f5c1d65da8c980135c383647c

SHA512
8c7a6fe07038a7ec47d04b385c4a38915da03290a2f52504b9d9cb6e71700f7d2c0ee15164d48e062fbee38bef79976842649ed92f3f78dc7f483fc7435d2056

Download Submit
C:\Users\Admin\Downloads\240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe

Filesize
800KB

MD5
9927730860562c5fec12a71b18c031f0

SHA1
c691ee73b92b841c0c2c5231a1bcafad1c23c4d3

SHA256
a801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7

SHA512
8058b2dfdbdfe7a1e316e425226a7ad1c39e06e535ead79c0fe2708b83d2a50d71f29f960acfc3b0f38d4a80c82d4307c0b6d6660e34ef5c65f3870e12cd2b5d

Download Submit
C:\Users\Admin\Downloads\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\Downloads\temp.zip

Filesize
21KB

MD5
1bfab02294fda29ede2f9c4ca2a0ea1c

SHA1
aadfde895b678c809f6a7527376ce2537975b38f

SHA256
a429b6bffdd8328000a63f49b4f767ba3f69b285b70cbb818c1e472681cb07a1

SHA512
e6ac6ddf39b52f0d6d8cd19930c95d123ed32148a85520cf01af7ed80d51a1b5429e9995be04f983f42da3a861747846ce41d25bef97609a421e1f072366e0f4

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

Filesize
2.0MB

MD5
c7614bac48f467a1bbe4aab15b2d4873

SHA1
3487874549307be567676f680af742e495924754

SHA256
be191bb224c7562d3de87d42f504c48ca825b98442596795612eab2d6a666e98

SHA512
3f9c65a1ed55b3133eced51029636519b9204ec6d2a5aab6e90e2ca2808d36f2cdcf5a6bfec2adbaad39c74728104b711260837dae8d2304f4492dba52e0049b

Download Submit
C:\Users\Admin\qxgoh.exe

Filesize
296KB

MD5
7876930bd0771c72af629f8fcfea6b1d

SHA1
bc70773ee9f9bcca53e1482a243887ca934a0d04

SHA256
e34103d18f601b58f9605139c09346aa75049ea27b5c90df89c45c78920af590

SHA512
f047d0877d3abf908145d51faabf61f67722d2c8b05399f77fd61856d67adf7edc7d0e2d9716d5180e7e52b16325063ae9acebdbf577f7e6c9559af54dbd0d33

Download Submit
C:\Users\Admin\yueut.exe

Filesize
180KB

MD5
56e2cb86eceb994b5e2768c28a852077

SHA1
84c49a805394fd9de1c53a1f240119e43dd1912e

SHA256
b2565b043670f967130b6b61700e58e49cc63a45228b621d9bbee8e2ac78a536

SHA512
3a2b7606be4b60d23577dfabacdf8720a20cad0c3293076b26fa703410938670ee34dad788fee4861bc098212f05ea531fc9f3fa876d8222b0011454517fe872

Download Submit
C:\Users\Public\DeadCodeRootKit.exe

Filesize
151KB

MD5
b8479a23c22cf6fc456e197939284069

SHA1
b2d98cc291f16192a46f363d007e012d45c63300

SHA256
18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f

SHA512
786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4

Download Submit
C:\Users\Public\DeadROOTkit.exe

Filesize
42KB

MD5
7dd98fc2976ee270a278e1a9a28eefae

SHA1
0497ee045226b2d310c7678ed055eeedbc88dc77

SHA256
5711b50667b4de000c8031724427ec6cd00b41b760ca1608421dc47b549e2093

SHA512
94cab0f684f79e7adb6bea43a909d9621a2ef6bf223fbf4650b040766e7edfc95d77f62aa852efccb7752442e96182329934eee58ad4b8f579a75bd8414d984c

Download Submit
C:\Users\Public\DeadXClient.exe

Filesize
35KB

MD5
f1976ea02bffaef5ac943c2abbb7426c

SHA1
deeee7d4f336d0ba898b5579720aaf630951a72f

SHA256
4353e37a3d60dd30beeec61a812a07ba6bfc174a18cdd5a95be98666db2f7cf6

SHA512
2b21c93ee09865a5c5f365cb945ebc2473a5b8ddce009302e8f03815d7784ad3a95d615678b3b49e272d235d10c03262f2ddaaec9de8a373c0487b7904bd7858

Download Submit
C:\Windows\SysWOW64\Afafnj32.dll

Filesize
7KB

MD5
f809cc0e7554c67efe011666a1284a51

SHA1
d9450e04f73554bfd41f7e15ecc25f4d2af74c0c

SHA256
094e7ce85755565fb6cf6a06091fc4306d660cd164d26b524669e02aaa400e92

SHA512
158d3769fa8b99833fb4edd96607f5da6733f793f72e31d18ca438fe1283f17203e48d4b1758e2ed010e0472a32029362356034c6fcd1240a25758feeac25c9e

Download Submit
C:\Windows\SysWOW64\Agmmnnpj.exe

Filesize
55KB

MD5
71abc8b13504aebcf90293cc427992e4

SHA1
39582904d8d4bcc353fa83b6974d775ff97c8a5a

SHA256
f29b7178751f78c96a501de6efebb8e3078f01cf8e618db25905098fdf4993de

SHA512
dcda26426706b3685a8a6cf459aa7adf16f4856b8c7934f9b67a04cf4f34185f034f15038440ac51dbc3dfac12e5acd2cafdab93f63fb111de8a18846da6d1c8

Download Submit
C:\Windows\SysWOW64\Baadiiif.exe

Filesize
224KB

MD5
a8ecb88381552ba2ee360ddc9fb9ec19

SHA1
4eec63f266b7ef6d0cbb7d4ee1586d272878a66f

SHA256
a68882b097e13a74f21461efc4a2d8ddf5cb4831f525803513e00cfe70a60c04

SHA512
8bd5670a0f7983fe330eb6011e2648e75d54e5d66bd8b4e641acd8e2c42faeac38de21ad326861388d20d7e9fa4c6a2ab488e56ea54b78d9ec06ad38bc64221b

Download Submit
C:\Windows\SysWOW64\Bppfmigl.exe

Filesize
800KB

MD5
e38d999f6f4ceee224e50385f23cc156

SHA1
c5b875c753a088b79974435cdf56b5c1feac641f

SHA256
010f4170390c24f6c98ebafa0906e704044227e797b056672aae5778e556f21a

SHA512
6aa95328e2b8c0b4ddef67be01fe5eef11c4045f8108a1b27d1e14794eb54a7d19487000436ff360f3f7e30ba0954fba81771722f424eebdb17f964a3572cc8a

Download Submit
C:\Windows\SysWOW64\Dbijinfl.exe

Filesize
570KB

MD5
ae64f14ee5d14be4ef301212ce07e30c

SHA1
2063ef472f5fcc59079d33af0b46a0ce36cff55d

SHA256
84098298eca7e8168e09bb7cda19008bc25a719e0fa934aa118b190dff0fda3c

SHA512
9f1222448f4be267819348829bf9a80099567b7966fc47df885723bf78456aae534f6cd2d093c1d5248628a1500e46c4986c90004c441893aabcc39d4eba7d7c

Download Submit
C:\Windows\SysWOW64\Dlncla32.exe

Filesize
256KB

MD5
8864dff70c72b83341e98ba62f27bd64

SHA1
a72e366fe1587e7e5f7d48b2e716d20b4bbb45d1

SHA256
0b5f9a063f0874e05ff51b78ad3b6717a650600f1d3470fcf7088d487556f2f1

SHA512
396f8574280abd0eb8853da14943b169218819d40d9e93f9e60c73b1243a7a0bb99f3287b5af5ff7a4c103ee1b701232e05c2019bed8863e6275d24952ee7e14

Download Submit
C:\Windows\SysWOW64\Fmndpq32.exe

Filesize
224KB

MD5
69f128ae4619b08ef448a3d0ac0eac78

SHA1
5595a36e165bd83e12d57fddbd875fdfc52d47ea

SHA256
92e60dd9eee90e97bac44c7be18a3f7adb031313eaa9f6a43637e3519ce67c16

SHA512
7ccc4f52c13b3d179fa2026e35ce4a3ce0f432256cea0cceb63c20169a6304ec967355c220b5493c6ef353470cd240c20903b5267ee504d55c488b5b9df2e049

Download Submit
C:\Windows\SysWOW64\Gemkelcd.exe

Filesize
224KB

MD5
3032b362dc6cc8c2803f7d0a64d7abff

SHA1
466fbf2a8695931da3b555d1c8299ae610df68cb

SHA256
fbd22c6e4418ee2a46532da1c65888db4f585dab83c423a615482e148af5c33a

SHA512
f25e6b4a3b9813079a3145345a20d42033b13b4fa69552cd000fac613bb55052f252e0c9aab0c59f9b65d7b7ef7fb7d2af52d1653e3ea07a2e095a93018e0692

Download Submit
C:\Windows\SysWOW64\Gipbmd32.dll

Filesize
6KB

MD5
df5a099c729b8f4a14f1135cd00ade59

SHA1
24581250855cd173bb5329a77264b706e0ae05e1

SHA256
2644c00c01bae85607b41549454b28d313b3589a90b307e30e99c7e385196aed

SHA512
6f3588cd48090828445d93bc8b0cc31aafce0eb6d0d7b0dd3c9a2899d2a7fee3bd5b683fb1cbc1e0d1ac6f2bb50bef5182d90575ff3f8b903b3fbdc391eec11f

Download Submit
C:\Windows\SysWOW64\Gmlplbib.exe

Filesize
76KB

MD5
c8924490ed7dc8e715581d7faca861ea

SHA1
64c935b166494484297dfafb3bc7f2375343fba9

SHA256
15cb391770f83614b2431c6298f877c5e416fc3665c030e193ac97ca01b3e2e6

SHA512
03568e46cc7a4ff87b309d6b9bc5b2402aa67387aa8afaba32fbeb02f53075395ecd8a59c92fc4ccf24f281c3824520ec81dd77985432d5a65a2f1c583bb6205

Download Submit
C:\Windows\SysWOW64\Hhimhobl.exe

Filesize
59KB

MD5
faac430e03f7bb776f8b3399c2cefee9

SHA1
44dce5a1363734364f4ff6f33076aef4c499de54

SHA256
b8e2c8a8316e2f02441cb61b0b7aa21b546e20bfd100d0465906d66c369f887d

SHA512
f15cef8f25d537392b1234aa04a9bd85b8733a2b7a20fc6fe59b9acb778b0daeffbd447c7e909c2c305a5fb8db632be500e295c0d2ee97297dcab1a6fdce66b8

Download Submit
C:\Windows\SysWOW64\Hqfqfj32.exe

Filesize
256KB

MD5
ae7a843eb5f69fe235d798d339ef7a25

SHA1
c7aed832e39f1949d9bf372bd9242ddf819ae731

SHA256
94523aa2ad5846f453188427e1625e77725755500ea001e6b8408529e099e688

SHA512
e05b1565eb9b20bd5452944b931e4986bad918e94bd7af49ffd5238da00a9265796bb5b4557e723ece9dca93d6f024520c32119898e9c098dbd5459da51b31ca

Download Submit
C:\Windows\SysWOW64\Ikcmmjkb.exe

Filesize
570KB

MD5
1d650db4a1f3dd03502983415f0ef77d

SHA1
fb1d9d5366bcc108bc4e9c61f5b6ffb212845ec6

SHA256
49801fc73f9d12ffde31c76dc4862f19a80ebb2adf3c36a2e98ae19aa6036bcf

SHA512
ac75ac1a9c44424f65d3da70db2b16f9313f56a030e8adb30feb05ce65ae68d53a216c8adc26e1ebbca5f1e91d287ec74cc48fcb1bfedddc8e6b1494d58347ea

Download Submit
C:\Windows\SysWOW64\Ipflihfq.exe

Filesize
224KB

MD5
0df1fff7f0f1b71ac3761ed1acddafb3

SHA1
b26bb254a5716ebfbb6557bc448b772bf88a6330

SHA256
0c5523633d948a3a56f6fa4df2479ae7d342509951ac4c889d7ae90d0df339a5

SHA512
a3c925a9fac57a226c0aba6d19c2923b4b3b9849211148576d509d371d0ff528ff391795f6f72e405766c2560587324947d9f3ec58bdaa7fb0646dc96ce22269

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
256KB

MD5
59d40ff5871b84a2efd9a6f917538941

SHA1
1ddb62606ec5be621af7f2e665a228f9214b8d32

SHA256
356201af19471aef0411cd18f0b503352d1f715edeb8fe52a357813f9d933445

SHA512
cbec27e54b292e69a1fe44df69b9816c78b44108b8838916a95bbb3fb3f63c907a2bf43f1343acf350646ef40346b3513cabc14ab5d8bde1acbdaf9ce0f2cb18

Download Submit
C:\Windows\SysWOW64\Jffokn32.exe

Filesize
1.8MB

MD5
5aa5e38b61e3b6a36775e07236383532

SHA1
3adf6b706736e2f54a4fd9d673aa38a1d9c1a803

SHA256
cd9076f4fd7d491aadc07e3df18483a8e7627f0199cee023141fb5c9fc5c0a6e

SHA512
7ab63fb8fc1eab364dc4e49202009c748e7bdf4c86ab0e56986c1a9c3c63e7f6c07a2c14a5eb451f66c7acc3dd80691b9dd27b2dcdb1476a7bacd59ead317ad4

Download Submit
C:\Windows\SysWOW64\Looknpmn.dll

Filesize
7KB

MD5
1004e53c8c9661eea34907b34f314454

SHA1
bb60374974d513dbb2a41d1daf15467ec21358c8

SHA256
8e1e69d2bee0600389b6f114f6720dd7029c5ce7747333054a32b753b6725ec0

SHA512
76c7a4427bfa40029e67ba0179d75ff1f04f580b9722e9bdc5143df0ab07bcd3a34f56ead227630eba60f7c6f6f0c2c75a284d9b08d82f3c6d86c047652bedc5

Download Submit
C:\Windows\SysWOW64\Mhnjna32.exe

Filesize
256KB

MD5
bfe912cf8b2188c807b34b695328f695

SHA1
d4c55479022f7fd0d00c7c266646cff08b0206d2

SHA256
8e9d8760891a157598232c74b920316f330444cec3aeaf5ba3260294d16ffc42

SHA512
3e4e7467c3d1b147ba0c30e801858bcde04ad409220184ac1e9c01c4435990fecc82989df2e343942448557aad368b8b083a53d406d1a59b520e3850017e0f11

Download Submit
C:\Windows\SysWOW64\Mig2.scr

Filesize
91KB

MD5
2bde5b0f373cd81f12f024a946ae3900

SHA1
de17b8c314c99eddbc2e6755f6db8e1a5a9a7ed0

SHA256
53713370c4f9fb2d9280195fb93ca7764f31f4731043d7dbce6e232e8cf8edcd

SHA512
4b69c30e80a1b6dddb2d4ef032dcc051b6785d9eb26260d4396bf1d7d12fe9afcabaf5a362288a13ae08f3af4c930de5193f2e3907320ba43c98227568695be3

Download Submit
C:\Windows\SysWOW64\Mlkngglh.dll

Filesize
6KB

MD5
730c80e6d69d14010538e47993af4802

SHA1
6d2249a6ef5c260e3ed7c7a5027af679de04bd5e

SHA256
e0fbfc3b4c30333967192815858aeb90b99c7e91ce5be1859bdec86d8bc399ba

SHA512
00cd21d33d84fd0f75fddd396c401556221c07259720289a48848cb3a33a1594acaf5bc85a30cd2fe7c2efd2b707d37cbf2b9375f9dfeb98a7c3105e1b1e0f09

Download Submit
C:\Windows\SysWOW64\Ofckhj32.exe

Filesize
256KB

MD5
489b75abc4be5435ab28d81aaf704393

SHA1
ee445efb9e1ef07a330ea520587d4bf2ff47b6b2

SHA256
82b0256d94461c58f19787287d25885ed59c429bf1e1acbb724543d01264af7f

SHA512
b544561a32d5b86d155488b83e9b340054a0ea365f6046d5611c4e8afbe67b8c093bb9b57d1cd16dbd17dce752755040e482c06c51dfada0537dca24198c5584

Download Submit
C:\Windows\SysWOW64\Omlkmign.exe

Filesize
57KB

MD5
59ef6242f59431554df578bb6de5eaa0

SHA1
3cb9b5e74ecf2c1f2949082c2399317f9f0557bd

SHA256
2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80

SHA512
73ec8978d0e7cc95db2ac1944322e88acb4838c50718abe2a11d899081a67822c65b3bcf5b46e8eaf1d38b9d4ca003af172ccf1ab23c2bf07ad72132d1064e55

Download Submit
C:\Windows\SysWOW64\Pdfehh32.exe

Filesize
52KB

MD5
4955ee410654028cd5d0cd9524fc4c8d

SHA1
2f8bbedadac0077d612174ec9d7f93d27df56f8d

SHA256
8ba3339326e22fafcec9a113528c9b303ca3660f1617a73e79ec154972cecf15

SHA512
360268b9c2eee5dcfc2748a912ad481b6fba9a75d2c570e10cf428881bc6b261f681f51eef0d3d7139b16daa779ee50810aba2e83da83f7807e015f76657cae4

Download Submit
C:\Windows\SysWOW64\Peahgl32.exe

Filesize
52KB

MD5
ba485e5a8c44547dcd102a1f7322944f

SHA1
75f7de5382b62f4ac41b08a7cd0c0b68a1457f72

SHA256
20dcf3919ccdfc46c3c4d968c6aa2986cee8261528820828f1d632828b2e5134

SHA512
290cabf7fc1c5c3870d76e6b7df7b567b951904ffbeb6321fd4d8fe00d67d56bef1310314bcf99929c50ef05b0b7237520d5297201f61ef34e5243dcd9197846

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
224KB

MD5
3d532ab2ab6757921975e03390040061

SHA1
d57b9d03c6c111e5cce840c01e70bb53d7ee57ec

SHA256
a501dcbd45479c466f31ebf538f916e68b925346eba1b44b5c2de4da63f9e064

SHA512
9597de17c0983883b728a71182211976409d547383f892d3302933e72ae2b880d8347e0fa889e4ac17fe77f2d810f8750541eda7e0b42ff7b18868d3d73a73ac

Download Submit
C:\Windows\SysWOW64\Pkoemhao.exe

Filesize
256KB

MD5
41d20da7dc0d51528a8d731d6591bb15

SHA1
14d62229ca253250498c301821ee6cf3816d128c

SHA256
55fe88877a8990e1fcfea8e2c3c4c1a52108741fcc9f3bb6c61c5264e854dfc9

SHA512
2c896daa78dbe566c3796130c49411c798008b3b0b95099366bc96d18b798c2351be19453995b0285b24ce450b66fb2c2650872e8d2b0777a4dda43b6dca9c5c

Download Submit
C:\Windows\SysWOW64\Ppafpm32.exe

Filesize
176KB

MD5
ddb4e41f341eb0411549ac7800eea438

SHA1
5e0edd209b11ac3fcf47599810cc6ccc00e89a9e

SHA256
6dadc0a2b7bc73b8caf03f8fd80773afcd344fd4530f418778c4c277746cc68c

SHA512
a7721172fe13794d748472d1661d48d55b3a6095d14023fa9867d20617d93a28de8b04dc5185c126a5be161afaf0bd4085b52ee0fc18d5d840bbbd1f2a0b7cf3

Download Submit
C:\Windows\SysWOW64\Qagdia32.exe

Filesize
318KB

MD5
1a442ae7679fa1c291d90f6c64bc709c

SHA1
833216e8671a6701db52707d5e7c568f748d9802

SHA256
3942515e583d0c1ca8b1964c5443813a798d3ce929c1c3263736db2400795815

SHA512
93adbf8d2f2e095d7e579f3904524fd47e6f697cb4948d5b7a6c8d6f7e0f76aa897a1d67a11c02a60fcbbb0d982b9fbb6a2c4bff5597eeb9448fb0d4c9464a9a

Download Submit
C:\Windows\SysWOW64\_Se101.exe

Filesize
297KB

MD5
eac5f9ced24648bc518ee971ee16574c

SHA1
d64bfbc45844cae92d68bfc191cb3d21c38932f1

SHA256
933d3e7874fda20f8772409be85f9aa75e925ad97be98b9020ff1f9f43297cd4

SHA512
fb04a6fef38f79d3abe5d2d842cd30d42350eef759e30e2408236c5d5ed2196003eef954b9620b02402dcbb6c08bbeb61001d0f57be02b8970dc12feeab9a24c

Download Submit
C:\Windows\SysWOW64\bnpmvxjpgy.exe

Filesize
512KB

MD5
d6be480072d78a427d2f1a5c9eb3165e

SHA1
69323f900aff09b4dfe97d85a9c94c8a5bf602be

SHA256
e2dfcd961f322cbe43884773765be721d23d82f6dc9320ef4812078db419f2a5

SHA512
ff36d9184812a21d68fb4f0fe939aa8578af091a999f36e320f847641c778cb1f52319051a4a58028cb5fa961567139f7c2cfcc9c907aebd6dc80b023df3399c

Download Submit
C:\Windows\SysWOW64\cugrqqkl.nls

Filesize
428B

MD5
e59c68d7ddcda526765a879e63228e1e

SHA1
6d26b4ef1f31858e7f1332bb20c2c49d0472ede6

SHA256
135b283bdb69aed077557005e816d8b8eeaece4323f4093a76f4eb2d55be1b94

SHA512
4ddcbd27da1d5778f1558efc834fd7cc8a1aec7257c40ca3f0c2092a65563906ff85078ed9d7c68c5386d18e6f273ea0345a7e55cac8fcf447684d5b8e43d7b1

Download Submit
C:\Windows\SysWOW64\cugrqqkl.tmp

Filesize
2.3MB

MD5
2b193e236328e0f44d051ea91e8887a9

SHA1
29aa5df80be4b8f58d2e0a73053e6abe981dd0d7

SHA256
10d82902bb9e98b75adca6eca1beaf62fa8914d7772e199ffda396c1ee0ce1f0

SHA512
6d715258655b4cc80b5b24a0f3ab740ceda3f1b6b70b943459142e2e96391323357a36312f77a9292b8968a559717667e032e30b5dfe05019986a1de1e26ab7f

Download Submit
C:\Windows\System\OovqWuO.exe

Filesize
5.2MB

MD5
15f0da57f99e2897faa9d17395235c8a

SHA1
68e6dcdff6e66487a51e2ae91a29354066924052

SHA256
3d5651678379dfb4531c2992873bb7f751d799a054e7a11ba54b252d24d5f844

SHA512
09094941299fa2300e0a06e6b11671a08f214073dabd61741c3645e1e32c691008ecdf6a147be461775c8d6f77b03c3c8c9e33e852dbd717ed36a7b387a6573e

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
205KB

MD5
3279b3e119b79a220fd6029b0eb2ff42

SHA1
b28138ffb03817270abd9b9a615d0164a6b8d92c

SHA256
a94dab4dc9040408120a5228710ae950a4450fc650c2255482e62c7c4a0869e8

SHA512
9b24da73b929793c9b2eb207e96d9220ba6f71478e3441993551a1e8154fcf8264f2b17728370bb45d359e3af11e7992fe7b42f3c2a5b6c1c001250da80ff0c5

Download Submit
C:\Windows\directx.sys

Filesize
71B

MD5
a10e1144f2f15b0147e07126a886a68d

SHA1
2039e9b4335f2989de269e96491312d687888a8d

SHA256
d152abbe46a99c239df7e468ff09b17d34740a405a10aa3c326934fa2d5ff272

SHA512
4ba4d2dd78c154518755245ab927f452bce2df3b5a68922be16cb9224625358f7bed93f0b82a03571f3c2a44d63cddf678970e0f8d263b5570853bf2b4a81242

Download Submit
C:\Windows\directx.sys

Filesize
44B

MD5
2cec4c964f3ee48368a83f08d0f22421

SHA1
e6e89af4c6de3ddc4bc34936e21c2d559b3e394f

SHA256
79bcf04feeca4c0cb41e132094df4f9060201e830b7f6c9e40e5701d8cc2eb0a

SHA512
6607a8a2d0d384d3d1fefb95a5e3aea7b72611a4eda5ce8b72173a406d69cd538afba1f85b1064a65ec5f6a9404399053fcb64f5de3ee95b6119df6db1cb1589

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
29fb8e821887ba58714676dd28efe205

SHA1
677f7db11e102a0bd01f199afbe538857349eb25

SHA256
51d1c2dcf8f2c137b91698264f1920d0e9f33b061664aaab446f806922d5da3d

SHA512
6437a5109d0dae0d9c1c75e9aa2aa73eb761397d1e6ca1f7b5e722f60965348a7a63b238d115bb7de582814b2a0ecedd2444cbf083d31809becb0636a7fe4806

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
fb3db907c72cbf1787f5337e390d75e8

SHA1
2a5c0226f1513be399a0cb1f7da0c649f7b1929b

SHA256
9c35f18b52cc8798b985a9107bf24d4819d17eb34e13cde59b613ea150d06c70

SHA512
ac1367e224c536559972ec0d081920a3c7d33222d742f4e827246965b7ec8dafa2e9ef85d3c10c29e8274535823540abe0f17c1e89b25f159452fc527cb5bdd7

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
9e06cbaea528ed37c8d88cb88a27a9ff

SHA1
8c6863473edbbe39d692ede22a57d09076bd40e1

SHA256
fb23916ef2ef95cabf567d35d79de3209bd357967bbe1aac618b684d06f4ad36

SHA512
b9ea6e2ef1e35be7ee1e2782452ff4419787792299b30cfd7adf9b37dc6d92d3e6ec36040e6320822e405c7fafe7f79d05975b8430af113041d1726a9bf90754

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
16409e97cd6ea279d8d214dc92c79232

SHA1
d1e3256e04581785772a3d4021427605d767b60f

SHA256
14bff9a462e594c71d19c1c17db73e1cd8c0cbcfdb31a20bf114fa4628e9ec03

SHA512
ed3513de3832459cbb80d1bc1197a8eb8cd17db2b4b4b560648a61363a5eb7e6afeb400cf79840a0ab254df40ee21dc033e85db2d991dcce3fa9bb24a8b04a63

Download Submit
C:\Windows\directx.sys

Filesize
43B

MD5
16b6fa735eb16d494e2567da36df0f26

SHA1
d59c2557ccd26fc810f3fd310fbc328596434893

SHA256
809334f4638c9453287115a30843d2729c4f304d2a62a85eabe1b32e112b0622

SHA512
256d614e8c7eab40049956d9e0075eb1d5fdd831f9317276cb1dfe885485fcfa5d8dd0793750b64125e5ccf3ba04aebc8352ec578f2a794cd55dd830720b973a

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
3ab15ee04c526663abf0eac243c8e98f

SHA1
b767ee19388ee75bd29610cdc3636040a6d5748c

SHA256
d2eaa20a0c5d4ee22ff8933cbe519c6aa58d0cf7932ceedf18591cf672e9261d

SHA512
5ad8b395aea455b7478fa03bfa7a9791f389210d40d9754f06792c756d7b71d6ed67568de95b54e6875402b2577d4328f4316b0c8a19a96ef0854dc80932a66e

Download Submit
C:\Windows\directx.sys

Filesize
90B

MD5
b1851cb36c5691b1494d0580b6454c7d

SHA1
1be6683de0565dfcbf8078c5dfdcc13a243196d3

SHA256
9d226a17b02adef5404e256a727b39ae920f9eeb01938a8f8f5ee493522b58b7

SHA512
ac545c2ae874d50b8fdb7e033270099a54868fadae13b85762c4e552129415710e3912e4001958b2c831bec0d0897c1378bc2ea36ac7fa94586c1c59433045ac

Download Submit
C:\Windows\directx.sys

Filesize
27B

MD5
2950a142c397c4f97892f1aed9ddccb7

SHA1
c9cb6494ab28ad92ba7207aebcf9cdbfaae7e32e

SHA256
696c9174c9e7516b7eba2ce8b2986687a06bf609d4e3a4d51db2a3d6769dd3c6

SHA512
7a34933c3d9c9e504511fe8563f22a10ff34825dc6159cd1eba78edd84d46854d43617c5365099ec80618b808bb8c3f54351fdba05226e76368a66acbbd1d3f5

Download Submit
C:\Windows\directx.sys

Filesize
70B

MD5
1bb99dae57d88c3bc8e15ab2c16dcec4

SHA1
06328df256ffa3eebf64d97cd7d3b68677a74043

SHA256
abb459f196de52607ef63c814b3aa6b323741796fb8fc37623298aa4eb433aad

SHA512
b5385c5e143032b6cf053ee47d88e3c3849e8ad856ee9184f5315bef0ee1e0a068db9635e744e9fbe424056b68c74057036a43d2b95d604f805310f6619e9bf7

Download Submit
C:\Windows\directx.sys

Filesize
127B

MD5
d45feed365697d73f24e61e225d72140

SHA1
9ac59a927288e473cd4eb88534b48f57614be5ce

SHA256
aac48e98e38fb3c46386fa1eb904a3a63fe795f82a47c03db2fbe3fad627a496

SHA512
898a3784a584b7992a829e4fd22d5356a8e1dceb9226150d86f999862fe3d7cd7e6b89f145eb2776ae7e2341aec38b13674eb2db582bd294653b66e56f746f0d

Download Submit
C:\Windows\directx.sys

Filesize
71B

MD5
3b282e83d6654cf017eac27328ea9d81

SHA1
983cf9f549a536b31f7eb6ef6e42006be90d83c9

SHA256
432018385650922ddaf917ece94798d10a3eb0d8e4b9b6c278d23c369d326c0e

SHA512
8da05b7b04f0de27cb3f60c95672ad8e97d34e153ba6a7bbe0e424c5a3e47a0f6d4bf0e45fa9b4545d5a7a1d48cb4ed331add6ece1dedc05e5ae128a7f8218b7

Download Submit
C:\backup.exe

Filesize
64KB

MD5
f548373a2514dbf624e42e2312f95962

SHA1
6cfcdfad8810380250d17acaffae0a74c910590d

SHA256
18d9bf84e3676d4d5b9f335d5a27d936649d9ceec90fa4ade54401cc08b43814

SHA512
409c6400ebd3b39b2b45d6e69d8d4f7b9ca2b59b73d0fe9f10d2dc7f1f307ce18b11b000ace1bc018424c8fe966b31040f631f6f8f7991a10bc8a01e569c28bd

Download Submit
C:\frfxxxx.exe

Filesize
333KB

MD5
d0ff7886a8d0ebc6b1e88506c2cae93b

SHA1
17a266870b208617a985bb0b4976029bc0066e18

SHA256
b3c9b2a778467b4839ad14c0b7e8201212341ec000b3b6d88d27a72e62ea5b61

SHA512
8f4f989f11e55ac5e08e16fe480b940ea6d52913e90f2017c6fa76d64bc835c5424418d75a790129852e4198f6b57320063e7f4c199c524d3031722e891dc4bb

Download Submit
C:\nhtnbb.exe

Filesize
58KB

MD5
367fede441f3dc99e5db684ca1ff3048

SHA1
73bd05161002f7a4f748b392e9582035fe157246

SHA256
0c6d40ec2ee468e696c6c3ebcc337f06c35522f96c2cd7a4aa73bfc46eb197bb

SHA512
4009cd8363c3f9712751bc89d68c32ce2f667c5ba85ed61d9c5507612994693f42dc0dc22e7a77ab3fcaa6f8e5de11de422b4cc141d1f5e952249a84ea6ef3f4

Download Submit
F:\Autorun.inf

Filesize
237B

MD5
94bcd02c5afd5918b4446345e7a5ded9

SHA1
79839238e84be225132e1382fae6333dfc4906a1

SHA256
5d9f41e4f886926dae2ed8a57807708110d3c6964ab462be21462bff0088d9a1

SHA512
149f6bd49fc3b62fa5f41666bfb3a58060514eec1b61c6aa1ac4c75417c840b028e701eb5533460eb00e2fee8543379564bc47d7477264771d81b99a0caab500

Download Submit
memory/216-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/384-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/412-413-0x00007FF6F6460000-0x00007FF6F67B1000-memory.dmp

Filesize
3.3MB

Download
memory/440-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-355-0x00007FF609A20000-0x00007FF609D71000-memory.dmp

Filesize
3.3MB

Download
memory/628-182-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/628-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/696-388-0x00007FF78F500000-0x00007FF78F851000-memory.dmp

Filesize
3.3MB

Download
memory/1020-550-0x00007FF765960000-0x00007FF765CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1204-343-0x00007FF683D30000-0x00007FF684081000-memory.dmp

Filesize
3.3MB

Download
memory/1368-501-0x00007FF76C1E0000-0x00007FF76C531000-memory.dmp

Filesize
3.3MB

Download
memory/1540-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-453-0x00007FF623160000-0x00007FF6234B1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-216-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2092-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-594-0x00007FF6CEC00000-0x00007FF6CEF51000-memory.dmp

Filesize
3.3MB

Download
memory/2220-362-0x00007FF6A3A80000-0x00007FF6A3DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2356-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-595-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-533-0x00007FF6D56D0000-0x00007FF6D5A21000-memory.dmp

Filesize
3.3MB

Download
memory/2632-368-0x00007FF7E78E0000-0x00007FF7E7C31000-memory.dmp

Filesize
3.3MB

Download
memory/2712-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-466-0x00007FF754B00000-0x00007FF754E51000-memory.dmp

Filesize
3.3MB

Download
memory/2780-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-154-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2844-8470-0x0000000077200000-0x00000000773A0000-memory.dmp

Filesize
1.6MB

Download
memory/2844-621-0x00000000778C0000-0x0000000077AD5000-memory.dmp

Filesize
2.1MB

Download
memory/2844-11140-0x0000000076BD0000-0x0000000076C4A000-memory.dmp

Filesize
488KB

Download
memory/2844-13949-0x00000000026A0000-0x00000000026B3000-memory.dmp

Filesize
76KB

Download
memory/2884-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-230-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3148-147-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3172-518-0x00007FF789090000-0x00007FF7893E1000-memory.dmp

Filesize
3.3MB

Download
memory/3184-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-253-0x0000024BFFAB0000-0x0000024BFFAC0000-memory.dmp

Filesize
64KB

Download
memory/3240-13987-0x00007FF72D710000-0x00007FF72DA61000-memory.dmp

Filesize
3.3MB

Download
memory/3240-257-0x00007FF72D710000-0x00007FF72DA61000-memory.dmp

Filesize
3.3MB

Download
memory/3240-310-0x00007FF72D710000-0x00007FF72DA61000-memory.dmp

Filesize
3.3MB

Download
memory/3260-548-0x00007FF653730000-0x00007FF653A81000-memory.dmp

Filesize
3.3MB

Download
memory/3288-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-596-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-546-0x00007FF7D56E0000-0x00007FF7D5A31000-memory.dmp

Filesize
3.3MB

Download
memory/3580-611-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3620-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3620-137-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3688-424-0x00007FF709A70000-0x00007FF709DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3876-194-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3876-489-0x0000000000B00000-0x0000000000FD0000-memory.dmp

Filesize
4.8MB

Download
memory/3892-509-0x00007FF6D5450000-0x00007FF6D57A1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-434-0x00007FF6F5100000-0x00007FF6F5451000-memory.dmp

Filesize
3.3MB

Download
memory/3956-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3960-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4032-164-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4032-139-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4068-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4192-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4348-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-379-0x00007FF71B570000-0x00007FF71B8C1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-549-0x00007FF70F950000-0x00007FF70FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/4544-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-517-0x00007FF63C030000-0x00007FF63C381000-memory.dmp

Filesize
3.3MB

Download
memory/4656-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-195-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4660-201-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4720-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-544-0x00007FF71FB20000-0x00007FF71FE71000-memory.dmp

Filesize
3.3MB

Download
memory/4756-570-0x0000000000460000-0x0000000000473000-memory.dmp

Filesize
76KB

Download
memory/4784-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4840-162-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4856-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4856-203-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4948-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4948-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5040-499-0x00007FF7278D0000-0x00007FF727C21000-memory.dmp

Filesize
3.3MB

Download
memory/5056-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7636-13985-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/7636-14089-0x0000000005BD0000-0x0000000005BE3000-memory.dmp

Filesize
76KB

Download
memory/17076-14292-0x0000000002A70000-0x0000000002A83000-memory.dmp

Filesize
76KB

Download
memory/17144-14301-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download